Humanity Protocol has attributed a roughly $36 million token theft to hackers linked to North Korea after an investigation found that attackers gained access to critical private keys through a compromised developer device.
Summary
- Quantstamp linked Humanity Protocol’s $36 million exploit to tactics associated with North Korea-linked hackers.
- Attackers gained access to seven private keys stored on a malware-infected developer machine and drained 141 million H tokens.
- Humanity Protocol said no smart contracts were exploited, with the breach resulting from compromised credentials instead.
According to Humanity Protocol’s June 13 disclosure of a security investigation conducted by Quantstamp, attackers obtained control of key infrastructure and drained approximately 141 million H tokens from the project’s Ethereum bridge before minting additional tokens on BNB Smart Chain.
The findings provide a clearer picture of an incident that triggered a sharp sell-off in the H token and raised new concerns about operational security practices across crypto projects.
Quantstamp stated that the attack involved tooling and certificate-signing activity commonly associated with intrusions attributed to North Korean threat actors.
Compromised private keys enabled authorized transactions
Details released by Humanity Protocol indicate that the breach began when attackers gained root access to a developer machine infected with malware. According to the project’s incident report published earlier this week, the device contained backups of seven private keys that had been inadvertently stored during Humanity Protocol’s June 2025 mainnet launch.
Those credentials included an admin hot wallet key, three Ethereum Safe owner keys, and three BNB Safe owner keys. Humanity Protocol said access to those keys gave the attacker control over multiple production systems from a single device.
Using valid credentials rather than exploiting smart contract code, the attacker was able to authorize transfers, execute Safe transactions, and approve contract upgrades. Humanity Protocol stated that the transactions carried enough signatures to satisfy Safe threshold requirements, causing the actions to appear legitimate on-chain.
Following the contract upgrade, roughly 141 million H tokens were removed from the Ethereum bridge in a single transaction. Quantstamp reported that additional H tokens were later minted on BNB Smart Chain, with most of the proceeds ultimately converted into ETH.
Humanity Protocol emphasized that neither its bridge contracts, token contracts, nor Safe architecture were compromised. According to the project, the incident resulted entirely from stolen private keys rather than a vulnerability in the underlying infrastructure.
Token collapse followed as investigators traced the attack
Market reaction was immediate after details of the exploit became public. According to reports cited by Humanity Protocol, the H token lost between 80% and 90% of its value shortly after the breach was disclosed.
Earlier reporting by crypto.news noted that approximately 447 million H tokens were affected across Ethereum and BNB Smart Chain. Although the token later recovered part of its losses, Humanity Protocol (H) price was still trading near $0.214 on June 13, up about 20% over the previous 24 hours but down roughly 74% over the past week.
Independent blockchain investigators also examined the incident. Analyses published by Lookonchain and pseudonymous on-chain researcher ZachXBT pointed to a malware-related private key compromise as the central cause of the breach. While their findings supported the attack pathway described by Humanity Protocol, attribution to state-sponsored actors remained a topic of discussion among some researchers.
Quantstamp’s assessment places Humanity Protocol among several crypto projects reportedly targeted by North Korea-linked groups in recent years. According to the security firm, the attack demonstrates how a single compromised device can expose high-value infrastructure when sensitive credentials are not properly isolated from production environments.
