Humanity Protocol links $36M token theft to North Korea-associated hackers
Summary of the incident
Quantstamp, a blockchain security firm, concluded in a June 13 disclosure that attackers using tactics commonly associated with North Korea-linked threat actors were responsible for a roughly $36 million token theft from Humanity Protocol. The probe found that the intrusion did not exploit smart contract code but instead relied on private keys stolen from a malware-infected developer device.
How attackers compromised critical credentials
According to Humanity Protocol's incident report and Quantstamp's investigation, the breach started when a developer machine with root access became infected by malware. That single device contained backups of seven private keys that had been stored inadvertently during Humanity Protocol's June 2025 mainnet launch. Those keys included an admin hot wallet key plus three Ethereum Safe owner keys and three BNB Safe owner keys.
Possessing these credentials allowed the attacker to operate across multiple production systems from a single compromised endpoint. Rather than exploiting a vulnerability in bridge contracts, token contracts, or Safe architecture, the attacker used legitimate credentials to authorize transfers, sign Safe transactions, and approve a contract upgrade. The transactions carried enough valid signatures to meet Safe threshold requirements, so they appeared legitimate on-chain.

Tokens drained and cross-chain minting
After the unauthorized upgrade, the attacker withdrew approximately 141 million H tokens from Humanity Protocol's Ethereum bridge in a single transaction. Quantstamp reported that the attacker later minted additional H tokens on BNB Smart Chain and converted most proceeds into ETH. Earlier reporting indicated roughly 447 million H tokens were affected across both Ethereum and BNB Smart Chain networks.
Market impact and token volatility
News of the exploit triggered a severe market reaction. The H token plunged between 80% and 90% shortly after the breach became public. Although the token recovered some value in subsequent days, Humanity Protocol's price remained deeply depressed, trading near $0.214 on June 13 — up about 20% over 24 hours but down roughly 74% for the prior week.
Independent analysis and attribution debate
Independent on-chain researchers, including Lookonchain and pseudonymous analyst ZachXBT, examined transaction flows and malware indicators and reached conclusions consistent with Humanity Protocol's account: a malware-related private key compromise enabled the attack. While Quantstamp's assessment points to tooling and certificate-signing activity often linked with North Korea-affiliated groups, some researchers caution that attribution to state-sponsored actors can remain inconclusive without additional intelligence.
What was and wasn't exploited
Humanity Protocol emphasized that neither its bridge contracts nor token contracts nor the Safe architecture were directly exploited. The project maintains the incident was caused by stolen private keys and poor operational separation rather than a flaw in the underlying smart contract code.
Operational security lessons for blockchain projects
This incident highlights a persistent operational security risk for crypto projects: a single compromised developer device can expose high-value infrastructure when private keys and credentials are not properly isolated. Best practices that can reduce this risk include strict key management, hardware security modules or secure enclaves for signing, hardened developer workstations, routine threat-hunting and endpoint monitoring, and segregation of backups from production environments.
For bridges, multisig Safes, and cross-chain systems, defense-in-depth should combine secure code with rigorous operational controls. Organizations should assume that sophisticated adversaries can obtain initial access and therefore focus on limiting the blast radius of credential exposure.
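The blast-radius point can be checked mechanically against a key-custody inventory: for each device, count how many distinct signer keys it holds per asset and compare that with the asset's signing threshold. The following is an added example, not code from Humanity Protocol or Quantstamp; the device names, key labels and the threshold of 3 per Safe are constructed assumptions, since the page does not state the Safes' thresholds.

```python
from collections import defaultdict

def blast_radius(custody, thresholds):
    """Map each device to the assets an attacker fully controls by
    compromising that device alone.

    custody:    iterable of (key_id, asset, device), one record per stored
                copy of a key (backups count as copies).
    thresholds: asset -> number of distinct keys needed to authorize actions.
    """
    keys_on_device = defaultdict(lambda: defaultdict(set))
    for key_id, asset, device in custody:
        # A set, so several copies of the same key on one device count once.
        keys_on_device[device][asset].add(key_id)

    exposed = {}
    for device, assets in keys_on_device.items():
        # Unknown threshold is treated as 1 (the conservative reading).
        hit = sorted(a for a, keys in assets.items()
                     if len(keys) >= thresholds.get(a, 1))
        if hit:
            exposed[device] = hit
    return exposed

# Assumed thresholds (hypothetical; not given on the page).
THRESHOLDS = {"admin-hot-wallet": 1, "eth-safe": 3, "bnb-safe": 3}

# Constructed inventory mirroring the layout the article describes:
# seven key backups on one developer workstation.
COLOCATED = (
    [("admin-key", "admin-hot-wallet", "dev-workstation")]
    + [(f"eth-owner-{i}", "eth-safe", "dev-workstation") for i in (1, 2, 3)]
    + [(f"bnb-owner-{i}", "bnb-safe", "dev-workstation") for i in (1, 2, 3)]
)

# Constructed alternative: each owner key on its own signing device.
SEGREGATED = (
    [("admin-key", "admin-hot-wallet", "hsm-1")]
    + [(f"eth-owner-{i}", "eth-safe", f"hw-wallet-{i}") for i in (1, 2, 3)]
    + [(f"bnb-owner-{i}", "bnb-safe", f"hw-wallet-{i}") for i in (1, 2, 3)]
)

if __name__ == "__main__":
    print("co-located:", blast_radius(COLOCATED, THRESHOLDS))
    print("segregated:", blast_radius(SEGREGATED, THRESHOLDS))
```

In the segregated layout the single-key admin wallet is still reported, because a threshold of 1 makes whichever device holds that key a single point of compromise.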
Looking ahead
Quantstamp's report places Humanity Protocol among various projects targeted by hackers using tactics associated with North Korea-linked groups in recent years. The broader crypto ecosystem will be watching whether Humanity Protocol and other teams implement enhanced key-management and incident-response controls to prevent similar losses. Meanwhile, on-chain investigators continue to trace funds as exchanges and services update blacklists and coordinate recoveries where possible.
This episode underscores that blockchain security requires both resilient smart contract design and uncompromising operational hygiene to protect tokens, bridge liquidity, and user funds from sophisticated threat actors.
Source: crypto
Comments
fundflux
is the NK link overplayed? on-chain shows private key theft sure, but tying it to state actors needs extra intel. feels a bit quick to blame, imo
circuitz
wow, insane, a single infected dev box did all that? makes me wanna scream lol. How were backups sitting on that machine, no way ops didn't know. urgent fixes needed