Home
chevron
News
chevron
Blockchain
chevron
Humanity Protocol and Kelp DAO: Stolen Funds Overlap — Is One Attacker Behind Both Exploits?
Copié

Humanity Protocol and Kelp DAO: Stolen Funds Overlap — Is One Attacker Behind Both Exploits?

On-chain data links the Humanity Protocol and Kelp DAO exploits. Are the same wallets behind both hacks? What this means for DeFi security.

Written by Charles Ledoux

Adapted by June 28, 2026 at 15:03 by Charles Ledoux

Coin Bitocin sur fond rose avec bougies jaunes sur fond chute de pierres
Copié

Two DeFi protocols hit within days of each other. Stolen funds ending up in the same wallets. And one question that demands an answer: is this the work of a single attacker operating in series?

On-chain investigations are pointing to a troubling connection between the Humanity Protocol exploit and the Kelp DAO exploit. The details emerging from the data challenge the assumption that these were two isolated incidents.

Here is what the blockchain data reveals — and why this case could mark a turning point in how DeFi approaches multi-protocol security.

Two Exploits, Overlapping Wallets: What the Blockchain Shows

On-chain analysis is often the only reliable thread to follow in crypto hack investigations. In this case, security researchers have identified shared fund flows between addresses linked to both exploits. Tokens from the Kelp DAO hack and those from the Humanity Protocol breach passed through identical intermediary wallets — a strong signal of coordination, or even a single common origin.

This type of commingling is a classic technique used by hackers to obscure their trail before laundering funds through mixers like Tornado Cash or cross-chain bridges. The fact that both fund flows converge toward the same addresses before dispersal points to a shared exfiltration infrastructure — which strongly suggests a single actor or an organized group.

Kelp DAO, a liquid restaking protocol on Ethereum, and Humanity Protocol, a project focused on decentralized identity verification, operate in very different verticals. Their only apparent common ground: both were targeted within a tight timeframe, using exploitation methods that share notable technical similarities.

Attacker Profile: Sophistication and Strategic Targeting

What stands out in this case is the apparent level of sophistication behind the attacks. Compromising two distinct protocols — each with different smart contract architectures — within a short window is not the result of opportunistic luck. It requires an in-depth reconnaissance phase, a precise understanding of the specific vulnerability vectors in each protocol, and the operational capacity to manage multiple attacks simultaneously.

The most advanced threat actors — often linked to state-sponsored groups such as the North Korean Lazarus Group — operate with exactly this kind of multi-target strategy. Without formal attribution at this stage, the modus operandi is reminiscent of documented campaigns in which multiple DeFi protocols are hit in sequence to maximize the haul before security teams can react and freeze assets.

Both protocols have communicated about their respective incidents, but no public coordination between their security teams has been announced. This is precisely the gap that attackers exploit: while each team manages its own crisis in isolation, the funds keep moving.

What This Means for DeFi Security

If the link between the two exploits is confirmed, the implications extend far beyond the two protocols involved. Decentralized finance suffers from a structural problem: each protocol treats its security in isolation, while attackers operate across the entire ecosystem. A real-time shared alert system between protocols — similar to the ISACs (Information Sharing and Analysis Centers) used in traditional finance — would allow this type of multi-target pattern to be detected far more quickly.

Platforms like Chainalysis, Arkham Intelligence, and TRM Labs are playing an increasingly important role in post-exploit tracing. But the real challenge remains prevention: regular audits, active bug bounty programs, and above all a culture of threat intelligence sharing between security teams. As long as DeFi remains fragmented on this front, multi-protocol attackers will continue to operate one step ahead.

The Humanity Protocol and Kelp DAO case illustrates an uncomfortable reality: in an ecosystem as interconnected as DeFi, the security of one protocol depends on the security of its neighbors. It is a lesson the industry can no longer afford to ignore.

Charles Ledoux

Charles Ledoux

Charles Ledoux is a Bitcoin and blockchain technology specialist. A graduate of the Crypto Academy, he has been a Bitcoin miner for over a year. He has written numerous masterclasses to educate newcomers to the industry and has authored over 2,000 articles on cryptocurrency. Now, he aims to share his passion for crypto through his articles for InvestX.

DISCLAIMER
This article is for informational purposes only and should not be considered as investment advice. Some of the partners featured on this site may not be regulated in your country. It is your responsibility to verify the compliance of these services with local regulations before using them.

DISCLAIMER

This article is for informational purposes only and should not be considered as investment advice. Trading cryptocurrencies involves risks, and it is important not to invest more than you can afford to lose.

InvestX is not responsible for the quality of the products or services presented on this page and cannot be held liable, directly or indirectly, for any damage or loss caused by the use of any product or service featured in this article. Investments in crypto assets are inherently risky; readers should conduct their own research before taking any action and invest only within their financial means. This article does not constitute investment advice.

Risk Warning : Trading financial instruments and/or cryptocurrencies carries a high level of risk, including the possibility of losing all or part of your investment. It may not be suitable for all investors. Cryptocurrency prices are highly volatile and can be influenced by external factors such as financial, regulatory, or political events. Margin trading increases financial risks.

CFDs (Contracts for Difference) are complex instruments with a high risk of rapid capital loss due to leverage. Between 74% and 89% of retail investor accounts lose money when trading CFDs. You should assess whether you understand how CFDs work and whether you can afford to take the high risk of losing your money.

Before engaging in financial or cryptocurrency trading, you must be fully informed about the associated risks and fees, carefully evaluate your investment objectives, level of experience, and risk tolerance, and seek professional advice if needed. InvestX.fr and the InvestX application may provide general market commentary, which does not constitute investment advice and should not be interpreted as such. Please consult an independent financial advisor for any investment-related questions. InvestX.fr disclaims any liability for errors, misinvestments, inaccuracies, or omissions and does not guarantee the accuracy or completeness of the information, texts, graphics, links, or other materials provided.

Some of the partners featured on this site may not be regulated in your country. It is your responsibility to verify the compliance of these services with local regulations before using them.

Get 6200 USDT with Bitget ! 🔥

Don't miss out on this offer !
Create your account now to unlock this exclusive reward
Open a Bitget account
close-link
Click Me