Guavy AI Editorial Team

Lazarus Group Suspected in Linked Attacks on KelpDAO and Humanity Protocol

On-chain investigators have linked the recent exploits of KelpDAO and Humanity Protocol to the same attackers. The $292 million KelpDAO bridge exploit in April and the Humanity Protocol private key theft in June were suspected to be connected because of their similarities with DPRK-linked operations, specifically those of the Lazarus Group.

According to blockchain analyst Specter, the proceeds of these attacks are now flowing into shared wallets, indicating a single laundering pipeline. The attackers moved 15,403 $ETH (around $23.6 million) from Humanity Protocol to a relatively new Ethereum address and then moved it across to the Bitcoin network, where it was mixed with proceeds from the KelpDAO exploit.

This technique is consistent with the well-documented tactics of the Lazarus Group, which consolidates proceeds from separate operations into unified Bitcoin wallets before routing them through mixers and over-the-counter desks. The link between the two exploits was further confirmed by Chainalysis's investigation into the KelpDAO attack, in which the attackers compromised internal RPC nodes operated by LayerZero Labs and launched a DDoS attack against external nodes.

An emergency pause prevented the attackers from draining funds from KelpDAO, but over $30 million in downstream funds were frozen. The Humanity Protocol breach did not follow the same pattern, but post-mortem reports now confirm that North Korea-linked bad actors were involved. A Quantstamp incident report found that the attacker phished a company director with a malicious email impersonating Bithumb, gaining remote desktop access to the director's Windows machine and stealing MetaMask wallet keys.