30.06.2026

How the Humanity Protocol, Kelp DAO, and Bybit Hacks Are Connected

The Humanity Protocol, Kelp DAO, and Bybit hacks may be part of the same money-laundering chain, according to BitOK investigators.
Funds stolen in these attacks moved through the same network of Bitcoin wallets and laundering services, with some flows pointing toward Kraken Market, a Russian-language darknet marketplace.

Here is how the attackers operated — and what this case can teach the industry.

Key Takeaways

BitOK's hypothesis is based on three major incidents: the Bybit exchange hack (~$1.5 billion, February 2025), the Kelp DAO exploit (~$292 million, April 2026), and the Humanity Protocol wallet compromise (June 2026).

In this context, an exploit refers to the use of a software vulnerability or stolen credentials to drain funds from a crypto project.

BitOK investigators believe that all three incidents are linked either to the North Korean Lazarus Group or to a laundering infrastructure associated with it.

A key finding is the connection between the Bitcoin laundering infrastructure and Kraken Market, a Russian-language darknet marketplace. A portion of the funds flowing through the cluster consistently ends up in its ecosystem.

Once stolen assets enter this environment, they become commingled with proceeds from drug trafficking, darknet marketplace transactions, and other illicit activity. As a result, tracing subsequent fund movements becomes significantly more difficult. It is no longer possible to reliably distinguish wallets controlled by the hackers from those belonging to marketplace vendors, service operators, or the platform's own internal settlement infrastructure.

This suggests that Kraken Market may be more than just the destination of isolated transfers. Instead, it could represent part of a broader laundering infrastructure designed to obscure the trail of funds stolen in major cryptocurrency hacks.

Table of Contents:

  1. The Three Hacks Behind the Investigation
  2. What BitOK Investigators Traced
  3. How the Funds Enter the Bitcoin Laundering Network
  4. The Link to Kraken Market
  5. Hard Lessons

The Three Hacks Behind the Investigation

Bybit

The February 2025 hack of the Bybit cryptocurrency exchange remains the largest crypto theft on record, with approximately $1.5 billion stolen. The attack was carried out by compromising the Safe{Wallet} multisig platform.

Safe{Wallet} (formerly Gnosis Safe) is a widely used multisignature wallet solution that enables crypto companies and exchanges to manage assets collectively. Under a multisignature (multisig) scheme, multiple authorized parties must approve a transaction before funds can be moved, preventing a single compromised employee from transferring assets unilaterally.

Kelp DAO

On April 18, 2026, attackers drained approximately $292 million from the Kelp DAO bridge. A bridge is a protocol that enables tokens to move between different blockchains. Because bridges typically custody large amounts of digital assets, they are frequent targets for attackers.

The Kelp DAO bridge was built on the LayerZero protocol. The breach has been attributed to a compromise of the project's infrastructure. Several reports linked the attack to hackers associated with North Korea.

Humanity Protocol

On June 9, 2026, wallets associated with Humanity Protocol and its affiliated organization, the Humanity Foundation, were compromised in a large-scale attack. More than 187.6 million H tokens were stolen from over 280 wallets.

Project founder Terence Kwok said the incident resulted from the compromise of private keys belonging to a Humanity Foundation participant. According to him, the multisig keys had been mistakenly stored on a device that was subsequently compromised.

Following the theft, the attackers quickly liquidated the H tokens through decentralized exchanges (DEXs), which allow users to trade directly from their wallets via smart contracts without intermediaries or identity verification.

The stolen assets were converted along the following routes:
  • H to ETH
  • H to USDC to ETH
  • H to BNB to ETH
Ultimately, both the ETH and BNB proceeds were consolidated into ETH.

What BitOK Investigators Traced

BitOK's transaction graphs reconstruct the flow of funds following the Humanity Protocol compromise. According to the investigation, the primary attacker-controlled address on Ethereum was:

0x9e995952eF7665B243eeEF0693acD7FEd7150504

The operation was initially funded through addresses that had received assets from major cryptocurrency exchanges, including MEXC, Bybit, and Binance.

After a series of swaps, the funds were consolidated into three Ethereum addresses:
  • 0xf3590fc0d591a3868e19b9a200a85165592f9734 — approximately 7,000 ETH (about $11.67 million)
  • 0x36560d6ac2004e1bb483e77b791e905dd4f5e672 — approximately 7,000 ETH (about $11.67 million)
  • 0x59eff548cd9bcfbc169b6340f734e442c764a814 — approximately 4,440 ETH (about $7.4 million)
Together, these three wallets held approximately 18,440 ETH, worth roughly $30.74 million. At the time of writing, the funds remained dormant.

One important distinction should be made. The fact that the operation was funded from addresses associated with major exchanges indicates only the source of funding—it does not imply that those exchanges were themselves compromised. Any user, including an attacker, can withdraw assets from an exchange to a personal wallet. BitOK’s hypothesis linking the activity to the Bybit hack is based on a later stage of the laundering process, where the funds converge after being converted into Bitcoin.

The assets were first split across three intermediary wallets, then recombined and bridged through Symbiosis Finance. They were subsequently swapped into USDC via 1inch and KyberSwap before being transferred through the Across Protocol bridge. By the time of analysis, part of the funds had already exited the traced infrastructure, while the remainder was still sitting idle in the identified wallets.

How the Funds Enter the Bitcoin Laundering Network

After being converted into Bitcoin, funds linked to the Humanity Protocol and Kelp DAO exploits moved through the same network of Bitcoin wallets and laundering services.
According to BitOK's transaction graph, the entry point into the Bitcoin ecosystem was Hyperunit, a cross-chain protocol used to bridge assets from other blockchains into BTC.
From there, the funds were dispersed across a large number of intermediary Bitcoin addresses, with each transfer split into dozens of smaller transactions. This fragmentation is a common laundering technique designed to make tracing significantly more difficult.

Some of these transaction paths converge at a node identified as Kraken Market, while others are routed through Wasabi Wallet 2.0. Wasabi is a Bitcoin privacy wallet that uses CoinJoin transactions to combine payments from multiple users into a single transaction, making it much harder to link senders and recipients.

The graph also includes a wallet associated with the February 21, 2025, Bybit hack. According to BitOK's analysis, funds from that address ultimately flow into the same Kraken Market and Wasabi infrastructure. This convergence provides a visible intersection between proceeds from multiple high-profile crypto hacks and forms the basis for BitOK's hypothesis that the cases are operationally connected.
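The convergence check described above, as an added example (not BitOK's tooling or data): a breadth-first walk over a constructed toy graph that reports which nodes are reached from more than one incident and stops expanding at commingling services. All node names, edges, labels and the hop limit are assumptions made for illustration.

```python
from collections import deque

# Constructed toy graph, not real chain data: sender -> receivers.
EDGES = {
    "incident_A_src": ["bridge_in"],
    "incident_B_src": ["bridge_in"],
    "incident_C_src": ["c_hop1"],
    "bridge_in": ["a1", "a2", "a3"],      # one inflow fragmented into several
    "a1": ["market"], "a2": ["coinjoin"], "a3": ["a4"], "a4": ["market"],
    "c_hop1": ["c_hop2"], "c_hop2": ["market", "coinjoin"],
    "market": ["vendor_1"], "coinjoin": ["post_mix_1"],
}
# Analyst-assigned labels (hypothetical); unlabelled nodes are plain addresses.
LABELS = {"bridge_in": "bridge", "market": "darknet_market", "coinjoin": "coinjoin"}
# Services that commingle funds: outputs can no longer be tied to one input.
OPAQUE = {"darknet_market", "coinjoin"}

def reachable(source, max_hops):
    """BFS from source; returns {node: hops}. Never expands past an opaque service."""
    seen = {source: 0}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        if seen[node] == max_hops or LABELS.get(node) in OPAQUE:
            continue  # hop budget spent, or funds are commingled from here on
        for nxt in EDGES.get(node, []):
            if nxt not in seen:
                seen[nxt] = seen[node] + 1
                queue.append(nxt)
    return seen

def convergence(sources, max_hops=6):
    """Return {node: sorted incident sources} for nodes reached by two or more."""
    hits = {}
    for src in sources:
        for node in reachable(src, max_hops):
            if node != src:
                hits.setdefault(node, set()).add(src)
    return {n: sorted(s) for n, s in hits.items() if len(s) >= 2}

if __name__ == "__main__":
    incidents = ["incident_A_src", "incident_B_src", "incident_C_src"]
    for node, srcs in convergence(incidents).items():
        # A shared node shows shared infrastructure, not a shared operator.
        print(f"{node:10} {LABELS.get(node, 'address'):15} reached from {srcs}")
```

Addresses downstream of the marketplace and CoinJoin nodes (`vendor_1`, `post_mix_1`) never appear in the result, which mirrors the point that tracing past a commingling service is no longer reliable.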

Investigator's Note. A natural question is why the attackers chose Bitcoin instead of a privacy-focused cryptocurrency such as Monero. The answer is liquidity. Bitcoin remains the primary reserve asset within the underground economy and can absorb very large transactions with relatively limited market impact. Attempting to move comparable amounts through Monero would create liquidity constraints, significant slippage, and unusually strong demand on a limited number of trading venues—potentially driving prices higher and attracting unwanted attention. That said, Monero's role in laundering operations may continue to grow as a complementary privacy layer. One possible scenario is increased use of Monero through cross-chain protocols such as THORChain to further obscure transaction trails.

The Link to Kraken Market

BitOK's investigation also highlights the relationship between the identified Bitcoin cluster and Kraken Market, a Russian-language darknet marketplace.

According to the analysis, a portion of the funds passing through the cluster consistently flows toward the marketplace. Once the stolen assets enter this environment, they become commingled with proceeds from drug trafficking, darknet marketplace settlements, and other forms of illicit activity, making attribution substantially more difficult.

This suggests that Kraken Market may serve not merely as the destination for isolated transfers, but as part of a broader laundering infrastructure used to obscure the origin of funds stolen in major cryptocurrency hacks.

Hard Lessons

The Humanity Protocol incident demonstrates how the compromise of a single device containing private keys can jeopardize an entire project. Multisignature keys should therefore be stored on physically separate devices, while treasury assets should be secured through a licensed custodian or an MPC (multi-party computation) architecture rather than residing on a single machine.

The second lesson is equally important. The convergence of funds within the same laundering infrastructure—whether a mixer or a darknet marketplace—shows that assets from different incidents entered the same financial network. However, this fact alone does not prove that the underlying hacks were carried out by the same threat actors.