Guest: Griff Green, member of Arbitrum Security Council

Host: Zack Guzman

Podcast Source: Coinage

Original Title: Why Arbitrum Decided To Take Back $72M North Korea Stole

Broadcast Date: April 23, 2026

Editor’s Introduction

In the past few days, Ethereum and the entire crypto circle have been focused on the incident involving Kelp DAO (a liquidity re-staking protocol) being hacked, which also affected Aave (a decentralized lending platform).

The Arbitrum Security Council exercised emergency powers to freeze and recover approximately $72 million worth of assets from an address controlled by suspected North Korean hackers. This is the first instance in the crypto industry where "an L2 has activated 'God mode' to freeze the funds of a certain address." Before this podcast, there was ongoing debate within the community. The controversial point was that while Arbitrum did the right thing, the ability of a chain to "move assets from a specific address" raised doubts about its limits and decentralization.

The guest on this episode of the podcast is Griff Green, one of the members of the Arbitrum Security Council, who had the authority to make this decision. Griff was also a firsthand witness of the 2016 DAO hack and one of the promoters of Ethereum's hard fork. In the interview, he directly criticized Circle (the issuer of USDC) for its "consistent inaction" in the North Korean hacker incident and compared it to Tether's proactive freezing actions, arguing that Circle's decision-making logic is entirely driven by financial statements.

Highlights

The 'Immutability' of Blockchain is a Misunderstanding

• "People think that blockchain is immutable, but in reality, the basis on which blockchain operates is social consensus. If everyone agrees to upgrade the protocol, the rules can be changed. This is true for both Ethereum and Bitcoin."
• "That's why there are discussions in the Bitcoin community about freezing Satoshi's tokens. This is technically feasible because the blockchain is not absolutely immutable; it just has rules."

The Real Foundation of Decentralization is Market Behavior

• "If people disagree with our decisions, they will sell the tokens. If the Bitcoin network colludes to steal people's money, holders will obviously sell off their holdings. The true basis of decentralization is market behavior, and the role of market dynamics in this matter is seriously underestimated."
• "Honestly, no one will blame us for doing nothing. Doing nothing carries almost no risk, so a little willingness to take risks is required."

The Attack Pattern of North Korean Hackers

• "North Korea rarely conducts attacks at the smart contract layer. Most of the time, the attack is not on the code but on people. They use social engineering to find key holders with special permissions and gain access to computers and keys."
• "I don't know why they left the funds in one address untouched for two days. Maybe they worked for three days and took a break on Sunday, then were late on Monday. That was our window."

Comparison Between Circle and Tether

• "Let me be very clear: there are obviously no good people at Circle. They have consistently chosen inaction. On the other hand, Tether has been freezing North Korean funds continuously, recovering amounts far exceeding $70 million."
• "Circle's origins are not crypto-native; they are from Goldman Sachs. So their decision-making logic is whether this looks good on the financial statements. If freezing North Korean funds can make them money, they will definitely do it."

Security Issues Are the Biggest Obstacle to the Crypto Industry's Landing

• "With today's technology, we can absolutely create something safer than PayPal and banks. We can take the infrastructure of banks and PayPal, remove the custodians, and make a non-custodial version; the technology is already in place."
• "I don't know anyone who has had their money stolen from their bank account after being phished. But I know many people who lost crypto after being phished."
• "I have always been working for the public good, trying to create something better than the government, but I keep hitting the same wall: this technology is not yet safe enough for ordinary people to use."

Activating God Mode

Zack Guzman: Many people are following the developments. The controversy has not stopped. Let's start with the structure of the Arbitrum Security Council. You are a member of the Security Council, and you mentioned in your posts that this is a very serious decision. Can you talk about how the whole incident unfolded?

Griff Green: Kelp DAO was attacked, and there is still debate about whether Kelp DAO or LayerZero (the cross-chain messaging protocol) is mainly responsible, but the impact indeed reached Aave. This was a cross-chain bridge attack where a large amount of tokens, with an approximate value of $300 million on Layer 2, were stolen by hackers through the bridge and then used as collateral to borrow ETH on Aave on Ethereum mainnet and Arbitrum.

After the North Korean hackers obtained the ETH, they left it in their wallet for several days without moving, which gave us a time window to coordinate a rescue. Arbitrum, being a Stage 1 rollup that is still in development (meaning it has certain security assurances but is not yet fully decentralized), has a security council. This operates with a 9-of-12 multi-signature (where 9 out of 12 members are required to sign in order to execute an operation). We collaborated with Seal 911 (a security emergency response organization in the crypto industry) to utilize the emergency powers to transfer the funds from the address controlled by North Korea and freeze them to a new address they cannot access.

