Your crypto may not be truly yours, UK experts warn
Key Points
- The Arbitrum Security Council moved approximately $71 million in stolen crypto without using the attacker's private key in April 2026, challenging the foundational crypto principle of self-custody.
- The action followed the $292 million Kelp DAO exploit, in which attackers used a single compromised verifier node to fabricate cross-chain messages and drain funds.
- UK law firm Travers Smith warns that Layer-2 networks with active governance structures create a de facto intermediary layer, meaning users may not hold true sovereign control over their assets.
- English courts have previously ordered on-chain asset recovery without private keys in the Oasis/Wormhole case, and legal experts say similar orders could now target Layer-2 Security Councils.
- UK crypto holders are advised to map their holdings by governance model and review whether their wallets sit on upgradeable protocols where a third party retains meaningful control.
The Arbitrum Security Council moved approximately $71 million (£53.5 million) in stolen crypto without using the attacker’s private key last month, and UK legal experts say the incident should force every crypto holder to reassess what self-custody actually means.
On 18 April 2026, attackers stole approximately $292 million from Kelp DAO, a platform that lets users earn returns on crypto holdings.
The theft worked by exploiting a weakness in the system that verifies transfers between different blockchains.
That verification relied on a single verifier node rather than several independent ones, so the attackers needed to compromise only one gatekeeper to move funds they were not entitled to.
They used that opening to fabricate a legitimate-looking cross-chain transfer message and drain the platform.
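The single-verifier weakness described above can be shown in a few lines. The following is an added example, not code from Kelp DAO, Arbitrum or any bridge named on this page: per-verifier HMAC keys stand in for the signing keys a real verifier set would hold, the verifier identifiers, keys, addresses and amounts are constructed, and the point is the acceptance rule. With a threshold of one, a single compromised verifier is enough to release funds; requiring a quorum of distinct verifiers means one compromised node cannot release anything on its own.

```python
"""Cross-chain message acceptance: single verifier vs. M-of-N quorum.

Constructed, simplified example. HMAC over a canonical encoding stands in
for the signatures a real verifier set would produce.
"""
import hashlib
import hmac
import json

# Constructed verifier key set (hypothetical names and keys).
VERIFIER_KEYS = {
    "verifier-a": b"constructed-key-a",
    "verifier-b": b"constructed-key-b",
    "verifier-c": b"constructed-key-c",
}


def canonical(message: dict) -> bytes:
    """Deterministic encoding so every verifier attests to identical bytes."""
    return json.dumps(message, sort_keys=True, separators=(",", ":")).encode()


def attest(verifier_id: str, key: bytes, message: dict) -> tuple:
    """One verifier's attestation: (verifier id, MAC over the canonical message)."""
    mac = hmac.new(key, canonical(message), hashlib.sha256).hexdigest()
    return verifier_id, mac


def count_valid(message: dict, attestations) -> int:
    """Count attestations from distinct, known verifiers whose MAC checks out.

    Unknown verifier ids are ignored, and a second attestation from the same
    verifier is not counted twice, so replaying one attestation cannot inflate
    the count towards the threshold.
    """
    seen = set()
    expected_bytes = canonical(message)
    for verifier_id, mac in attestations:
        key = VERIFIER_KEYS.get(verifier_id)
        if key is None or verifier_id in seen:
            continue
        expected = hmac.new(key, expected_bytes, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, mac):
            seen.add(verifier_id)
    return len(seen)


def verify_single(message: dict, attestations) -> bool:
    """Weak rule: any one valid attestation releases the funds."""
    return count_valid(message, attestations) >= 1


def verify_quorum(message: dict, attestations, threshold: int = 2) -> bool:
    """Hardened rule: at least `threshold` distinct verifiers must attest."""
    return count_valid(message, attestations) >= threshold


def demo() -> dict:
    """Run both rules over a legitimate and a forged message (constructed data)."""
    legit = {"src": "chain-A", "dst": "chain-B", "to": "0xRECIPIENT_PLACEHOLDER", "amount": 1_000}
    forged = {"src": "chain-A", "dst": "chain-B", "to": "0xUNAUTHORISED_PLACEHOLDER", "amount": 1_000_000}

    # All three honest verifiers attest to the legitimate transfer.
    honest = [attest(v, k, legit) for v, k in VERIFIER_KEYS.items()]
    # Only one verifier's key is compromised; its attestation is submitted twice.
    one_key = [attest("verifier-a", VERIFIER_KEYS["verifier-a"], forged)] * 2

    return {
        "legit_single": verify_single(legit, honest),
        "legit_quorum": verify_quorum(legit, honest),
        "forged_single": verify_single(forged, one_key),
        "forged_quorum": verify_quorum(forged, one_key),
        "forged_distinct_valid": count_valid(forged, one_key),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The quorum rule is only as good as the independence of the verifiers: if the same operator, key store or software build stands behind several of them, compromising one may compromise all, and the threshold gives a false sense of safety.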
A portion of the stolen funds, worth around $71 million, ended up on Arbitrum, a secondary network that runs on top of Ethereum and processes transactions on its behalf.
On 21 April, the Arbitrum Security Council, a group with administrative oversight of the network, took the unusual step of temporarily modifying Arbitrum’s underlying code to move those funds out of the attacker’s wallet and into an address controlled by the network’s governing body.
Crucially, they did this without ever accessing the attacker’s private key, the password-like credential that normally gives a wallet owner sole control over their funds.
According to Travers Smith, the Security Council acted after extensive deliberation involving technical, legal, and ethical experts, as well as law enforcement.
The recovered funds remain locked in a governed address while a group of major DeFi platforms, including Aave Labs and Kelp DAO, agree on how to distribute them to those affected.
Why UK crypto holders should care
The phrase “not your keys, not your coins” has long defined crypto’s promise of true asset ownership. The Arbitrum intervention directly challenges that.
Travers Smith notes that the seized assets were held in an externally owned account under the attacker’s private-key control, yet Arbitrum’s mutable governance structure allowed the Security Council to override that control entirely.
This is not the first time assets have moved on-chain without a private key.
Following the $320 million Wormhole bridge hack in February 2022, an English High Court order directed Oazo Apps, the company behind the DeFi platform Oasis, to exploit a known vulnerability in its own smart-contract code to recover stolen funds.
The Tulip Trading case, which reached the Court of Appeal, sought to establish whether Bitcoin Core developers owed fiduciary duties to owners of inaccessible bitcoin, though the comparatively decentralised structure of Bitcoin made that a far harder argument.
Arbitrum, by comparison, was designed with an active Security Council that retains meaningful control over the protocol.
Getting the law involved
UK lawyers now argue that crypto holders and institutional investors need to map their holdings not just by chain, but by governance model.
A wallet on a Layer-1 blockchain like Bitcoin or Ethereum behaves very differently from a wallet on a Layer-2 network with an upgradeable governance structure.
The latter may carry an intermediary layer that, in practice, resembles a custodial arrangement even when users believe they are holding assets independently.
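One concrete way to start the mapping the lawyers describe is to check whether a protocol's contract is an upgradeable proxy, and if so who holds the upgrade authority. The following is an added example and not code from Travers Smith, Arbitrum or any protocol on this page. It assumes the contract follows the EIP-1967 proxy standard, whose well-known storage slots hold the implementation and admin addresses; the JSON-RPC responses below are constructed so the example runs offline, and a real check would send the same `eth_getStorageAt` request to a node.

```python
"""Classify a contract as an EIP-1967 upgradeable proxy from its storage slots.

Constructed, offline example. Storage words are constructed; in practice they
come back from eth_getStorageAt on a node.
"""
import json
from typing import Optional

# Well-known EIP-1967 slots: keccak256("eip1967.proxy.implementation") - 1 and
# keccak256("eip1967.proxy.admin") - 1, hard-coded here as the standard defines them.
IMPL_SLOT = "0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc"
ADMIN_SLOT = "0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103"
ZERO_WORD = "0x" + "00" * 32


def storage_request(address: str, slot: str, request_id: int = 1) -> str:
    """JSON-RPC body for eth_getStorageAt on the latest block."""
    return json.dumps({
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "eth_getStorageAt",
        "params": [address, slot, "latest"],
    })


def word_to_address(word: str) -> Optional[str]:
    """Decode a 32-byte storage word holding an address (low 20 bytes).

    Nodes may return the word without leading zeros, so it is left-padded first.
    Returns None for an empty slot.
    """
    raw = word[2:].lower().rjust(64, "0")
    if len(raw) != 64 or int(raw, 16) == 0:
        return None
    return "0x" + raw[-40:]


def classify(impl_word: str, admin_word: str) -> dict:
    """Decide whether a third party can change the contract's code."""
    implementation = word_to_address(impl_word)
    admin = word_to_address(admin_word)
    if implementation is None:
        return {
            "upgradeable": False,
            "implementation": None,
            "admin": None,
            "note": "no EIP-1967 implementation set: not a standard proxy, "
                    "or upgradeable by some other pattern",
        }
    if admin is None:
        note = "admin slot empty: upgrade authority lives elsewhere, e.g. in the implementation"
    else:
        note = "the admin address can replace this contract's code"
    return {"upgradeable": True, "implementation": implementation, "admin": admin, "note": note}


def classify_holdings(holdings: dict) -> dict:
    """Map label -> (impl_word, admin_word) onto a governance classification."""
    return {label: classify(impl, admin) for label, (impl, admin) in holdings.items()}


# Constructed storage words: one proxy with an admin, one contract with empty slots.
CONSTRUCTED_HOLDINGS = {
    "protocol-vault (proxy)": (
        "0x" + "00" * 12 + "11" * 20,
        "0x" + "00" * 12 + "22" * 20,
    ),
    "plain-token (no proxy slots)": (ZERO_WORD, ZERO_WORD),
}

if __name__ == "__main__":
    print(storage_request("0xCONTRACT_PLACEHOLDER", IMPL_SLOT))
    for label, verdict in classify_holdings(CONSTRUCTED_HOLDINGS).items():
        print(label, "->", verdict)
```

An empty pair of slots does not prove a contract is immutable: older proxy designs, diamond-style contracts and protocol-level governance (such as a rollup's own upgrade mechanism) sit outside EIP-1967. Conversely, when the admin slot is populated, the admin is often itself a contract such as a multisig or timelock, so the question of who really holds control continues one level up.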
English courts have already shown a willingness to issue orders against parties who hold control over on-chain protocols.
The Oasis recovery set a precedent for using governance mechanisms under court direction.
Travers Smith’s analysis suggests courts may now extend that logic to Layer-2 Security Councils and DAO governance bodies, ordering them to return assets to victims or rightful owners.
The legal picture is not straightforward. If a governance body acts to recover funds before any court ruling, and traces assets incorrectly to an innocent third party, that party may have grounds for a claim against both the governance body and the original victim.
The speed at which on-chain governance can act means the legal system will frequently be playing catch-up.
For UK retail investors, the immediate implication is more terms and conditions.
Protocols, including Drift and Aave, now publish terms and conditions that include choice-of-law clauses and arbitration provisions, suggesting even the DeFi sector now accepts it operates within a legal framework rather than outside one.