Lawyers representing victims of North Korea have altered their legal strategy in the dispute over 30,766 ETH, which the Arbitrum team froze following the Kelp hack.
The attorneys argue for a reclassification of the incident: in their view, the attacker did not merely steal assets but borrowed ETH on Aave against unsecured rsETH and failed to return it.
“In reality, North Korea borrowed assets from Aave users and did not return them. When Aave attempted to liquidate the collateral, it found it was worthless,” the new document states.
The plaintiffs cited a provision of American law: even fraudulently obtained property temporarily becomes the legal possession of the fraudster until contested. An additional basis was the Terrorism Risk Insurance Act, passed after September 11, which allows victims of terrorism to recover funds from the assets of state sponsors.
If the funds stolen during the Kelp attack belonged to North Korea even temporarily, they could be seized as part of enforcing court rulings in terrorism cases, the lawyers believe.
Arguments Against Aave
In early May, a New York court prohibited Arbitrum from unfreezing the stolen ETH. The DAO of the L2 network planned to transfer them to the DeFi United fund, created to restore the ecosystem.
A few days later, the Aave team filed an emergency motion demanding the release of the assets. Project representatives called the court’s logic legally unsound.
“A thief does not own what they have stolen. These funds belong to the users from whom they were taken, and no one else,” stated protocol founder Stani Kulechov.
The plaintiffs’ lawyers questioned Aave’s right to contest the freeze. They pointed to the platform’s terms of use, which state that it “owns, holds, and controls” client assets. According to the lawyers, this makes the project responsible for what happens and could weaken its position in court.
The lawyers also noted that the victims are unlikely to be in dire need of these 30,766 ETH: DeFi United has already raised $327.95 million, four times the amount in question.
The hearing is scheduled for May 6 in a Manhattan federal court.
Kelp and LayerZero Conflict
Kelp developers stated that the April hack was due to a vulnerability in LayerZero’s infrastructure. The project plans to relaunch its cross-chain system based on Chainlink.
After the recent LayerZero exploit, we are taking steps to ensure rsETH is fully secure, which is why we are migrating to @chainlink CCIP.
From the April 18 incident, it is clear that LayerZero’s own infrastructure was exploited, resulting in $300M in losses across DeFi.… https://t.co/beIrfZZLlh
— Kelp (@KelpDAO) May 5, 2026
The crux of the dispute lies in the configuration of the 1-of-1 DVN, where cross-chain messages are confirmed by a single verifier. Kelp claims that LayerZero approved such a setup and did not warn of the risks, shifting the blame after the hack.
LayerZero insists that the issue was isolated at the rsETH level and arose from Kelp’s risky configuration. The affected project’s team counters that the 1-of-1 setup was widely used in the omnichain protocol ecosystem, and the decision to abandon such configurations confirms the systemic nature of the vulnerability.
Back in late April, LayerZero joined the DeFi United initiative and donated 10,000 ETH (~$23 million).