North Korea's Lazarus Group Linked to $313M in Connected Crypto Exploits
On-chain evidence now shows that the $292 million KelpDAO bridge exploit in April and the $31 million Humanity Protocol attack in June were orchestrated by the same threat actor, with investigators tracing commingled funds through a unified Bitcoin laundering pipeline. Blockchain analysts have connected the two incidents through shared wallet addresses and operational patterns consistent with North Korea's notorious Lazarus Group, marking one of the largest coordinated crypto theft campaigns on record.
How Did Investigators Link These Two Major Hacks?
The connection emerged through meticulous on-chain analysis. According to blockchain analyst Specter, the Humanity Protocol attacker moved 15,403 ETH (approximately $23.6 million) to a newly created Ethereum address, then bridged those funds to the Bitcoin network, where they mixed with proceeds already traced to the KelpDAO exploit. This consolidation of funds from separate operations into unified Bitcoin wallets is a well-documented technique used by the Lazarus Group before routing money through mixers and over-the-counter desks.
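To show the convergence analysis described above in working form, here is an added Python example (not the analysts' tooling or any code from the article) that walks a constructed transfer graph and reports the addresses where proceeds from two separate exploits merge; every address and amount in it is a placeholder.

```python
"""Find where proceeds from separate exploits converge on-chain.

Added example (not the article's or any investigator's tooling). Addresses,
assets and amounts below are constructed placeholders, not real data.
"""
from collections import defaultdict, deque

# Constructed transfers: (sender, receiver, asset, amount).
TRANSFERS = [
    ("EXPLOIT_A", "eth_hop_a1", "ETH", 1000.0),
    ("eth_hop_a1", "bridge_in_a", "ETH", 1000.0),
    ("bridge_in_a", "btc_consolidation", "BTC", 25.0),
    ("EXPLOIT_B", "eth_hop_b1", "ETH", 15403.0),
    ("eth_hop_b1", "bridge_in_b", "ETH", 15403.0),
    ("bridge_in_b", "btc_consolidation", "BTC", 380.0),
    ("btc_consolidation", "otc_desk", "BTC", 400.0),
    ("EXPLOIT_B", "unrelated_dust", "ETH", 0.01),
]

def build_graph(transfers):
    """Adjacency list of who sent funds to whom."""
    graph = defaultdict(list)
    for sender, receiver, _asset, _amount in transfers:
        graph[sender].append(receiver)
    return graph

def taint_reach(graph, source):
    """Map every address downstream of `source` to its hop distance (BFS)."""
    hops = {source: 0}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in hops:
                hops[nxt] = hops[node] + 1
                queue.append(nxt)
    return hops

def commingling_points(transfers, sources):
    """Addresses reachable from every source, i.e. where the proceeds merge,
    ordered by combined hop distance so the first consolidation wallet leads."""
    graph = build_graph(transfers)
    reaches = [taint_reach(graph, s) for s in sources]
    shared = set.intersection(*(set(r) for r in reaches)) - set(sources)
    return sorted(shared, key=lambda addr: sum(r[addr] for r in reaches))

if __name__ == "__main__":
    print(commingling_points(TRANSFERS, ["EXPLOIT_A", "EXPLOIT_B"]))
```

The first address returned is the earliest shared wallet, which is the point an investigator would pivot on to attribute both incidents to one operator.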
The two attacks followed different technical paths but shared unmistakable operational signatures. The KelpDAO breach, which occurred on April 18, exploited LayerZero Labs' cross-chain bridge infrastructure by compromising internal remote procedure call (RPC) nodes and launching a distributed denial-of-service (DDoS) attack against external nodes simultaneously. This allowed attackers to trick the Ethereum bridge contract into releasing 116,500 rsETH tokens without a corresponding burn on the source chain.
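As an added defensive illustration (not LayerZero's or KelpDAO's code), the following Python verifier only honours a source-chain burn when a quorum of independent RPC providers returns the identical record, and treats unreachable providers as missing votes instead of deferring to whichever nodes still answer; the provider names and the scenario are constructed.

```python
"""Quorum check before a bridge releases tokens.

Added example, not LayerZero's or KelpDAO's code. Provider names, burn ids
and the scenario are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional

@dataclass(frozen=True)
class BurnRecord:
    burn_id: str
    amount: int
    recipient: str

class Unreachable(Exception):
    """Raised by a provider that timed out, e.g. while under DDoS."""

def verify_burn(providers: Dict[str, Callable[[str], Optional[BurnRecord]]],
                burn_id: str, quorum: int) -> Optional[BurnRecord]:
    """Return the record if at least `quorum` providers return the identical
    BurnRecord; otherwise None, meaning the release must not proceed."""
    if not 1 <= quorum <= len(providers):
        raise ValueError("quorum must be within 1..len(providers)")
    votes: Dict[BurnRecord, int] = {}
    for query in providers.values():
        try:
            record = query(burn_id)
        except Unreachable:
            continue  # a silent provider is a missing vote, never a fallback
        if record is not None:  # None means "no such burn" on that provider
            votes[record] = votes.get(record, 0) + 1
    for record, count in votes.items():
        if count >= quorum:
            return record
    return None

# Constructed scenario: two compromised internal nodes assert a burn that never
# happened while all three external providers are unreachable.
FORGED = BurnRecord("burn-0001", 116_500, "attacker_placeholder")
def _forged(_burn_id): return FORGED
def _down(_burn_id): raise Unreachable()
SCENARIO = {"internal-1": _forged, "internal-2": _forged,
            "external-1": _down, "external-2": _down, "external-3": _down}

if __name__ == "__main__":
    print(verify_burn(SCENARIO, "burn-0001", quorum=3))  # None: release denied
```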
The Humanity Protocol attack, by contrast, did not rely on technical exploitation of smart contracts. Instead, attackers used social engineering to phish a company director, Chong Yee Wai, with a malicious email impersonating the Korean exchange Bithumb. The malware granted remote desktop access, allowing attackers to steal MetaMask wallet keys and mint unauthorized $H tokens on both Ethereum and BNB Smart Chain, causing the token to crash by roughly 89%.
What Do the Technical Details Reveal About the Attackers?
Despite their different attack vectors, both incidents bore hallmarks of DPRK (Democratic People's Republic of Korea) cyber operations. Chainalysis attributed the KelpDAO exploit to the Lazarus Group based on the sophistication of the infrastructure compromise and the speed of execution. The Humanity Protocol breach was independently analyzed by Quantstamp, which concluded the attack was "characteristic of DPRK intrusions" based on the phishing methodology and the attacker's operational security practices.
The scale of losses from these coordinated operations is staggering. KelpDAO losses totaled approximately $292 million in rsETH tokens, though the Arbitrum Security Council froze over 30,000 ETH of the attacker's downstream funds, and KelpDAO's emergency pause prevented another $95 million from being drained. The Humanity Protocol attack resulted in confirmed ETH proceeds worth over $21 million, with total losses estimated at up to $31 million after the token crash.
How Are Recovery Efforts Complicated by Legal Claims?
The recovery process has become entangled in U.S. litigation. Plaintiffs holding over $877 million in unpaid court judgments against North Korea served the Arbitrum DAO with a restraining notice on April 30, seeking to seize approximately 30,766 ETH (about $71 million) of the frozen KelpDAO funds as compensation for terrorism-related damages. This legal claim directly conflicts with Arbitrum's governance proposal to transfer the frozen funds to a recovery initiative backed by Aave Labs, KelpDAO, LayerZero, EtherFi, and Compound, which would compensate affected users.
A federal court later approved the Arbitrum vote to move the Kelp funds back to Aave, but the outcome of the plaintiff litigation remains uncertain. Given the newfound confirmation of North Korea's involvement in both exploits, legal experts anticipate that the Humanity Protocol recovery could also become subject to similar litigation, further complicating compensation efforts.
Steps to Understand the Broader Security Implications
- Bridge Infrastructure Risks: Cross-chain bridges remain a critical vulnerability point in DeFi, with attackers targeting both the smart contract code and the operational infrastructure that supports token transfers between blockchains.
- Social Engineering as a Primary Attack Vector: Even heavily audited protocols can be compromised through targeted phishing campaigns that steal private keys or admin credentials from team members, bypassing technical security measures entirely.
- Laundering Through Bitcoin Mixers: Attackers consolidate stolen funds from multiple exploits into shared wallets before routing them through privacy-focused services, making recovery and asset tracing increasingly difficult for law enforcement and security teams.
The connection between these two exploits underscores a troubling trend in crypto security. As of June 2026, the DeFi sector has experienced 121 hacker attacks since the beginning of the year, resulting in cumulative losses of approximately $942 million, with 85 incidents occurring in the second quarter alone and causing $775 million in losses. This represents the most-hacked quarter on record by incident count, according to DefiLlama data cited in recent security reports.
The rise in coordinated attacks by state-sponsored actors like the Lazarus Group reflects a shift in the threat landscape. Rather than targeting smaller, less-protected protocols, attackers are now focusing on major DeFi platforms with significant total value locked (TVL), suggesting that the sophistication and resources available to these threat actors continue to grow.