Dialogue Arbitrum Governance Members: Why did we enable the "God Mode" to freeze North Korean hacker funds

Organized & Compiled by: Deep Tide TechFlow

Guest: Griff Green, Member of the Arbitrum Security Council

Host: Zack Guzma

Podcast Source: Coinage

Original Title: Why Arbitrum Decided To Take Back $72M North Korea Stole

Broadcast Date: April 23, 2026

Editorial Introduction

In the past few days, Ethereum and the entire crypto community have been paying close attention to the incident where Kelp DAO (a liquidity re-staking protocol) was hacked, affecting Aave (a decentralized lending platform).

The Arbitrum Security Council used emergency authority to freeze and recover approximately $72 million worth of assets from addresses suspected to be controlled by North Korean hackers. This is the first time in the crypto industry that a Layer 2 chain has activated “god mode” to freeze funds belonging to a specific address. Before this episode, community opinions were divided, with controversy centered on the fact that, although Arbitrum did the right thing, the ability of a single chain to “transfer away assets from a specific address” raises questions about its capabilities and decentralization.

The guest in this episode, Griff Green, is a member of the Arbitrum Security Council with the authority to make such decisions. Griff is also a veteran of the 2016 The DAO hack and one of the advocates for the Ethereum hard fork. In the interview, he directly criticizes Circle (the issuer of USDC) for “continued inaction” during the North Korean hacker incident, and contrasts this with Tether’s proactive freezing actions, arguing that Circle’s decision-making is entirely driven by financial statements.

Key Quotes

The misconception of blockchain’s “immutability”

• “People think blockchain is immutable, but in reality, the foundation of blockchain operation is social consensus. If everyone agrees to upgrade the protocol, the rules can be changed. Ethereum and Bitcoin are both like this.”
• “That’s why some in the Bitcoin community are discussing freezing Satoshi’s tokens. Technically, it’s entirely feasible because blockchain isn’t inherently immutable; it only has rules.”

The true cornerstone of decentralization is market behavior

• “If people dislike our decision, they will sell their tokens. If the Bitcoin network coordinated to steal from people, holders would obviously sell. The real foundation of decentralization is market behavior, and the role of market dynamics in this matter is severely underestimated.”
• “Honestly, no one would blame us for doing nothing. Doing nothing carries almost no risk, so you need a bit of willingness to take risks.”

Attack patterns of North Korean hackers

• “North Korea rarely attacks at the smart contract layer. Most of the time, the attack isn’t on the code but on people. They use social engineering to find key holders with special permissions, gaining access to their computers and keys.”
• “I don’t know why they left funds in one address for two days without moving them. Maybe they worked for three days straight, took Sunday off, and were late on Monday. That’s our window.”

Comparison between Circle and Tether

• “Let me be clear: there are obviously no good actors at Circle. They’ve been choosing to do nothing. On the other hand, Tether has continuously frozen North Korean funds, recovering amounts far exceeding $70 million.”
• “Circle’s origin isn’t crypto-native; it’s Goldman Sachs. Their decision logic is: does this reflect well on their financial reports? If freezing North Korean funds can make them money, they will definitely do it.”

Security issues are the biggest obstacle to crypto industry adoption

• “With today’s technology, we can create systems more secure than PayPal or banks. Using the infrastructure of banks and PayPal, removing custodians, and making non-custodial versions—this technology is already in place.”
• “I don’t know anyone whose bank account was hacked and money stolen after phishing. But I know many who lost crypto after phishing attacks.”
• “I’ve been building for the public good, trying to create better systems than governments, but I keep hitting the same problem: this technology still isn’t safe enough for ordinary people to use securely.”

Activating God Mode

Zack Guzman: Many people are paying attention to how the situation develops. The controversy hasn’t stopped. Let’s start with the structure of the Arbitrum Security Council. You’re a member, and in your post, you mentioned this was a very serious decision. Can you explain how the whole incident unfolded?

Griff Green: Kelp DAO was attacked; whether the main responsibility lies with Kelp DAO or LayerZero (the cross-chain messaging protocol) is still debated, but the impact did extend to Aave. It was a cross-chain bridge attack, where about $300 million worth of tokens on Layer 2 were stolen by hackers from the bridge, then deposited on Ethereum mainnet and Arbitrum as collateral to borrow ETH.

After obtaining ETH, the North Korean hackers kept funds in their wallet for several days without moving them, giving us a window to coordinate rescue efforts. Arbitrum, still in development as a Stage 1 rollup (meaning some security guarantees but not fully decentralized), has a Security Council. It’s a 9-of-12 multisig (requiring 9 signatures out of 12 members). We collaborated with Seal 911 (a security emergency response organization in crypto), using emergency permissions to transfer funds out of the North Korean-controlled address, freezing them into a new address they cannot access.

