Suspicions are mounting that the $292 million stolen from the KelpDAO bridge in April and the funds lost to a private key theft at Humanity Protocol in June are connected, as new on-chain data highlights possible links between the two breaches. Blockchain analyst Specter revealed that assets from both attacks have been combined in shared wallets, forming a pattern indicative of a single laundering operation.
Funds converge on the Bitcoin network
According to data released by Specter, the perpetrator of the Humanity Protocol hack transferred 15,403 ETH, amounting to roughly $23.6 million, into a relatively new Ethereum address. These funds were then bridged to the Bitcoin network, where they pooled with proceeds previously traced to the KelpDAO hack, suggesting a coordinated movement of assets.
Gathering funds from different attacks into common Bitcoin wallets and then funneling them through mixers and over-the-counter transactions is a method frequently seen in operations tied to the Lazarus Group.
Researchers believe this approach mirrors tactics used in previous North Korea-linked Lazarus Group operations. Analysis by ZachXBT and Specter indicates that the asset flows from the two separate incidents ultimately converged at a single financial outflow point.
Glossary: An RPC node is the technical infrastructure enabling blockchain applications to communicate with the network. A DDoS attack aims to overwhelm a service with simultaneous requests, rendering it inaccessible.
Bridge mechanism targeted in KelpDAO attack
Chainalysis investigations found that, in the April 18 KelpDAO attack, cybercriminals compromised internal RPC nodes operated by LayerZero Labs while launching a simultaneous DDoS attack on external nodes. This allowed them to deceive the Ethereum bridge contract, releasing 116,500 rsETH into circulation on the destination chain without a corresponding burn event on the source chain.
The attack was attributed to the Lazarus Group. The Arbitrum Security Council managed to freeze over 30,000 ETH linked to the hacker downstream. An emergency shutdown mechanism enabled by KelpDAO also prevented an additional $95 million from being withdrawn from the platform.
Phishing at the core of the Humanity Protocol incident
Though the Humanity Protocol breach relied on a different technique, post-incident analysis once again pointed to actors linked to North Korea. According to Quantstamp’s incident report dated June 11, the attacker deceived company executive Chong Yee Wai with a malicious email masquerading as a South Korea-based crypto exchange, Bithumb.
Quantstamp found that the breach shared hallmarks of North Korean-origin intrusions, noting the malware installed granted remote desktop access to the attacker.
Subsequently, the attacker copied MetaMask wallet keys from Chong’s Windows device. These keys were then used to mint and sell unauthorized $H tokens on Ethereum and BNB Smart Chain. Following the incident, the token price plummeted nearly 89%. Quantstamp reported that known attacker addresses amassed more than $21 million worth of ETH from the exploit.
Legal proceedings complicate recovery efforts
Legal challenges have added new complexity to the ongoing investigation. There are reportedly more than $877 million in outstanding judgments in US courts against North Korea. In May, plaintiffs filed a preliminary injunction seeking the seizure of approximately 30,766 ETH—worth about $71 million—frozen by Arbitrum DAO, based on a court order dated April 30.
Plaintiffs contend that, because the assets are linked to North Korea, they should be subject to confiscation. Meanwhile, Arbitrum has initiated a governance process to transfer the frozen KelpDAO funds to a recovery initiative backed by Aave Labs, KelpDAO, LayerZero, EtherFi, and Compound. The court has since approved the Arbitrum vote, paving the way to move the KelpDAO funds to Aave.
Even with this latest on-chain confirmation, it remains unclear whether losses and potential recovery claims stemming from the Humanity Protocol incident will face similar legal proceedings.
