Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 282 · Private Key Compromise

Humanity Protocol Private-Key Compromise

A compromised Humanity Foundation key let an attacker drain wallets and mint 100M H tokens on BNB Chain, netting about $32M and crashing $H nearly 90%.

Date
Chain(s)
Status
Funds Stolen

On June 9, 2026, Humanity Protocol — a decentralized-identity project that uses palm-vein biometrics and zero-knowledge proofs for "Proof of Humanity" verification — was drained for approximately $32 million after private keys belonging to a member of the Humanity Foundation were compromised. The attacker emptied at least 17 wallets and minted 100 million new H tokens on BNB Chain, collapsing the $H price by close to 90% within hours.

What happened

The team attributed the incident to a private-key compromise rather than a smart-contract flaw. According to on-chain analysts, the attacker drained the affected wallets and then escalated by taking over the H token's proxy admin on BNB Chain, minting an additional 100,000,000 H (worth roughly $12.9 million at the time) into a freshly created wallet. The proceeds were rapidly liquidated: about $23.7 million was swapped for ETH, while roughly $7.9 million remained in H as ongoing sell pressure dragged the token from around $0.72 toward $0.10. The control-of-mint-authority signature echoes the TesseraDAO and Ankr / Helio incidents, where compromised privileged keys allowed an attacker to print and dump supply faster than defenders could react.

Aftermath

Humanity Protocol publicly acknowledged the breach and said it was investigating, with the incident landing just weeks before a scheduled June 25 token unlock. No funds had been recovered in the immediate aftermath. Notably, on-chain investigator ZachXBT questioned the official explanation, calling the event "possibly staged" and suggesting it could be a planned exit involving the team or an associated market maker rather than an external attack — pointing to the concentration of supply and the on-DEX nature of the dumping. As of reporting, it was not conclusively established whether the loss stemmed from an external compromise or an insider operation.

Why it matters

The Humanity Protocol case reinforces a recurring catalogue theme: a token's mint authority and proxy-admin keys are its single most dangerous privilege, and no amount of audited contract logic protects holders once those keys fall into hostile hands. It also highlights the difficulty of attribution in privileged-key incidents — when the same keys can both legitimately operate a protocol and be used to drain it, the line between an external private-key theft and an insider exit can be genuinely hard to draw from on-chain data alone, leaving holders exposed regardless of intent.
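The sequence described under "What happened", a change of proxy control followed by a large mint, can be flagged by a monitor working from decoded contract events. The sketch below is an added example, not part of the original dossier and not Humanity Protocol code. It assumes the token emits EIP-1967 / Ownable-style events and reports mints as a Transfer from the zero address; every address, block number and the supply figure is constructed.

```python
from dataclasses import dataclass

ZERO = "0x" + "00" * 20
# Events that change who controls the token (assumed EIP-1967 proxy + Ownable).
PRIVILEGE_EVENTS = {"AdminChanged", "Upgraded", "OwnershipTransferred"}

@dataclass
class Event:
    block: int   # block number
    name: str    # decoded event name
    args: dict   # decoded event arguments

def detect(events, supply, mint_bps=50, window=1000):
    """Return (severity, block, message) alerts for one token contract.

    supply: total supply in base units before the first event.
    mint_bps: alert on a single mint of at least this many basis points of supply.
    window: a large mint within this many blocks of a privilege change is CRITICAL.
    """
    alerts, last_priv = [], None
    for ev in sorted(events, key=lambda e: e.block):
        if ev.name in PRIVILEGE_EVENTS:
            last_priv = ev.block
            alerts.append(("HIGH", ev.block, f"{ev.name} on token contract"))
        elif ev.name == "Transfer" and ev.args["from"] == ZERO:
            value = ev.args["value"]
            if value * 10_000 >= supply * mint_bps:
                chained = last_priv is not None and ev.block - last_priv <= window
                alerts.append(("CRITICAL" if chained else "HIGH", ev.block,
                               f"mint of {value // 10**18} tokens to {ev.args['to']}"))
            supply += value  # keep the running supply current
    return alerts

# Constructed sample data: addresses, block numbers and supply are placeholders.
UNIT = 10**18
SUPPLY = 10_000_000_000 * UNIT
SAMPLE = [
    Event(100, "Transfer", {"from": "0xaaa1", "to": "0xbbb2", "value": 500 * UNIT}),
    Event(205, "AdminChanged", {"previousAdmin": "0xadm1", "newAdmin": "0xadm2"}),
    Event(206, "Upgraded", {"implementation": "0xc0de"}),
    Event(210, "Transfer", {"from": ZERO, "to": "0xf4e5", "value": 100_000_000 * UNIT}),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE, SUPPLY):
        print(*alert)
```

An alert of this kind only shortens reaction time; it does not show whether the key holder or a thief signed the transactions, which is the attribution problem noted above.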

Sources & on-chain evidence

  1. coindesk.com: https://www.coindesk.com/tech/2026/06/09/humanity-protocol-token-crashes-more-than-80-after-a-usd32-million-private-key-hack
  2. theblock.co: https://www.theblock.co/post/404053/humanity-protocol-exploit
  3. cointelegraph.com: https://cointelegraph.com/news/humanity-h-token-tanks-85-following-30m-private-key-compromise
  4. coingape.com: https://coingape.com/h-token-crashes-humanity-protocol-suffers-private-keys-hack/
  5. cryptotimes.io: https://www.cryptotimes.io/2026/06/09/zachxbt-calls-32m-humanity-protocol-hack-possibly-staged-h-crashes-86/
