{"id":30507,"date":"2026-06-28T15:03:10","date_gmt":"2026-06-28T14:03:10","guid":{"rendered":"https:\/\/investx.fr\/en\/2026\/06\/28\/humanity-protocol-kelp-dao-stolen-funds-same-attacker-exploits\/"},"modified":"2026-06-28T15:03:14","modified_gmt":"2026-06-28T14:03:14","slug":"humanity-protocol-kelp-dao-stolen-funds-same-attacker-exploits","status":"publish","type":"post","link":"https:\/\/investx.fr\/en\/crypto-news\/humanity-protocol-kelp-dao-stolen-funds-same-attacker-exploits\/","title":{"rendered":"Humanity Protocol and Kelp DAO: Stolen Funds Overlap \u2014 Is One Attacker Behind Both Exploits?"},"content":{"rendered":"\n
Two DeFi protocols hit within days of each other. Stolen funds ending up in the same wallets. And one question that demands an answer: is this the work of a single attacker operating in series?<\/p>\n\n\n\n
On-chain investigations are pointing to a troubling connection between the Humanity Protocol<\/strong> exploit and the Kelp DAO<\/strong> exploit. The details emerging from the data challenge the assumption that these were two isolated incidents.<\/p>\n\n\n\n Here is what the blockchain data reveals \u2014 and why this case could mark a turning point in how DeFi<\/strong> approaches multi-protocol security.<\/p>\n\n\n\n On-chain analysis is often the only reliable thread to follow in crypto hack investigations. In this case, security researchers have identified shared fund flows<\/strong> between addresses linked to both exploits. Tokens from the Kelp DAO<\/strong> hack and those from the Humanity Protocol<\/strong> breach passed through identical intermediary wallets \u2014 a strong signal of coordination, or even a single common origin<\/strong>.<\/p>\n\n\n\n This type of commingling<\/strong> is a classic technique used by hackers to obscure their trail before laundering funds through mixers like Tornado Cash<\/strong> or cross-chain bridges<\/strong>. The fact that both fund flows converge toward the same addresses before dispersal points to a shared exfiltration infrastructure<\/strong> \u2014 which strongly suggests a single actor or an organized group.<\/p>\n\n\n\n Kelp DAO<\/strong>, a liquid restaking<\/strong> protocol on Ethereum<\/a><\/strong>, and Humanity Protocol<\/strong>, a project focused on decentralized identity verification, operate in very different verticals. Their only apparent common ground: both were targeted within a tight timeframe, using exploitation methods that share notable technical similarities.<\/p>\n\n\n\n What stands out in this case is the apparent level of sophistication<\/strong> behind the attacks. Compromising two distinct protocols \u2014 each with different smart contract architectures \u2014 within a short window is not the result of opportunistic luck. It requires an in-depth reconnaissance phase<\/strong>, a precise understanding of the specific vulnerability vectors in each protocol, and the operational capacity to manage multiple attacks simultaneously.<\/p>\n\n\n\n The most advanced threat actors \u2014 often linked to state-sponsored groups such as the North Korean Lazarus Group<\/strong> \u2014 operate with exactly this kind of multi-target strategy. Without formal attribution at this stage, the modus operandi is reminiscent of documented campaigns in which multiple DeFi<\/a><\/strong> protocols are hit in sequence to maximize the haul before security teams can react and freeze assets.<\/p>\n\n\n\n Both protocols have communicated about their respective incidents, but no public coordination between their security teams has been announced. This is precisely the gap that attackers exploit: while each team manages its own crisis in isolation, the funds keep moving.<\/p>\n\n\n\n If the link between the two exploits is confirmed, the implications extend far beyond the two protocols involved. Decentralized finance<\/strong> suffers from a structural problem: each protocol treats its security in isolation, while attackers operate across the entire ecosystem. A real-time shared alert system<\/strong> between protocols \u2014 similar to the ISACs<\/strong> (Information Sharing and Analysis Centers) used in traditional finance \u2014 would allow this type of multi-target pattern to be detected far more quickly.<\/p>\n\n\n\n Platforms like Chainalysis<\/strong>, Arkham Intelligence<\/strong>, and TRM Labs<\/strong> are playing an increasingly important role in post-exploit tracing. But the real challenge remains prevention: regular audits, active bug bounty programs, and above all a culture of threat intelligence sharing between security teams. As long as DeFi<\/a><\/strong> remains fragmented on this front, multi-protocol attackers will continue to operate one step ahead.<\/p>\n\n\n\nTwo Exploits, Overlapping Wallets: What the Blockchain Shows<\/h2>\n\n\n\n
Attacker Profile: Sophistication and Strategic Targeting<\/h2>\n\n\n\n
What This Means for DeFi Security<\/h2>\n\n\n\n