Blockchain’s Foundation

Zack Guzman: I didn’t realize a 9-of-12 threshold was needed; many people probably don’t know that Arbitrum has this capability. You probably also don’t want North Korean hackers to know about this feature.

Griff Green: Actually, this is fully public information. I think there’s some misunderstanding about blockchain technology. The foundation of blockchain is open-source code, nodes running on servers, and social consensus.

My first project was The DAO. We raised $150 million, then got hacked. If you want details, check out Laura Shin’s book The Cryptopians, which dedicates 100 pages to this incident. Ultimately, we performed a hard fork of the Ethereum network, doing something very similar to what we did on Arbitrum now: breaking the rules without the hacker’s permission, moving funds out of the hacker’s wallet.

This can be done on Ethereum, Bitcoin, and any chain. Because blockchain is fundamentally based on social consensus, if everyone agrees, it can be done. For example, on Ethereum and Bitcoin, such actions are possible. On Arbitrum, it’s slightly different: instead of convincing all node operators, there are two paths—ARB token holders can vote to execute the same action, or the 9-of-12 multisig of the Security Council can do it in an emergency. Before this, the Security Council’s authority was only used for bug fixes and protocol upgrades, never for freezing funds. As far as I know, this is the first time a major Layer 2 has frozen on-chain funds.

Comparison of Two Incidents

Zack Guzman: You’ve experienced both the DAO hack and this incident. How do they compare?

Griff Green: This one is much easier. The DAO was my own project, hacked for $150 million, which was much more stressful. This time, I personally didn’t lose any funds; I just helped as a Security Council member.

And infrastructure is so much better now, so we can understand what happened more quickly. When The DAO was hacked, we didn’t even know who the hacker was. This time, Seal 911 was able to contact the FBI, and they confirmed the attacker was North Korean hackers. Over the years, we’ve built an underground network that provided intelligence outside the ecosystem.

Key Decision-Making Process

Zack Guzman: During decision-making, not acting means North Korea keeps the funds. But some worry this could set a chilling precedent for DeFi. How did the discussion unfold?

Griff Green: First, there’s the technical challenge. We spent a lot of time finding a perfect technical solution—just finding that solution was a major achievement, thanks to the behind-the-scenes technical heroes.

Once the technical feasibility was confirmed, the real debate began: should we do it or not?

From my personal perspective, the attacker is almost certainly North Korean, involving $72 million. DeFi faces existential risk. My duty is to uphold Arbitrum’s constitution and do what I believe is right for Arbitrum. No one would blame us for choosing inaction; doing nothing carries almost zero risk, so a bit of risk-taking is necessary.

Some people might feel uncomfortable, thinking “9 people can do this on-chain.” But I tell you, getting 9 highly risk-averse security experts to agree on doing something after thorough investigation is far more difficult than you think. It’s probably harder than coordinating miners to freeze Satoshi’s tokens.

The key point is that the system remains decentralized—not just in architecture but also in market sentiment and price behavior. If people dislike our decision, they will sell their tokens. That’s the true foundation of decentralization, and the role of market dynamics in this matter is severely underestimated.

Zack Guzman: The Security Council is elected by ARB token holders. Could this incident set a precedent that changes how people view hacker incidents in the Ethereum ecosystem?

Griff Green: One thing underestimated is that hackers rarely leave funds in one address for two days without moving them. It’s precisely because they didn’t move the funds that we had a window to act. I can’t recall any previous hacker incident on Arbitrum with a similar situation. I don’t know why they didn’t transfer the funds. Maybe they worked for three days, got tired, took Sunday off, and were late on Monday.

So I think people will be more open-minded about this. Not because it’s technically possible (it always was), but because they saw a real operation. L2Beat (an L2 security assessment project sponsored by the Ethereum Foundation) clearly states that the Security Council has emergency upgrade permissions. Hackers could transfer funds at any time, potentially thwarting us, but we’re fortunate this time.

Security Lessons

Zack Guzman: What are the lessons learned regarding security?

Griff Green: First, improve technical risk analysis. Aave does well in controlling low-market-cap, high-volatility tokens, but it’s too lax with liquid staking tokens (LSTs). These tokens’ underlying asset is ETH, so the economic risk is low, but the technical risk needs more scrutiny. This isn’t just Aave’s problem; protocols like Morpho, Compound, Sky, and others need to double down on technical risk analysis.

