Kelp DAO and Humanity Protocol Funds Mixed On-Chain — Is One Attacker Behind Both Exploits?

A fresh wave of on-chain evidence has added a startling new layer to the investigations surrounding two of 2026's most significant DeFi exploits — the Kelp DAO bridge attack and the Humanity Protocol hack. Blockchain sleuth ZachXBT recently flagged activity suggesting that stolen funds from both incidents have been deliberately commingled, pointing toward either a single attacker or a tightly coordinated criminal network operating behind the scenes.

According to on-chain data cited by Specter, the individual responsible for the Humanity Protocol breach transferred 15,403 ETH — valued at approximately $23.6 million — into a freshly created Ethereum address. Those assets were subsequently bridged over to the Bitcoin network, where they were merged with proceeds already tied to the Kelp DAO exploit. To date, more than $8 million of the total stolen amount has been successfully laundered through this process.

This particular methodology closely mirrors tactics long associated with North Korea's Lazarus Group, which is known for consolidating gains from multiple separate operations into a single Bitcoin wallet before routing the funds through cryptocurrency mixers and over-the-counter trading desks to obscure their origin.

The scale of both attacks is worth emphasizing. The Kelp DAO exploit, which struck in April 2026, drained an estimated $292 million from the protocol's LayerZero bridge — one of the largest DeFi thefts on record. Humanity Protocol suffered its breach in June 2026, losing around $32 million after hackers compromised a developer's device and leveraged that access to seize control of deployer accounts and team-controlled wallets.

Prior to the discovery of this fund overlap, the Humanity Protocol incident had largely been treated as a potential insider job due to the nature of the access the attackers obtained. The newly uncovered connection to the Kelp DAO laundering trail, however, now steers suspicion firmly toward an external threat actor — or at the very least, a group with shared infrastructure and coordination.

The North Korea angle carries significant legal weight as well. Plaintiffs holding over $877 million in unresolved court judgments against North Korea in U.S. courts have previously argued that funds traceable to Pyongyang-linked entities should be subject to seizure as partial satisfaction of those debts.

Beyond the criminal dimension, the timing of these revelations coincides with growing concerns over the expanding influence of MEV bots in decentralized markets. While such automated systems generally improve market efficiency, high-profile cases like the Jaredfromsubway.eth incident demonstrate that even sophisticated trading infrastructure remains vulnerable to manipulation by skilled adversaries.

Taken together, the commingling of funds from two separate nine-figure exploits, the Lazarus-style laundering pattern, and the escalating role of automated attack vectors paint a troubling picture for the DeFi sector. Adding to the broader unease, Ethereum's price slipped to an intraday low of $1,581.76 during the period in question, reflecting wider market pressures.

In summary, on-chain forensics now strongly suggest a direct link between the perpetrators of the Kelp DAO and Humanity Protocol attacks. With over $8 million already laundered and investigations still ongoing, the full scope of this coordinated threat has yet to be determined.