The Foundation of Blockchain

Zack Guzman: I didn't know that there is a 9-of-12 threshold; many people seem not to know that Arbitrum has this capability. You probably also don't want North Korean hackers to know about this feature's existence.

Griff Green: This is actually completely public information. I think people have some misunderstandings about blockchain technology. The foundation of blockchain is open-source code, nodes running on servers, and social consensus.

My first project was The DAO. At that time, we raised $150 million and then got hacked. If you're interested in learning more, you can read Laura Shin's book "The Cryptopians," which has 100 pages that specifically discuss this event. Ultimately, we used the Ethereum network's hard fork to do something very similar to what we did this time on Arbitrum: breaking the rules and transferring funds from the hacker's wallet without their permission.

What can be done on Ethereum and Bitcoin can be done on any chain because the essence of blockchain operates on social consensus. Now, there are discussions in the Bitcoin community about freezing Satoshi's tokens, and if everyone agrees, it can be realized.

What is slightly different on Arbitrum is that there is no need to convince all network node operators; there are two paths: ARB token holders can vote to execute the same operation, or the 9-of-12 multi-signature of the security council can act in emergencies. Before this incident, the security council's powers were only used to fix bugs and upgrade protocols, and they had never frozen funds before. To my knowledge, this is also the first time a large L2 has frozen on-chain funds.

Comparing Two Incidents

Zack Guzman: You have experienced both the DAO hack incident and this one. How do you feel when comparing the two?

Griff Green: This time it was much easier. The DAO was my own project, and I lost $150 million, which was a lot more pressure. This time, I personally did not incur any financial losses; I stepped in to help as a member of the security council.

Moreover, the infrastructure is so much better now that we can determine what happened more quickly. When The DAO was hacked, we didn't even know who the hacker was. This time, Seal 911 could contact the FBI and basically confirm that the attacker was indeed North Korean hackers. We obtained intelligence from our built network over the years.

Key Topic Discussion

Zack Guzman: In decision-making discussions, one side of inaction is allowing North Korea to retain those funds. But conversely, there are also concerns that this could have a chilling effect on DeFi. What was the discussion process like?

Griff Green: The first challenge was technical. We spent a lot of time finding a perfect technical solution, and finding that solution itself was impressive—kudos to the technical heroes behind the scenes.

Once we confirmed the technical feasibility, we entered into the real discussion: we can do it, but should we do it?

From my personal standpoint, the attacker was almost certainly North Korea, involving $72 million, which posed an existential risk to DeFi. My duty is to uphold the constitution of Arbitrum and do what I believe is right for Arbitrum. No one will blame us for choosing inaction; doing nothing carries almost no risk. So it does require a bit of a willingness to take risks.

Some may feel uneasy, thinking "9 people can do this on-chain." But let me tell you, getting 9 security experts, who are themselves extremely risk-averse, to agree to do something after probing all potential issues is much harder than you might think. It may even be harder than coordinating a mining pool to freeze Satoshi's tokens.

The key information is that the system is still decentralized. This is reflected not only in architecture but also in market sentiment and price behavior. If people dislike our decision, they will sell the tokens. This is the true foundation of decentralization; the role of market dynamics in this matter is seriously underestimated.

Zack Guzman: The security council is elected by ARB token holders. Will this incident set a precedent and change people's attitudes towards hacking incidents in the Ethereum ecosystem?

Griff Green: One aspect that is underestimated is that hackers rarely leave funds in one address untouched for two days. It was precisely because they did not move that we had a window of opportunity. I cannot recall any prior hack incident on Arbitrum that had a similar situation. I don't know why they didn't transfer the funds. Maybe they worked hard for three days, took a break on Sunday, and then were late on Monday.

So I believe people will be more open about this matter. Not because it has become possible technically (it has always been possible), but because they witnessed an actual operation. L2Beat (an Ethereum Foundation-sponsored L2 security assessment project) clearly states that the security council has emergency upgrade permissions. The hackers could have transferred the funds at any moment and thwarted our efforts, but we were lucky.

Security Lessons

Zack Guzman: What are the security lessons?

Griff Green: First, technical risk analysis needs to be better done. Aave has done well in controlling the access of low-market-cap, high-volatility tokens, but they have been too lenient with liquid staking tokens (LST). The underlying assets of these tokens are ETH, and while the economic risks are low, the technical risk aspects need more scrutiny. This is not just an Aave issue; all lending protocols, including Morpho, Compound, and Sky, need to double down on technical risk analysis.

The setup of Kelp DAO had a single point of failure (one-of-one, meaning only one critical point needs to be breached to succeed), which is where it was criticized. But the bigger problem is operational security (opsec), specifically that the keys were compromised. North Korea rarely conducts attacks at the smart contract level; more often than not, the attack is on people, meaning they access computers and keys through social engineering.

