The Humanity Protocol and Kelp DAO recently encountered attacks, with confirmation of asset theft; however, the publicly available materials have not disclosed specific details regarding the scale of the thefts and the attack vectors. On June 27, 2026, multiple media outlets cited on-chain analyst ZachXBT's public information, stating that about an hour before he spoke out, he monitored that part of the stolen funds from both incidents were transferred from their respective related addresses to the same or highly associated on-chain addresses, where mixing or merging operations occurred within that address or address cluster. This marked the first verifiable intersection of two originally independent paths of stolen funds on-chain. Based on this confluence, ZachXBT commented that the attackers behind the two security incidents "may have overlap," but he also emphasized that this remains a probabilistic judgment based on address relationships rather than a definitive conclusion. As of June 27, 2026, the relevant project parties and law enforcement agencies have not publicly confirmed whether the identities of the attackers overlap; therefore, when evaluating the security significance of this phenomenon of fund convergence, the discussion can only be strictly around the on-chain funding paths themselves, focusing on their implications for risk awareness and defense practices, rather than exaggerating it into a proven fact of attacker overlap.
The Convergence of Funds from Two Cases Within an Hour
According to ZachXBT's monitoring, within about an hour before his public statement, the funds involved in the attacks on Humanity Protocol and Kelp DAO were transferred from their respective output addresses into the same or highly related on-chain address system. On-chain records show that these transfers occurred very closely in time; one side saw the outflow of a portion of Humanity's stolen assets while the other side saw a portion of stolen funds from the Kelp DAO incident being written to the same address or its closely related address cluster, where mixing or merging operations took place.
Prior to this, the address cluster had already received funds from both the Humanity Protocol and Kelp DAO attack events, but this was the first visible "intersection" of two originally independent paths of stolen funds within the same address system. This confluence not only established a verifiable on-chain association edge for the two cases on transaction graphs but also constituted the most critical starting sample for further analysis of potential attacker relationships, allowing security researchers to continuously monitor subsequent fund behaviors and address evolutions around this specific intersection point.
Behind the Fund Convergence: The Same Hacker or Shared Money Laundering Channels?
After the discovery of this fund convergence, ZachXBT did not jump to conclusions but emphasized that the attackers behind the two incidents "may have overlap." This statement is based on the on-chain fact that the funds from Humanity Protocol and Kelp DAO mixed at the same or highly related addresses but is explicitly limited to a probabilistic judgment based on path mapping rather than identity confirmation. In historical cases, the same address repeatedly receiving assets from multiple attacks sometimes indicates that the same attack group targeted different projects at different times, subsequently concentrating the stolen funds back into a unified controlled address system for coordinated dispatch and further handling, which constitutes a possible pathway for the "same hacker" explanation.
However, the same image can also be generated by completely different behavioral patterns: different attackers might, after completing their respective attacks, direct the assets into the same third-party money laundering or fund mixing service. These services often receive funds through fixed or identifiable address clusters, thereby creating the appearance of "multiple stolen funds converging at the same address" on-chain. In such scenarios, the intersection addresses resemble intermediaries or infrastructures rather than wallets controlled by the attackers, which significantly weakens the argument for "the same attacker." Given that as of June 27, 2026, the relevant project parties and law enforcement agencies had not provided any official confirmation regarding the identities of the attack teams or individuals, the currently visible information remains limited to the transfer paths and address relationships themselves; in the absence of off-chain intelligence and identity data, such path intersections can only be viewed as clues that increase suspicion weight rather than a basis to lock in or identify specific attackers.
The Risk of the Same Attacker: From Single-Point Incidents to Chain Reactions
Should subsequent on-chain or official evidence further bolster the "same attacker" hypothesis, it would imply that attackers capable of continuously breaching projects like Humanity Protocol and Kelp DAO are active. The methods in their arsenal for scanning attack surfaces, social engineering techniques, private key acquisition pathways, and permission bypassing skills could likely be reused across multiple protocols. The observed convergence of stolen funds within the same or highly associated address clusters essentially reflects the repeated invocation of this "universal toolbox" on-chain: different projects are breached individually, yet the funds ultimately redirect to a single exit point, indicating potential coherence in operational patterns.
