- Humanity Protocol revealed that a compromised employee’s laptop enabled attackers to steal over $36 million in H tokens.
- Attackers gained control of the protocol’s bridge administration after compromising three of six Gnosis Safe multisig keys.
- The exploit affected both Ethereum and BNB Chain, allowing hackers to drain and mint millions of tokens.
- Following the breach, the H token plunged more than 85%, while Humanity Protocol suspended bridge deposits and withdrawals.
Humanity Protocol is a decentralized identity network that verifies that users are genuine individuals rather than AI bots. It allows users to confirm their identities without disclosing personal information by exchanging non-invasive palm biometrics and zero-knowledge cryptography for invasive facial or iris scans.
According to Humanity Protocol, an employee’s laptop compromise allowed attackers to take control of bridges, upgrade contracts, and steal over $36 million in H tokens.
Source: TradingView
Humanity Protocol’s H token plunged more than 85%. However, the token later recovered some of its losses. At the time of writing, H was trading at $0.18, increasing 14% over the past 24 hours.
The protocol stated in an incident update on Tuesday that the Monday attack had an impact on the H token on both the Ethereum and BNB chains.
According to the team, attackers were able to take over bridge administration on both networks because three of the six Gnosis Safe owner keys were hacked.
INCIDENT UPDATE:
Last night, June 8, the H token was hit by a coordinated attack across Ethereum and BSC. While we’re still investigating this incident, we want to be transparent with our community about what happened.
As of right now, ~$36M+ has been stolen across both chains…
— Humanity (@Humanityprot) June 9, 2026
According to Humanity, the attackers altered the bridge contracts into several harmful versions once they gained control. They depleted almost 141.2 million Ethereum coins. They generated 200 million tokens straight into their own wallet after adding a feature on BSC that allowed them to create an infinite number of tokens.
Terence Kwok, the founder of Humanity, told Cointelegraph that although the project’s multisignature controls were distributed among four people, some keys might have been compromised during setup. Kwok told Cointelegraph, “We think that some of the keys were inadvertently backed up to a compromised device.”
Multisig Keys Exposed
Humanity employs MPC for its operations treasury and “a licensed custodian for the majority of token treasury,” but “for certain contracts, multisig keys were set up in one place and then dispersed,” leaving some keys stored on a compromised device.
The event shows how the concentration of various authorities behind a limited number of keys can turn a compromised endpoint into a protocol-level problem. In order to reduce harm and look into recovery alternatives, Humanity said it has stopped deposits and withdrawals to the impacted bridges and is collaborating with exchanges and relevant parties.
Following the project’s disclosure of the private key compromise, the value of Humanity Protocol’s H token dropped by more than 85%. Kwok cautioned users from interacting with the bridge or liquidity pools at the time.
Blockchain detectives examined the matter to see whether the attack was solely an external compromise or related to anomalous token activity prior to an impending unlock, as some community members noted.
ZachXBT, a blockchain investigator, first questioned whether the exploit was related to Humanity’s market maker and over-the-counter (OTC) operations. After more investigation, he added, the market-maker and OTC activities seemed to be unrelated to the private key compromise.
As investigators dug deeper into the exploit, attention shifted from the breach itself to the onchain activity surrounding it.
Onchain Data Raises Doubts
Cyvers’ senior security operations lead, Hakan Unal, told Cointelegraph that because the attacker has legal admin access in both scenarios, the onchain pattern may first appear similar regardless of whether an incident is a real compromise or a staged event.
According to Unal, “the surrounding behavior is what distinguishes them.” “Funds rushed to new wallets, swaps at poor prices, mixer use, and no insider timing are characteristics of a true compromise that typically demonstrate speed and improvisation.”
A staged incident, on the other hand, can exhibit suspicious timing close to unlocks or vesting, concentrated supply, orderly movement, or proceeds that ultimately return to team-linked addresses or market makers, according to Unal.
“The question is open because the evidence is currently conflicting,” he continued.
Researcher Says Humanity Hack Shows Signs Of A Coordinated Operation
Elton Shehdula, research lead at Allium Labs, stated that the exploit’s onchain pattern suggested a possibly organized and coordinated operation rather than a lone opportunist.
Shehdula said that the minting authority was “warmed up” days prior to the attack, wallets were funded via an exchange and a mixer weeks in advance, and the dump happened concurrently across two chains.
The degree of setup and access, he claimed, was compatible with either an “insider or an outside actor” who had been secretly holding the compromised key for a while.
Stay informed with the latest trends in Web3, blockchain innovation, and cybersecurity updates at 3verseTV
You need to login in order to Like
Leave a comment