Flash News

On-chain detective ZachXBT claims that mixed traces of stolen funds from Humanity Protocol and Kelp DAO have appeared on-chain

On-chain detective ZachXBT claims that mixed traces of stolen funds from Humanity Protocol and Kelp DAO have appeared on-chain, suggesting that the attackers may have a connection.

Previously, Kelp DAO lost approximately $292 million due to a breach of the LayerZero bridge, with investigations pointing to the Lazarus Group. Humanity Protocol was hacked on June 9, losing about $32 million, with the loss initially attributed to the compromise of developer devices.

Fund mixing refers to the process where stolen funds are laundered through the same series of mixing or withdrawal paths, indicating that at least some of the withdrawal parties or relay nodes are controlled by the same entity or network, supporting the possibility that the attackers are not purely “insiders” acting alone.

If true, this raises the threshold for on-chain evidence collection: tracing has to expand from a single compromised account to multi-node mixing, cross-chain bridges, and mixing services, which makes investigative resources and judicial cooperation more reliant on off-chain information provided by exchanges and custodians.
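The overlap described above can be checked mechanically on a transfer graph. The following is an added example, not code from ZachXBT or ABAB News: it finds addresses downstream of two theft wallets and the point where the two flows first converge. All address labels, the transfer list and the `PUBLIC_SERVICES` set are constructed placeholders.

```python
from collections import defaultdict, deque

# Constructed sample transfers (sender, receiver); labels are placeholders,
# not real addresses from either incident.
TRANSFERS = [
    ("theft_A", "a1"), ("theft_A", "a2"), ("a1", "relay_X"), ("a2", "dex_1"),
    ("theft_B", "b1"), ("b1", "b2"), ("b2", "relay_X"), ("b1", "dex_1"),
    ("relay_X", "mixer_M"), ("mixer_M", "cashout_1"),
    ("unrelated_user", "dex_1"),
]
PUBLIC_SERVICES = {"dex_1"}  # assumed label set: used by many unrelated parties

def downstream(edges, source, max_hops=6):
    """Breadth-first trace: {address: hop distance} for all reachable addresses."""
    graph = defaultdict(set)
    for sender, receiver in edges:
        graph[sender].add(receiver)
    dist = {source: 0}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        if dist[node] == max_hops:  # hop limit keeps the trace bounded
            continue
        for nxt in graph[node]:
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    dist.pop(source)
    return dist

def shared_path(edges, source_a, source_b, ignore=frozenset(), max_hops=6):
    """Addresses downstream of both sources, nearest first, minus ignored labels."""
    da = downstream(edges, source_a, max_hops)
    db = downstream(edges, source_b, max_hops)
    common = (set(da) & set(db)) - set(ignore)
    return sorted(common, key=lambda n: (da[n] + db[n], n))

def first_convergence(edges, source_a, source_b, ignore=frozenset(), max_hops=6):
    """Shared addresses not fed by another shared address: where the flows meet."""
    common = set(shared_path(edges, source_a, source_b, ignore, max_hops))
    fed_by_common = {dst for src, dst in edges if src in common}
    return sorted(common - fed_by_common)

if __name__ == "__main__":
    print(shared_path(TRANSFERS, "theft_A", "theft_B", PUBLIC_SERVICES))
    print(first_convergence(TRANSFERS, "theft_A", "theft_B", PUBLIC_SERVICES))
```

Without the `ignore` set, the shared DEX shows up as an overlap even though unrelated users also reach it, which is why a common address only suggests common control when it is not a public service.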

ABAB AI Insight

Historical Behavior: The Lazarus Group has previously handled large amounts of stolen funds through layered mixing, overseas accounts, and third-party exchange channels (as seen in multiple North Korea-related cyber attack cases), and the Kelp DAO incident has been noted for its consistency with past attack patterns.

Capital Pathway: The typical pathway for attackers is as follows: after the initial intrusion yields funds, they disperse them in batches through multiple wallets, then merge them into mixing services or decentralized exchanges, and finally cash out through controlled exchange channels or intermediary companies. The mixing of funds from Humanity and Kelp indicates that the attackers used the same channels or controlled mixing services during the "cleaning" (laundering) phase.

Comparison and Industry Position: This type of cross-case mixing is similar to past large bridge attacks (for example, stolen funds from certain well-known bridges being laundered through the same mixers). It marks a "cross-project reuse of the attack chain" stage, with attacking organizations tending towards modular, channel-based operations.

Structural Judgment (Industry Chain Restructuring): Essentially, this is a restructuring of the industry chain: attackers standardize the "theft, distribution, cleaning, cash-out" process, which shifts defense from single-point security to "channel and ecosystem protection," because the relay and exchange channels used for fund transfers determine the final traceability and judicial operability.

ABAB News · Cognitive Law

Intrusion is the starting point; channels determine the destination.

The same path hides the same net.

Breaking a single point is not as effective as sealing the channel.

Source

·ABAB News