Kelp DAO’s setup has a single point of failure—one key point that, if compromised, can be exploited. But a bigger issue is operational security (opsec): if keys are compromised, that’s the real vulnerability. North Korea rarely attacks at the code level; most of the time, they attack people—using social engineering to gain access to computers and keys with special permissions.

There are two ways to respond: one, strengthen security standards. If you manage large sums, your computer security should be as tight as a CEO of a major tech company. But the crypto industry has not yet achieved this level.

What to Do with the $72 Million?

Zack Guzman: What’s next for the recovered $72 million? Is it decided by your vote?

Griff Green: Yes, that will be very interesting. The situation for Aave and Kelp DAO users will improve, but the specific plan is hard to determine. Internal coordination among DAOs is already difficult—like with governments and large organizations, especially when there’s no clear final decision-maker.

Previously, Aave and Kelp DAO blamed each other; now, with Arbitrum involved, it requires three DAOs to cooperate. The good news is that there are actual funds involved, so Aave and Kelp DAO can no longer just pass the buck—they need to publicly develop a plan. How to return the $72 million to users ultimately depends on a vote by Arbitrum DAO token holders.

My personal stance is that unless the funds are directly returned to users 100%, Arbitrum DAO should not release this money.

It’s important to note that the Security Council only acts in emergencies. We deliberately transferred the funds to address 0x0000DAO—the “DAO” suffix was chosen intentionally, meaning the money now belongs to the DAO community. I am also a delegate of Arbitrum DAO. But the total voting power could be around 200 million votes, while I hold only about 10 million—roughly 5%. Many others have greater influence than I do.

Projects I’m Working On

Zack Guzman: Tell us about the projects you’re currently involved in, especially those related to security.

Griff Green: Since the DAO incident, I’ve been building in this space. I helped create Giveth, a decentralized donation platform that helps many nonprofits raise funds on Ethereum. I’ve seen these nonprofits lose money in all sorts of ways: sending funds to the right address but on the wrong chain, phishing, smart contract bugs, exchange hacks, and more.

With today’s technology, we can build systems more secure than PayPal or banks. The technology is in place. But the reality is, I don’t know anyone whose bank account was hacked and money stolen after phishing, yet I know many who lost crypto after phishing.

That’s why we launched the DAO Security Fund. The goal is to make Ethereum safer than banks. We have about $170 million in staked assets, using staking yields as a long-term funding source for security initiatives.

The first large-scale funding round starts tomorrow. On qf.giveth.io, you can donate to security projects. Based on your donation, a $1 million fund will be proportionally distributed among various security initiatives.

But more important than funding is project discovery. There are hundreds of free, open-source security tools out there, but many people don’t even know they exist. The core purpose of this round is to gather these projects in one place, so people can find them. Funding helps these projects survive, but market signals—knowing which projects are most needed and which directions deserve more investment—are truly impactful.

Circle vs. Tether Revisited

Zack Guzman: When there’s no security council mechanism, centralized stablecoin issuers like Circle are forced to face the issue of freezing or not freezing assets. How do you see these two models?

Griff Green: If you have the ability to solve this problem, you have the responsibility to do so. There’s an old saying: “The only thing necessary for evil to triumph is for good men to do nothing.”

Let me be clear: there are obviously no good actors at Circle. They’ve been choosing to do nothing. Conversely, Tether has been freezing North Korean funds, recovering amounts far exceeding $70 million.

You might think it should be the other way around, but I believe the reason is that Tether’s founding team is crypto-native, DeFi-native—they retain some old-school crypto values. Circle’s origin is Goldman Sachs, so their decision logic is: does this look good on their financial reports? If freezing North Korean funds can make them money, they will definitely do it.

I’m not a Tether extremist; I lean more toward decentralization. But in this case, Circle’s behavior is perplexing. I wonder if we need to collectively sell USDC to give them enough market feedback. North Korea’s attacks aren’t just damaging our investments—they threaten real-world security. Everyone suffers because we don’t stop North Korea.

Zack Guzman: The political dimension of blockchain is much more complex than many realize.

Griff Green: Exactly. People think it’s just finance and hardcore tech, but there’s a lot of political discussion—about self-regulation, building society on new frameworks, and deep debates. But every time I try to bring these issues into real-world implementation, I hit security problems.

North Korea’s attacks on major protocols are just one dimension. There are many lower-level issues, like scam calls impersonating Coinbase support, UX improvements, and more. Many problems aren’t state-level attacks; they’re just our own tech not being tight enough.

I entered crypto in 2013, earned the first master’s degree in digital currency in 2016. I’ve been building for the public good, trying to create better systems than governments, but I keep hitting the same barrier: this technology still isn’t safe enough for ordinary people to use securely. But there’s a huge opportunity now to change that.