Humanity Protocol Private-Key Compromise
A compromised Humanity Foundation key let an attacker drain wallets and mint 100M H tokens on BNB Chain, netting about $32M and crashing $H nearly 90%.
- Date: June 9, 2026
- Victim: Humanity Protocol
- Status: funds unrecovered as of reporting
- Funds Stolen: approximately $32 million as first reported, later revised to more than $36 million
On June 9, 2026, Humanity Protocol — a decentralized-identity project that uses palm-vein biometrics and zero-knowledge proofs for "Proof of Humanity" verification — was drained for approximately $32 million after private keys belonging to a member of the Humanity Foundation were compromised. The attacker emptied at least 17 wallets and minted 100 million new H tokens on BNB Chain, collapsing the $H price by close to 90% within hours.
What happened
The team attributed the incident to a private-key compromise rather than a smart-contract flaw. According to on-chain analysts, the attacker drained the affected wallets and then escalated by taking over the H token's proxy admin on BNB Chain, minting an additional 100,000,000 H (worth roughly $12.9 million at the time) into a freshly created wallet. The proceeds were rapidly liquidated: about $23.7 million was swapped for ETH, while roughly $7.9 million remained in H as ongoing sell pressure dragged the token from around $0.72 toward $0.10. The control-of-mint-authority signature echoes the TesseraDAO and Ankr / Helio incidents, where compromised privileged keys allowed an attacker to print and dump supply faster than defenders could react.
Aftermath
Humanity Protocol publicly acknowledged the breach and said it was investigating, with the incident landing just weeks before a scheduled June 25 token unlock. No funds had been recovered in the immediate aftermath. Notably, on-chain investigator ZachXBT questioned the official explanation, calling the event "possibly staged" and suggesting it could be a planned exit involving the team or an associated market maker rather than an external attack — pointing to the concentration of supply and the on-DEX nature of the dumping. As of reporting, it was not conclusively established whether the loss stemmed from an external compromise or an insider operation.
In a follow-up post-mortem, Humanity Protocol traced the root cause to a compromised employee laptop that held enough active keys to cross the multisig thresholds on both of its Hyperlane bridges. On Ethereum, three of six Gnosis Safe owners controlling the bridge's ProxyAdmin were compromised; the attacker reassigned ProxyAdmin ownership, upgraded the bridge to a malicious implementation, and moved roughly 141.2 million H in a single transaction. On BNB Chain, three of five Safe owners were compromised, enabling a malicious contract with an unlimited mint function that created about 200 million H across two transactions — more than the 100 million first reported. In both cases the multisig provided no effective defence: a 3-of-6 or 3-of-5 threshold only limits an attacker if the signer keys are held on separate devices by separate people, and here a quorum of them sat on one machine. The team put total losses above $36 million, halted bridge activity, and said it was engaging exchanges and law enforcement ahead of a full post-mortem.
A subsequent independent investigation by security firm Quantstamp traced the entry point to a targeted spear-phishing email impersonating South Korean exchange Bithumb, sent to a Humanity director who had been corresponding with the impersonated contact. A malicious attachment installed remote-access malware that gave the attacker full remote-desktop control while evading endpoint defenses, allowing extraction of the admin private keys used in the on-chain attack. Quantstamp reported that the malware tooling and certificate-signing patterns were characteristic of DPRK-linked intrusions, consistent with Lazarus-style tradecraft, while stopping short of a definitive attribution. Humanity said it had re-secured the Ethereum deployment, while the compromised BNB Chain version of $H would be permanently abandoned.
On June 16, Humanity Protocol published its remediation plan: a fresh ERC-20 $H token would be airdropped 1:1 to holders based on snapshots taken shortly before the June 8 exploit (Ethereum block 25,274,179, BNB Chain block 103,071,069 and Humanity Mainnet block 24,247,803), alongside a $1 million bounty for information leading to recovery and a commitment to direct any recovered funds into buybacks. The team framed the token migration, a compensation framework and a planned network relaunch as its primary path to restoring user balances. Because the stolen funds remained unrecovered, holders are to be made whole through reissuance rather than clawback.
On June 21, on-chain analytics firm Lookonchain reported that the attacker had entered an active cash-out phase: tranches of the proceeds were routed through Uniswap and PancakeSwap, a portion was converted into USDC, and the USDC was deposited into KuCoin. Tracked movements included repeated 10–50 ETH transfers and a single ~500 ETH transfer from wallets labelled "Humanity Protocol Expl." The laundering through a centralized exchange offers a potential intervention point but, as with the bulk of the stolen funds, none had been frozen or returned at the time of reporting.
Why it matters
The Humanity Protocol case reinforces a recurring catalogue theme: a token's mint authority and proxy-admin keys are its single most dangerous privilege, and no amount of audited contract logic protects holders once those keys fall into hostile hands. It also highlights the difficulty of attribution in privileged-key incidents — when the same keys can both legitimately operate a protocol and be used to drain it, the line between an external private-key theft and an insider exit can be genuinely hard to draw from on-chain data alone, leaving holders exposed regardless of intent.
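The attack chain in the post-mortem (ProxyAdmin ownership reassigned, proxy upgraded to a malicious implementation, then outsized mints) is visible on-chain as three standard events, which is what makes it detectable before a dump completes. The following is an added example, not Humanity Protocol's code or any vendor's tooling: a small Python monitor that consumes raw EVM logs and alerts when any of those three signatures deviates from a declared policy. All contract and wallet addresses, block numbers and sample log entries are constructed for illustration; the only real constants are the standard keccak256 event selectors for Transfer, OwnershipTransferred and Upgraded.

```python
"""Detect privileged-key abuse on an upgradeable ERC-20 from raw EVM logs.

Added example (not Humanity Protocol's code). Flags the three on-chain signatures
seen in the incident: a ProxyAdmin ownership transfer to an unknown address, a
proxy upgrade to an unknown implementation, and mints (Transfer from the zero
address) whose volume exceeds a policy cap. Every address, block number and
amount below is constructed for illustration.
"""
from dataclasses import dataclass, field

# keccak256 selectors of the standard events (ERC-20 Transfer, Ownable, ERC-1967).
TOPIC_TRANSFER = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
TOPIC_OWNERSHIP_TRANSFERRED = "0x8be0079c531659141344cd1fd0a4f28419497f9722a3daafe3b4186f6b6457e0"
TOPIC_UPGRADED = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"
ZERO_ADDRESS = "0x" + "0" * 40
H = 10**18  # token has 18 decimals

# Hypothetical addresses for the sample (not the real deployment).
SAFE = "0x1111111111111111111111111111111111111111"          # Gnosis Safe owning ProxyAdmin
ATTACKER = "0x2222222222222222222222222222222222222222"      # EOA that takes ProxyAdmin
PROXY = "0x3333333333333333333333333333333333333333"         # the token proxy
PROXY_ADMIN = "0x4444444444444444444444444444444444444444"
GOOD_IMPL = "0x5555555555555555555555555555555555555555"     # audited implementation
EVIL_IMPL = "0x6666666666666666666666666666666666666666"
ATTACKER_SINK = "0x7777777777777777777777777777777777777777"
USER = "0x8888888888888888888888888888888888888888"


def pad_topic(address: str) -> str:
    """Encode an address as a 32-byte indexed topic (left zero-padded)."""
    return "0x" + address[2:].lower().rjust(64, "0")


def topic_to_address(topic: str) -> str:
    """Indexed address params are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()


def encode_uint(value: int) -> str:
    return "0x" + format(value, "064x")


def log(address: str, topics: list, data: str, block: int) -> dict:
    """Shape of one entry as returned by eth_getLogs (subset of fields)."""
    return {"address": address, "topics": topics, "data": data, "block": block}


@dataclass
class Policy:
    proxy: str
    proxy_admin: str
    expected_admin_owner: str
    expected_implementation: str
    mint_cap_per_window: int   # base units
    window_blocks: int


@dataclass
class Alert:
    severity: str
    block: int
    reason: str


@dataclass
class Monitor:
    policy: Policy
    minted: list = field(default_factory=list)  # (block, amount) inside the window

    def check(self, entry: dict) -> list:
        p = self.policy
        addr = entry["address"].lower()
        topics = entry["topics"]
        blk = entry["block"]
        alerts = []
        if addr == p.proxy_admin.lower() and topics[0] == TOPIC_OWNERSHIP_TRANSFERRED:
            new_owner = topic_to_address(topics[2])
            if new_owner != p.expected_admin_owner.lower():
                alerts.append(Alert("critical", blk, f"ProxyAdmin owner changed to {new_owner}"))
        elif addr == p.proxy.lower() and topics[0] == TOPIC_UPGRADED:
            impl = topic_to_address(topics[1])
            if impl != p.expected_implementation.lower():
                alerts.append(Alert("critical", blk, f"proxy upgraded to unknown implementation {impl}"))
        elif addr == p.proxy.lower() and topics[0] == TOPIC_TRANSFER \
                and topic_to_address(topics[1]) == ZERO_ADDRESS:
            # A Transfer from 0x0 is a mint. Keep a sliding window so many small
            # mints cannot evade a per-transaction threshold.
            amount = int(entry["data"], 16)
            self.minted = [(b, a) for b, a in self.minted if b > blk - p.window_blocks]
            self.minted.append((blk, amount))
            total = sum(a for _, a in self.minted)
            if total > p.mint_cap_per_window:
                alerts.append(Alert("critical", blk,
                                    f"mint volume {total // H:,} H in {p.window_blocks} blocks exceeds cap"))
        return alerts


def build_sample_logs() -> list:
    """Constructed log stream: routine activity followed by the takeover chain."""
    return [
        log(PROXY, [TOPIC_TRANSFER, pad_topic(USER), pad_topic(SAFE)], encode_uint(500 * H), 99),
        log(PROXY, [TOPIC_TRANSFER, pad_topic(ZERO_ADDRESS), pad_topic(SAFE)], encode_uint(1_000 * H), 99),
        log(PROXY_ADMIN, [TOPIC_OWNERSHIP_TRANSFERRED, pad_topic(SAFE), pad_topic(ATTACKER)], "0x", 100),
        log(PROXY, [TOPIC_UPGRADED, pad_topic(EVIL_IMPL)], "0x", 101),
        log(PROXY, [TOPIC_TRANSFER, pad_topic(ZERO_ADDRESS), pad_topic(ATTACKER_SINK)],
            encode_uint(100_000_000 * H), 102),
        log(PROXY, [TOPIC_TRANSFER, pad_topic(ZERO_ADDRESS), pad_topic(ATTACKER_SINK)],
            encode_uint(100_000_000 * H), 103),
    ]


def run_sample() -> list:
    policy = Policy(PROXY, PROXY_ADMIN, SAFE, GOOD_IMPL,
                    mint_cap_per_window=1_000_000 * H, window_blocks=1_000)
    mon = Monitor(policy)
    alerts = []
    for entry in sorted(build_sample_logs(), key=lambda e: e["block"]):
        alerts.extend(mon.check(entry))
    return alerts


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a.severity}] block {a.block}: {a.reason}")
```

Run against the constructed stream, the monitor stays quiet through the routine user transfer and the small treasury mint, then raises one critical alert at each step of the chain: the ownership change at block 100, the upgrade at block 101, and the first 100M mint at block 102, one block before the second mint lands. In a live setup the input is the output of eth_getLogs filtered on the proxy and ProxyAdmin addresses, and the first two alerts are the ones worth paging on: once an attacker holds ProxyAdmin and the implementation, the mint is a formality.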
Sources & on-chain evidence
- [01] coindesk.com: https://www.coindesk.com/tech/2026/06/09/humanity-protocol-token-crashes-more-than-80-after-a-usd32-million-private-key-hack
- [02] theblock.co: https://www.theblock.co/post/404053/humanity-protocol-exploit
- [03] cointelegraph.com: https://cointelegraph.com/news/humanity-h-token-tanks-85-following-30m-private-key-compromise
- [04] coingape.com: https://coingape.com/h-token-crashes-humanity-protocol-suffers-private-keys-hack/
- [05] cryptotimes.io: https://www.cryptotimes.io/2026/06/09/zachxbt-calls-32m-humanity-protocol-hack-possibly-staged-h-crashes-86/
- [06] crypto.news: https://crypto.news/humanity-founder-reveals-employee-laptop-breach-behind-36m-exploit/
- [07] decrypt.co: https://decrypt.co/370485/humanity-protocol-loses-36m-after-private-keys-compromised-token-crashes-73
- [08] cryptotimes.io: https://www.cryptotimes.io/2026/06/13/humanity-protocol-36m-hack-phishing-email-dprk-links-revealed/
- [09] ambcrypto.com: https://ambcrypto.com/humanity-protocol-says-phishing-attack-led-to-permanent-bsc-compromise/
- [10] cryptotimes.io: https://www.cryptotimes.io/2026/06/16/humanity-protocol-unveils-h-token-recovery-and-airdrop-plan-post-36m-hack/
- [11] blockonomi.com: https://blockonomi.com/36m-humanity-protocol-exploit-enters-new-phase-as-funds-hit-kucoin