Lawyers representing victims of North Korea have altered their legal argument in the dispute over 30,766 ETH that the Arbitrum team froze following the Kelp hack.

The attorneys argue that the incident should be reclassified: they claim the attacker did not merely steal assets but borrowed ETH on Aave using unsecured rsETH and failed to repay it.

“In reality, North Korea borrowed assets from Aave users and did not return them. When Aave attempted to liquidate the collateral, it found that it was worthless,” states the new document.

The plaintiffs cited a principle of American law: even fraudulently obtained property temporarily transfers to the legal ownership of the fraudster until contested. They also referenced the Terrorism Risk Insurance Act, enacted after September 11, which allows victims of terrorism to recover funds from the property of state sponsors.

If the assets stolen during the Kelp attack belonged to North Korea, even temporarily, they could be seized as part of court rulings in terrorism cases, the lawyers argue.

Arguments Against Aave

In early May, a New York court prohibited Arbitrum from unfreezing the stolen ETH. The DAO of the L2 network planned to transfer the funds to the DeFi United fund, created to restore the ecosystem.

Days later, the Aave team filed an emergency motion to lift the freeze on the assets. Project representatives argued that the court's logic was legally flawed.

“A thief does not own what they stole. These funds belong to the users from whom they were taken, and no one else,” stated protocol founder Stani Kulechov.

The plaintiffs' lawyers questioned Aave's right to contest the freeze. They pointed to the platform's terms of use, which state that it “owns, holds, and controls” client assets. According to the lawyers, this makes the project liable for the situation and could weaken its position in court.

They also noted that the victims likely do not urgently need the 30,766 ETH: DeFi United has already raised $327.95 million, four times the amount in question.

A hearing on the case is scheduled for May 6 in the federal court in Manhattan.

Kelp and LayerZero Conflict

Kelp developers stated that the April hack was due to a vulnerability in LayerZero's infrastructure. The project plans to restart its cross-chain system based on Chainlink.

After the recent LayerZero exploit, we are taking steps to ensure rsETH is fully secure, which is why we are migrating to @chainlink CCIP.

From the April 18 incident, it is clear that LayerZero's own infrastructure was exploited, resulting in $300M in losses across DeFi.… https://t.co/beIrfZZLlh

— Kelp (@KelpDAO) May 5, 2026

The crux of the dispute lies in the 1-of-1 DVN configuration, where cross-chain messages are confirmed by a single verifier. Kelp claims that LayerZero approved this setup and failed to warn about the risks, shifting the blame after the hack.

LayerZero insists that the issue was isolated to the rsETH level and arose from Kelp's risky configuration. The affected project's team argues that the 1-of-1 setup was widely used in the omnichain protocol ecosystem, and the decision to abandon such configurations confirms the systemic nature of the vulnerability.

Recall that at the end of April, LayerZero joined the DeFi United initiative and donated 10,000 ETH (~$23 million).