Humanity Says Laptop Breach Led To $36M H Token Exploit

Humanity Protocol said an employee’s laptop compromise allowed attackers to seize bridge controls, upgrade contracts and steal over $36 million in H tokens. 

In an incident update on Tuesday, the protocol said the Monday attack affected the H token across Ethereum and BNB Chain. The team said three of six Gnosis Safe owner keys were compromised, allowing attackers to take control of bridge administration on both networks. 

Once they had control, the attackers changed the bridge contracts into different malicious versions, Humanity said. On Ethereum, they drained around 141.2 million tokens. On BSC, they added a function that let them create unlimited tokens, then minted 200 million tokens directly to their own wallet. 

Humanity founder Terence Kwok told Cointelegraph that the project had multisignature controls spread across four individuals, but that some keys may have been exposed during setup. 

“What we believe happened was some of the keys were accidentally backed up to a compromised device,” Kwok told Cointelegraph.

He said Humanity uses “a licensed custodian for the majority of token treasury” and MPC for its operations treasury, but that “for certain contracts, multisig keys were set up in one place and then dispersed,” leaving some keys backed up on a compromised device. 

The incident shows how a compromised endpoint can become a protocol-level crisis when different authorities are concentrated behind a small number of keys. Humanity said it halted deposits and withdrawals to the affected bridges and is working with exchanges and related parties to minimize damage and investigate recovery options. 

Humanity Protocol’s H token fell by over 85% after the project disclosed the private key compromise. At the time, Kwok warned users not to interact with the bridge or liquidity pools. 

Source: Humanity Protocol

Security firms examine exploit pattern

The case drew scrutiny from blockchain investigators over whether the attack was purely an external compromise or connected to unusual token activity before an upcoming unlock, as some community members pointed out. 

Blockchain investigator ZachXBT initially questioned whether Humanity’s market maker and over-the-counter (OTC) activity were connected to the exploit. However, he later said that after further analysis, the market-maker and OTC activity appeared to be independent from the private key compromise. 

Related: ZEC drops 30% as Shielded Labs reveals more about infinite counterfeit bug

Hakan Unal, the senior security operations lead at Cyvers, told Cointelegraph that the onchain pattern can look similar at first, whether an incident is a genuine compromise or a staged event, because the attacker holds legitimate admin rights in both cases.

“What distinguishes them is the surrounding behavior,” Unal said. “A genuine compromise usually shows speed and improvisation: funds rushed to fresh wallets, swaps at bad prices, mixer use, and no insider timing.”

By contrast, Unal said a staged incident may show suspicious timing near unlocks or vesting, concentrated supply, orderly movement or proceeds that eventually route back toward team-linked addresses or market makers.

“Right now the evidence is mixed, which is why the question is open,” he added.

Researcher suspects the Humanity incident was coordinated

Meanwhile, Allium Labs research lead Elton Shehdula said the exploit’s onchain pattern pointed to a potentially planned and coordinated operation rather than a lone opportunist.

Wallet funding and timeline. Source: Allium Labs

Shehdula said wallets were funded from an exchange and a mixer weeks in advance, the minting authority was “warmed up” days before the attack and the dump occurred across two chains simultaneously.

He said the level of setup and access was consistent with either an “insider or an outside actor” who had quietly held the compromised key for some time.

Magazine: Vietnam preps crypto pilot, HK pushes tokenization: Asia Express