From a security structural perspective, multiple projects being targeted by a suspect identical attacker in a short time often points to certain common weaknesses being systematically exploited; this may not be a singular code vulnerability but rather a higher-level authorization management process, trust boundaries for the same type of dependency components, or the operational security habits of the entire team. For the ecosystem, the convergence of stolen funds on-chain has expanded a single project's incident into a potential chain threat across projects and ecosystems, necessitating security teams to retrace the map from the attackers' perspective, placing Humanity Protocol, Kelp DAO, and structurally similar protocols on the same diagram for analysis. For users, once a suspicious path of "serial crimes" appears on-chain, risk perception is no longer confined to a single project, but will spill over to similar products and other protocols within the same ecosystem, leading to a repricing of overall trust levels.
How ZachXBT Constructs a Suspicion Map Using On-Chain Paths
The starting point for on-chain security analysis is to view each transfer as an "edge" on the graph and each address as a "node." Analysts like ZachXBT typically begin from the respective victim addresses of Humanity Protocol and Kelp DAO, tracing along the path of stolen fund outflows, marking all intermediate addresses step by step, and ultimately identifying the "central node" where the funds converge. According to public reports, about an hour before he made his statement on June 27, funds from both incidents were flowing from their respective related addresses into the same or highly associated address clusters, where mixing or merging operations occurred; this intersection point became the critical node highlighted in his map construction.
On such a map, analysts will count whether the same address has received stolen funds from different events multiple times and whether similar splitting, merging, and cross-chain patterns appeared within a close time window, thus providing statistically meaningful clues for "whether there are identical operators." Attackers typically manufacture numerous intermediate nodes through multi-layered transfers, cross-chain bridges, contract interactions, and mixing services to increase the noise of path tracking. This is why, in this case, despite the objective fact of fund convergence at the address level between Humanity and Kelp, ZachXBT still used the phrase "may have overlap": on one hand, all transactions and contract invocation records on public chains are openly traceable, allowing any researcher to independently verify his paths and maps on the same data set; on the other hand, these paths only provide probabilistic connections rather than definitive identity conclusions, only maintaining the conclusion as a "possible" judgment while accepting external review allows for the objectivity and credibility of on-chain analysis to be established.
What Project Parties and Users Should Monitor Next
Moving forward, the priority should be to closely monitor whether the stolen funds from the Humanity Protocol and Kelp DAO incidents appear repeatedly in new addresses or services: if, after June 27, 2026, more involved funds are tracked to the same or highly associated address clusters, this would increase the weight of the hypothesis that "attackers may overlap"; conversely, if subsequent fund directions completely diverge and no substantial intersection occurs, this would weaken that hypothesis. Meanwhile, as of June 27, 2026, publicly available materials include only ZachXBT's on-chain path analysis and the statement of "may have overlap", with no confirmation from project parties or law enforcement agencies regarding the identities of the attackers. Whether Humanity Protocol and Kelp DAO will release security audit reports, attack reviews, and official tracing conclusions in the future will directly determine whether the current inferences based on on-chain paths will be confirmed or overturned. For users holding assets in relevant projects, a more practical approach is to continuously track the project's announcements regarding tightening permissions, contract upgrades, remediation plans (such as asset compensation or risk notifications), and to dynamically adjust their risk assessments based on on-chain paths, official project information, and third-party security audit reports. Until more authoritative information is released, viewing this on-chain convergence of stolen funds as an important risk signal rather than a final conclusion is a more prudent choice between maintaining vigilance and reason.
Join our community to discuss and become stronger together!
AiCoin exclusive Hyperliquid benefits: https://app.hyperliquid.xyz/join/AICOIN88
AiCoin exclusive Aster benefits: https://www.asterdex.com/zh-CN/referral/9C50e2
On-chain Telegram community: https://t.me/AiCoinWhaleData
On-chain community: https://www.aicoin.com/link/chat?cid=N6OVMor5g
AiCoin on-chain Twitter: https://x.com/aicoinwhaledata
免责声明:本文章仅代表作者个人观点,不代表本平台的立场和观点。本文章仅供信息分享,不构成对任何人的任何投资建议。用户与作者之间的任何争议,与本平台无关。如网页中刊载的文章或图片涉及侵权,请提供相关的权利证明和身份证明发送邮件到support@aicoin.com,本平台相关工作人员将会进行核查。
