
Humanity Protocol has attributed a token theft worth nearly $36 million to North Korea-linked hackers after an investigation found that attackers accessed critical private keys through a compromised developer device.
Summary
- Quantstamp linked the $36 million Humanity Protocol exploit to tactics associated with North Korea-linked hackers.
- The attackers gained access to seven private keys stored on a malware-infected developer’s device and exfiltrated 141 million H tokens.
- Humanity Protocol said no smart contracts were exploited; rather, the breach resulted from compromised credentials.
According to Humanity Protocol's June 13 security disclosure and an investigation conducted by Quantstamp, attackers took control of key infrastructure and drained approximately 141 million H tokens from the project's Ethereum bridge before minting additional tokens on the BNB Smart Chain.
The findings provide a clearer picture of the incident that led to a sharp sell-off in the H token and raised new concerns about operational security practices across cryptocurrency projects.
Quantstamp reported that the attack involved tooling and certificate signing activity typically associated with intrusions attributed to North Korean threat actors.
Compromised private keys enabled authorized transactions
Details released by Humanity Protocol indicate that the hack began when attackers gained access to a developer's malware-infected device. According to the project's incident report published earlier this week, the device contained backup copies of seven private keys that were inadvertently stored during the Humanity Protocol mainnet launch in June 2025.
These credentials included the admin hot wallet key, three Ethereum Safe owner keys, and three BNB Safe owner keys. Access to these keys gave an attacker control over multiple production systems from a single machine, Humanity Protocol said.
By using valid credentials instead of exploiting the smart contract code, the attacker was able to authorize transfers, execute Safe transactions, and approve contract upgrades. Humanity Protocol said the transactions carried enough signatures to meet Safe threshold requirements, making the actions appear legitimate on-chain.
After the contract upgrade, approximately 141 million H tokens were removed from the Ethereum bridge in a single transaction. Quantstamp reported that additional H tokens were subsequently minted on the BNB Smart Chain, with most of the proceeds eventually being converted into ETH.
Humanity Protocol stated that no bridge contracts, token contracts, or Safe architecture were compromised. According to the project, the entire incident was caused by stolen private keys and not a vulnerability in the underlying infrastructure.
Token collapse followed as investigators traced the attack
Market reaction was immediate after details of the exploit became public. According to reports cited by Humanity Protocol, the H token lost between 80% and 90% of its value shortly after the hack was disclosed.
Previous reports by crypto.news indicated that approximately 447 million H tokens were affected across Ethereum and the BNB Smart Chain. Although the token later recovered part of its losses, Humanity Protocol (H) was still trading near $0.214 on June 13, up about 20% over the past 24 hours but down about 74% over the past week.
Independent blockchain investigators also examined the incident. Analysis published by Lookonchain and pseudonymous on-chain researcher ZachXBT pointed to a malware-related private key compromise as the main cause of the breach. While their findings supported the attack path described by Humanity Protocol, the attribution of responsibility to state-sponsored actors has remained a topic of debate among some researchers.
Quantstamp’s assessment places Humanity Protocol among several cryptocurrency projects that have reportedly been targeted by North Korea-linked groups in recent years. According to the security firm, the attack demonstrates how a single compromised device can expose high-value infrastructure when sensitive credentials are not properly isolated from production environments.
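The isolation failure described above can be checked against a key-custody inventory. The sketch below is an added example, not code from Humanity Protocol or Quantstamp; the Safe names, thresholds, owner labels and device names are constructed, since the disclosure does not give the real thresholds. It finds the smallest set of devices whose stored keys reach each Safe's signing threshold.

```python
from itertools import combinations

# Constructed inventory (assumption): thresholds and labels are illustrative only.
SAFES = {
    "eth-safe": {"threshold": 3,
                 "owners": {"eth-1", "eth-2", "eth-3", "eth-4", "eth-5"}},
    "bnb-safe": {"threshold": 3,
                 "owners": {"bnb-1", "bnb-2", "bnb-3", "bnb-4", "bnb-5"}},
}

# device -> key labels found on it, backup copies included (constructed).
KEY_LOCATIONS = {
    "dev-laptop": {"admin-hot", "eth-1", "eth-2", "eth-3",
                   "bnb-1", "bnb-2", "bnb-3"},
    "hsm-a": {"eth-4", "bnb-4"},
    "hsm-b": {"eth-5", "bnb-5"},
}


def min_devices_to_quorum(safe, locations):
    """Smallest set of devices whose combined owner keys meet the threshold.

    Exhaustive search, so it stays exact when a key has copies on
    several devices. Returns None if no combination reaches quorum.
    """
    owners, threshold = safe["owners"], safe["threshold"]
    holding = {d: keys & owners for d, keys in locations.items() if keys & owners}
    for size in range(1, len(holding) + 1):
        for combo in combinations(sorted(holding), size):
            distinct = set().union(*(holding[d] for d in combo))
            if len(distinct) >= threshold:
                return list(combo)
    return None


def audit(safes, locations):
    """Report, per Safe, the minimal device set and whether one device suffices."""
    findings = {}
    for name, safe in safes.items():
        devices = min_devices_to_quorum(safe, locations)
        findings[name] = {
            "devices": devices,
            "single_point": devices is not None and len(devices) == 1,
        }
    return findings


if __name__ == "__main__":
    for name, result in audit(SAFES, KEY_LOCATIONS).items():
        print(name, result)
```

A Safe flagged `single_point` has its multisig threshold reduced in practice to the security of one machine, which is the condition the incident report describes.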




