Arbitrum DAO Court Ruling 2026: The $71M Frozen ETH Decision That Exposes DeFi's Liability Gap

The question of how courts regulate crypto DAOs holding seized assets moved out of legal theory and into practice on May 9, 2026. Judge Margaret M. Garnett of the Southern District of New York issued a two-page order modifying a restraining notice that had locked 30,766 ETH, worth approximately $71 million, inside Arbitrum DAO since May 1. The order, issued under CPLR §5240, permits an onchain governance vote to send those funds to a digital assets wallet controlled by Aave LLC, and states directly that any party initiating, voting on, or participating in that transfer shall not be in violation of the freeze. The underlying dispute over who actually owns the money remains entirely unresolved.

How a $292 million hack became a legal question about DAO governance

Attackers attributed by LayerZero and TRM Labs to North Korea's Lazarus Group drained 116,500 rsETH, worth approximately $292 million, from Kelp DAO's LayerZero-powered bridge on April 18, 2026. The attack exploited a single-verifier design: rather than requiring multiple independent validators to confirm cross-chain transactions, Kelp's bridge relied on one, which the attackers compromised by poisoning its RPC nodes and disabling the alternatives through a DDoS attack. Kelp paused contracts 46 minutes after the drain; two follow-up attempts, each targeting 40,000 rsETH worth roughly $100 million, were blocked. The exploit remains the largest DeFi hack of 2026.

Arbitrum's Security Council, on April 20, used emergency powers to freeze 30,766 ETH linked to the attacker's addresses on Arbitrum One, placing the funds under DAO control. That centralized intervention, taken to protect users of a decentralized protocol, gave a US court exactly what it needed to assert jurisdiction: a governance body acting with identifiable authority over a specific pool of assets.

A coalition called DeFi United, led by Aave, Kelp DAO, and LayerZero, had assembled over $311 million in pledged contributions to restore rsETH's economic backing, with major commitments from Consensys, Mantle, and Aave founder Stani Kulechov personally. Arbitrum's 30,766 ETH was the planned single largest contribution. On May 1, a different set of victims arrived with a different legal argument.

The claim backed by $877 million in unpaid terrorism judgments

Gerstein Harrow LLP, representing three families holding unpaid terrorism judgments against North Korea, served a restraining notice on Arbitrum DAO on May 1 under CPLR §5222(b), the New York enforcement mechanism that allows creditors to freeze assets by serving a notice without first obtaining a court order. Two federal statutes undergird the legal theory: the Foreign Sovereign Immunities Act and the Terrorism Risk Insurance Act both give judgment creditors avenues to pursue assets connected to state-backed terrorist activity.

Because LayerZero and TRM Labs had publicly attributed the Kelp DAO exploit to North Korea's Lazarus Group and APT-38, the lawyers argued the frozen ETH qualifies as DPRK property, giving their clients first claim over the rsETH depositors Aave was trying to make whole.

Three US court judgments underlie the creditors' claim: the Kim, Kaplan, and Calderon-Cardona cases against North Korea carry combined awards exceeding $877 million before accrued interest, at roughly $330 million, $169 million, and $378 million respectively.

The Calderon-Cardona case traces to the 1972 Lod Airport massacre, in which 26 people were killed, 17 of them Puerto Rican pilgrims; a US court later found North Korean state backing for the attack. The families behind all three judgments have collected nothing. Gerstein Harrow's pursuit of Arbitrum-frozen ETH follows a pattern of targeting North Korean-linked crypto assets as they move through DeFi protocols, including a separate January 2026 lawsuit targeting Railgun DAO and Digital Currency Group over allegedly facilitating the movement of DPRK-controlled funds.

What the court ordered, and what it left for later

Aave filed an emergency motion through Morrison Cohen LLP on May 5, asking the court to vacate the restraining notice entirely or require the plaintiffs to post a bond of at least $300 million. The company argued that under basic property law a thief acquires no title to stolen property, and that treating the ETH as North Korean state assets would expose every future DeFi recovery effort to seizure claims the moment a state-backed hacker is involved.

Judge Garnett's order resolved the procedural deadlock without ruling on ownership. Invoking CPLR §5240, the court modified the restraining notice to permit the transfer while leaving the terrorism creditors' legal claims fully intact on the assets, which travel with the ETH from Arbitrum to Aave.

The order's third paragraph binds Aave LLC to the restraining notice terms as though the notice had been issued directly to it, meaning the creditors' claims survive the transfer and Aave cannot freely use the funds. Arbitrum delegates voted with 182.2 million ARB tokens in favor of the transfer, representing roughly 91% of participating voting power. A binding onchain governance vote is still required before any transfer occurs. The court reserved decision on all remaining matters, including whether the frozen ETH constitutes North Korean property at all.

The liability gap no court order can close

The structural problem the ruling exposes is precisely what makes it significant for fintech and decentralized infrastructure broadly. Arbitrum DAO has no legal personhood. A restraining notice served on a decentralized governance structure finds no registered address, no officers, and no single party capable of accepting service or being held in contempt. The practical solution for this case, protecting individual voters from personal liability while keeping the assets subject to future claim, is workable only because Aave LLC existed to step into the role of identifiable custodian.

Gerstein Harrow's broader campaign extends that logic directly to protocols where no equivalent legal entity exists. The January 2026 Railgun DAO lawsuit targets a privacy protocol that, by design, operates without centralized control, an operator, or an LLC. That case sought default in March 2026 after claiming the protocol failed to respond to service, which is precisely what happens when a court serves process on an entity structurally incapable of receiving it. The custody question over who bears legal responsibility for court-frozen crypto assets is emerging simultaneously in the debate over the US Bitcoin reserve, where the same absence of a clear responsible party is generating the same unresolved tension.

The regulatory framework that might eventually settle this, the legislation Congress is working through to define crypto's legal standing, has not caught up with the pace at which courts are being asked to improvise answers. The structural problem this ruling exposes cannot be resolved by court order, because each order's logic depends on finding a legal entity willing to accept responsibility for the assets in question.

Judge Garnett found that entity in Aave LLC. The question the ruling leaves open is simpler to state than to answer: what happens when there is no LLC available, no security council with identifiable members, and no individual willing to stand in as the responsible party. A financial system built on trustless coordination works until a court arrives looking for someone to trust.

Editor's note

Every piece published on The Bright Minded goes through careful verification, but mistakes can happen. If you spot an error, have additional information, or want to flag anything, write to rosalia@thebrightminded.com.