Humanity Protocol says North Korea-linked hackers stole about $36 million after compromising a developer’s machine and seizing critical private keys, according to a June 13 investigation disclosure.
What happened
- Humanity Protocol hired Quantstamp to investigate a breach that began when malware gave attackers root access to a developer device used during the project’s June 2025 mainnet launch. The compromised device reportedly contained backups of seven private keys that had been inadvertently stored there.
- Those credentials included an admin hot wallet key, three Ethereum Safe owner keys and three BNB Safe owner keys. With those keys the attackers could control multiple production systems from a single machine.
How the attackers acted
- Rather than exploiting smart contract bugs, the attackers used valid, stolen credentials to authorize transfers, execute Safe transactions and approve a contract upgrade. Because the stolen keys satisfied Safe signature thresholds, the on-chain activity looked legitimate.
- After upgrading a contract, roughly 141 million H tokens were withdrawn from Humanity Protocol’s Ethereum bridge in a single transaction. The attackers later minted additional H tokens on BNB Smart Chain and converted most proceeds into ETH.
Attribution and investigations
- Quantstamp’s analysis linked tooling and certificate-signing behavior in the attack to methods commonly associated with North Korea-linked threat actors, leading Humanity Protocol to attribute the theft to a North Korea-linked group.
- Independent on-chain investigators including Lookonchain and ZachXBT independently pointed to a malware-driven private key compromise as the proximate cause. However, some researchers continue to debate firm state-sponsored attribution.
Damage and market fallout
- Initial reporting indicated about 447 million H tokens were impacted across Ethereum and BNB Smart Chain. Humanity Protocol says the incident was the result of stolen keys and not a vulnerability in its bridge contracts, token contracts or Safe architecture.
- The market reaction was swift: the H token plunged between 80% and 90% after the breach was disclosed. By June 13 the token had partially recovered, trading near $0.214 — up about 20% over 24 hours but down roughly 74% for the week.
Why it matters
- Quantstamp framed the incident as a cautionary example of how a single compromised device can expose high-value infrastructure when sensitive credentials are not properly isolated from production environments.
- The case underscores persistent operational security risks across crypto projects—particularly the dangers of storing private keys or backups on developer machines and failing to isolate keys from everyday tooling.
Humanity Protocol’s disclosure and Quantstamp’s report have clarified the attack path, but the episode leaves ongoing questions about attribution and highlights the urgent need for stronger credential hygiene and infrastructure isolation across the industry.
Read more AI-generated news on: undefined/news
