KelpDAO Hack investigators have identified on-chain links between funds stolen from KelpDAO and Humanity Protocol, after the Humanity attacker bridged $23.6 million in ETH to Bitcoin and mixed it with assets traced to the earlier bridge exploit.
The movement adds a connection between two major incidents tied to North Korea-linked actors. Blockchain analyst Specter said the proceeds are now flowing into shared wallets, creating a pattern consistent with one laundering route across separate attacks.
KelpDAO And Humanity Funds Move Through Shared Wallets
According to Specter, the Humanity Protocol attacker transferred 15,403 ETH, worth about $23.6 million, to a new Ethereum address before crossing the funds to the Bitcoin network. Once on Bitcoin, the assets mixed with proceeds connected to the KelpDAO exploit.

The funds stolen in the Humanity Protocol and KelpDAO attacks have landed in the same wallets, per ZachXBT and Specter. Source: TRM Labs
Investigators described the pattern as a known Lazarus Group method, in which stolen funds from separate operations are consolidated into Bitcoin wallets before being routed through mixers and over-the-counter desks. Both incidents had carried signs associated with DPRK-linked cyber operations.
LayerZero Exploit And Phishing Breach Show Different Methods
Chainalysis found that the April 18 KelpDAO exploit targeted LayerZero infrastructure. The attackers compromised internal RPC nodes operated by LayerZero Labs and launched a simultaneous DDoS attack against external nodes.
That activity allowed the attackers to trick the Ethereum bridge contract into releasing 116,500 rsETH without a matching token burn on the source chain. The attack was attributed to the Lazarus Group.
The Arbitrum Security Council froze more than 30,000 ETH in downstream attacker funds, while KelpDAO’s emergency pause stopped another $95 million from being drained.
The Humanity Protocol breach followed a different route. A Quantstamp incident report prepared for Humanity Protocol on June 11 found that an attacker phished company director Chong Yee Wai with a malicious email impersonating Korean exchange Bithumb.
Quantstamp said the attack was “characteristic of DPRK intrusions.” The malware gave the attacker remote desktop access to Chong’s Windows computer. The attacker copied MetaMask wallet keys and used them to mint and sell unauthorized H tokens on Ethereum and BNB Smart Chain, causing the token to fall about 89%.
Quantstamp found that proceeds at known attacker addresses were worth more than $21 million in ETH.
Frozen Funds And Court Claims Shape Recovery Efforts
Recovery efforts face legal pressure. Plaintiffs with more than $877 million in unpaid U.S. court judgments against North Korea served Arbitrum DAO with a restraining notice on April 30, seeking 30,766 ETH, valued at about $71 million, from frozen funds.
Arbitrum had a governance proposal to transfer the frozen KelpDAO funds to a recovery initiative backed by Aave Labs, KelpDAO, LayerZero, EtherFi, and Compound. A court later approved the Arbitrum vote to move the Kelp funds back to Aave.

