On-chain investigators have confirmed that the $292 million KelpDAO bridge exploit and the $21 million Humanity Protocol theft were carried out by the same North Korea-linked attackers.
On-chain analysts traced $23.6 million in stolen Humanity Protocol funds to Bitcoin wallets that also hold proceeds from April's $292 million KelpDAO bridge exploit, confirming the two attacks were the work of the same group.
"The funds have landed in the same wallets," blockchain analyst Specter said, citing on-chain evidence showing the Humanity attacker bridged 15,403 ETH to the Bitcoin network, where it mixed with proceeds traced to the KelpDAO exploit.
The KelpDAO attack on April 18 saw hackers compromise internal RPC nodes operated by LayerZero Labs, tricking the Ethereum bridge contract into releasing 116,500 rsETH without a corresponding token burn on the source chain. Chainalysis attributed the exploit to North Korea's Lazarus Group.
The Humanity Protocol breach on June 8 followed a different method but led to the same destination. A phishing email impersonating Korean exchange Bithumb gave attackers remote desktop access to a company director's Windows machine, according to a Quantstamp incident report prepared for Humanity Protocol on June 11. The attacker copied MetaMask wallet keys and used them to mint and sell unauthorized $H tokens on Ethereum and BNB Smart Chain, causing the token to crash roughly 89%. Quantstamp described the intrusion as "characteristic of DPRK intrusions."
The confirmed link between the two attacks — separated by two months and targeting entirely different infrastructure — signals a coordinated, state-sponsored campaign against DeFi and crypto identity protocols, raising the stakes for security audits and insurance costs across the sector.
How the Funds Were Traced
Specter identified that the Humanity Protocol attacker moved 15,403 ETH, worth about $23.6 million, to a new Ethereum address before crossing the funds onto Bitcoin. There, the stolen assets commingled with proceeds from the KelpDAO exploit — a well-documented Lazarus Group technique of consolidating funds from separate operations into unified Bitcoin wallets before routing them through mixers and over-the-counter desks.
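The commingling check described above can be sketched as proportional ("haircut") taint propagation over a transfer ledger. This is an added example, not the analysts' tooling or method: the haircut model is one common tracing convention chosen here, and every address, label and amount in the ledger is constructed for illustration.

```python
from collections import defaultdict
from fractions import Fraction

def propagate_taint(seeds, transfers):
    """Haircut model: each outgoing transfer carries the sender's taint pro rata.

    seeds: {address: (label, amount)}, stolen funds at their first known address.
    transfers: chronological (sender, receiver, amount); a bridge hop is one
    transfer to an address on the other chain, with amounts in a common unit.
    """
    balance = defaultdict(Fraction)
    taint = defaultdict(lambda: defaultdict(Fraction))
    for addr, (label, amount) in seeds.items():
        balance[addr] += amount
        taint[addr][label] += amount
    for sender, receiver, amount in transfers:
        amount = Fraction(amount)
        if amount <= 0:
            continue
        # Funds we never saw arrive (incomplete ledger) are counted as clean.
        balance[sender] = max(balance[sender], amount)
        share = amount / balance[sender]
        for label, held in list(taint[sender].items()):
            taint[sender][label] -= held * share
            taint[receiver][label] += held * share
        balance[sender] -= amount
        balance[receiver] += amount
    return balance, taint

def commingled(taint, labels, min_amount=0):
    """Addresses holding more than min_amount of taint from every label."""
    return sorted(addr for addr, held in taint.items()
                  if all(held.get(label, 0) > min_amount for label in labels))

# Constructed ledger: addresses and amounts are invented for illustration.
SEEDS = {"eth:kelpdao_src": ("kelpdao", 100), "eth:humanity_src": ("humanity", 20)}
TRANSFERS = [
    ("eth:kelpdao_src", "eth:hop_1", 100),
    ("eth:hop_1", "btc:wallet_1", 60),        # bridge hop to Bitcoin
    ("eth:hop_1", "btc:wallet_2", 40),
    ("eth:humanity_src", "eth:fresh_addr", 20),
    ("exchange:hot", "btc:wallet_1", 20),     # unrelated clean deposit
    ("eth:fresh_addr", "btc:wallet_1", 20),   # second incident lands here
    ("btc:wallet_1", "btc:wallet_3", 50),     # onward consolidation
]

if __name__ == "__main__":
    _, taint = propagate_taint(SEEDS, TRANSFERS)
    for addr in commingled(taint, ["kelpdao", "humanity"]):
        print(addr, {k: float(v) for k, v in taint[addr].items()})
```

Raising `min_amount` filters out wallets that only hold dust from one of the incidents, which keeps a shared-wallet finding from resting on a trivial overlap.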
The KelpDAO attack alone drained approximately $292 million in rsETH, though the Arbitrum Security Council froze over 30,000 ETH of the attacker's downstream funds, and KelpDAO's emergency pause prevented another $95 million from being drained. Proceeds at known Humanity Protocol attacker addresses are worth over $21 million in ETH, per Quantstamp's findings.
Legal Claims Complicate Recovery
The confirmed North Korea link adds a legal twist to recovery efforts. Plaintiffs holding over $877 million in unpaid US court judgments against North Korea served the Arbitrum DAO with a restraining notice on April 30, seeking to seize approximately 30,766 ETH — about $71 million — of frozen funds linked to the KelpDAO exploit. The plaintiffs argued that since the funds were tied to North Korea, they had the right to seize assets linked to the country as part of unpaid judgments.
A court later approved an Arbitrum governance vote to transfer the frozen KelpDAO funds back to Aave, which had been left with an estimated $190 million to $230 million in bad debt after the exploit triggered over $8 billion in user withdrawals. How the plaintiffs will respond to the confirmed on-chain link between the two attacks remains unclear, but the Humanity Protocol losses could face similar litigation.