Humanity And KelpDAO Exploit Funds Commingle As ZachXBT Flags Possible Attacker Overlap


Funds from the Humanity Protocol and KelpDAO exploits have commingled onchain, creating new evidence that may point to overlap between the attackers behind the two incidents.

Onchain investigator ZachXBT flagged the fund commingling and linked it to a Bitcoin transaction that joined value connected to both exploit paths. The movement does not by itself prove that the same attacker carried out both breaches, but it creates a stronger shared-infrastructure signal than the earlier Humanity Protocol evidence alone.

The new link matters because the Humanity Protocol breach had already triggered market suspicion around timing, insider supply control and centralized-exchange market-making activity. ZachXBT said the latest evidence changes that interpretation, writing that he believes the commingled funds rule out insiders as the party behind the exploit.

That remains an investigator assessment, not a court finding or official attribution. The safer reading is narrower: the fund movement makes an external attacker overlap more plausible and weakens the theory that the Humanity exploit was an internal event.
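How a transaction that joins two exploit trails can be located in transaction data, as an added example that is not from the article or from ZachXBT's analysis: labels are propagated forward from each exploit's starting transaction, and the transaction where differently labelled inputs first meet is reported. All transaction ids, the graph and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample graph: txid -> list of txids whose outputs it spends.
# None of these are real transactions.
TXS = {
    "h1": ["humanity_drain"],
    "h2": ["h1"],
    "k1": ["kelp_drain"],
    "k2": ["k1"],
    "join": ["h2", "k2"],    # spends outputs from both trails
    "after": ["join"],       # downstream of the join
    "clean": ["unrelated"],  # no link to either trail
}
SEEDS = {"humanity_drain": "Humanity", "kelp_drain": "KelpDAO"}


def trace_labels(txs, seeds):
    """Forward-propagate labels: a tx inherits the labels of every tx it spends.

    This is "poison" tainting, an over-approximation: every output of a
    labelled tx counts as labelled, so a hit is a lead, not an attribution.
    """
    labels = defaultdict(set)
    for txid, label in seeds.items():
        labels[txid].add(label)
    changed = True
    while changed:  # iterate to a fixed point so dict order does not matter
        changed = False
        for txid, inputs in txs.items():
            inherited = set().union(*(labels[prev] for prev in inputs))
            if not inherited <= labels[txid]:
                labels[txid] |= inherited
                changed = True
    return labels


def find_joins(txs, seeds):
    """Return txids where inputs carrying different labels first meet."""
    labels = trace_labels(txs, seeds)
    joins = []
    for txid, inputs in txs.items():
        per_input = [labels[prev] for prev in inputs]
        merged = set().union(*per_input)
        # More than one label overall, and no single input already had them all.
        if len(merged) > 1 and all(s != merged for s in per_input):
            joins.append(txid)
    return sorted(joins)
```

On the constructed graph only `join` is reported; `after` carries both labels but is downstream of the merge, and `clean` carries none.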

KelpDAO Theft Was Already Tied To DPRK Infrastructure

The KelpDAO exploit remains one of the largest DeFi attacks of 2026. On April 18, attackers stole about $292 million in rsETH from KelpDAO’s LayerZero-powered bridge after compromising offchain infrastructure used in the verification path.

Chainalysis tied the KelpDAO bridge exploit to North Korea’s Lazarus Group and the TraderTraitor cluster. The attack was not a standard smart-contract bug. The attackers compromised internal RPC nodes, disrupted external nodes and caused the verifier to accept a forged cross-chain message that released rsETH without a matching burn.

That breach later entered the laundering phase, with the KelpDAO recovery window narrowing as attacker-linked funds moved through privacy channels. The latest commingling signal now brings that trail back into focus because funds tied to a separate June exploit appear to have crossed the same operational path.

The KelpDAO case had already pushed other protocols to recheck bridge security. Virtuals moved $700 million in VIRTUAL to Chainlink CCIP after the KelpDAO rsETH incident, while other projects reassessed narrow validator, DVN and messaging assumptions across high-value cross-chain systems.

Humanity Insider Theory Loses Ground

Humanity Protocol was hit on June 9 after a compromised developer device exposed enough administrative control to drain team-linked addresses and seize bridge permissions. The breach caused the H token crash and pushed traders to question whether the incident was only a security failure or also connected to token-market pressure.

CoinDesk’s Humanity breach report placed the loss near $36 million and said the attacker used enough keys from one compromised laptop to take control of bridge administration on Ethereum and BNB Chain. The incident involved stolen H tokens, unauthorized minting risk and halted bridge activity.

That timing had fueled questions because H was already under scrutiny for insider supply concentration, market-maker activity on centralized exchanges and upcoming investor unlocks. The new commingling evidence does not remove every question around H’s token structure, but it makes the exploit itself look more consistent with an external attacker path than an insider drain.

The broader attribution remains cautious. The KelpDAO attack has been tied to Lazarus and TraderTraitor by blockchain investigators, while the Humanity Protocol exploit now has an onchain overlap signal with KelpDAO-linked funds. The shared transaction trail raises the possibility of attacker overlap, but official confirmation would still require a fuller forensic statement from investigators, exchanges or law enforcement.