There are two ways to respond: one is to strengthen security standards. If you are managing large amounts of funds, your computer security level should be on par with that of the CEO of a large traditional tech company. But the crypto industry is not currently at that level.

How to Handle $72 Million

Zack Guzman: What will happen to the recovered $72 million next? Will you also vote to decide?

Griff Green: Yes, this will be very interesting. The situation for users in the Aave and Kelp DAO ecosystems will improve, but determining the specific plan is quite difficult. Internal coordination within a DAO is inherently challenging, just like it is with governments and large organizations, especially when there is no clear final decision-maker.

Previously, Aave and Kelp DAO were blaming each other, but now with Arbitrum involved, it requires cooperation from three DAOs. The good news is that there is now an actual fund allocation; Aave and Kelp DAO can no longer just pass the buck to each other—they need to publicly establish a plan. How to return this $72 million to users will ultimately require a vote by the Arbitrum DAO token holders.

My personal stance is that unless it is 100% directly returned to users, the Arbitrum DAO should not release these funds.

It should be noted that the security council only acts in emergencies. We deliberately sent the funds to the address 0x0000DAO; the "DAO" suffix was intentionally selected, indicating that this money now belongs to the DAO community. I am also a delegate of the Arbitrum DAO. But the total votes may have up to 200 million votes, while I only have about 10 million votes, which is roughly 5% of the voting power. There are many others with greater weight than I have.

Current Projects

Zack Guzman: Let's talk about the projects you are currently working on, which are very relevant to the theme of security.

Griff Green: After the DAO incident, I have been working in this industry. One platform I am involved in building is called Giveth (a decentralized donation platform), which helps many non-profit organizations fundraise on Ethereum. I have seen these non-profit organizations lose money in every conceivable way: sending money to the correct address but on the wrong chain, getting phished, smart contract vulnerabilities, exchanges being hacked, etc.

With today's level of technology, we can definitely create something safer than PayPal or banks. The technology is in place. But the reality is that I don't know any person whose bank account was stolen after being phished, yet I know many who lost crypto after being phished.

Therefore, we established the DAO Security Fund. The goal is to make Ethereum safer than banks. We have about $170 million in staked assets and use staking profits as a long-term funding source for security.

The first round of large-scale funding starts tomorrow. At qf.giveth.io, you can donate to security projects. Based on your donation direction, a $1 million funding pool will be proportionally distributed to various security projects.

But more important than funding is project discovery. There are hundreds of free open-source security tools available in the market, but many people are completely unaware of their existence. The core purpose of this round is to gather these projects into one place for people to discover them. Funding can help these projects survive, but the real impact is market signals: which projects are most needed and which directions deserve more investment.

Comparison of Circle and Tether

Zack Guzman: When there is no mechanism like a security council, it effectively forces centralized stablecoin issuers (like Circle) to face the question of whether to freeze assets. What do you think of these two models?

Griff Green: If you have the ability to solve this problem, you have the responsibility to do so. There’s an old saying that all it takes for evil to prevail is for good people to do nothing.

I will make a very clear statement: there are obviously no good people at Circle. They have consistently chosen inaction. On the other hand, Tether has been continuously freezing North Korean funds, recovering amounts far exceeding $72 million.

You might think it should be the other way around, but I believe the reason lies in Tether's founding team, which is DeFi-native and crypto-native, and they retain some of the old-school crypto values. Circle's origins are with Goldman Sachs, and their decision-making logic is about how good it looks on the financial statements. If freezing North Korean funds can make them money, they will definitely do it.

I am not a Tether extremist; I lean more towards decentralism. But Circle's performance in this situation is indeed perplexing. I don’t know whether we must collectively sell off USDC to give them enough market feedback. The attacks from North Korea are not only damaging our portfolios but also threatening real-world security. Everyone is negatively affected by not stopping North Korea.

Zack Guzman: The politics of the blockchain world is far more complex than many people realize.

Griff Green: Yes. You might think it’s financial, hardcore technology, but there are extensive political discussions involved. Discussions about self-regulation and how to build society on a new foundational framework are very in-depth. But every time I try to bring these things into the real world, I ultimately hit the security issues.

The attacks from North Korea on large protocols is one dimension. But there are many lower-level problems, like phishing calls impersonating Coinbase customer service, improvements in user experience, etc. Many issues are not nation-state attacks; they are simply that our technology is still not sorted.

I entered crypto in 2013 and obtained the first master's degree in digital currencies in 2016. I have always been working for the public good, trying to create something better than the government, but I keep hitting the same wall: this technology is not yet safe enough for ordinary people to use, but now there is a massive opportunity to change that.