Blab Crypto
Humanity Protocol $H Token Compromise Traced to Phishing Attack and Key Theft
Humanity Protocol announced on June 12 that a targeted phishing operation impersonating the South‑Korean exchange Bithumb led to the theft of private keys belonging to one of its directors. The compromised keys were used to upgrade the project’s smart‑contract governance on Ethereum and to mint additional $H tokens on the BNB Smart Chain (BSC). The attacker then moved roughly 141 million $H tokens across Ethereum and BSC, selling them on Uniswap and PancakeSwap within about eight hours. The rapid liquidation destroyed liquidity pools and caused the token’s market price to collapse.
The incident began when the director received an email that appeared to be a legitimate Bithumb update. The attachment contained remote‑access malware that installed itself on the device without triggering endpoint security. The malware granted the attacker full desktop control and allowed the extraction of wallet data and private keys stored locally. An independent audit by Quantstamp confirmed that the attacker used the stolen administrative credentials to upgrade the Ethereum contract and to take control of a ProxyAdmin contract on BSC. Quantstamp noted that the malware’s certificate‑signing patterns were characteristic of DPRK‑linked intrusions, although no definitive attribution was made.
Humanity Protocol clarified that the smart‑contract code itself was not vulnerable. The compromise resulted solely from unauthorized administrative access obtained through the phishing attack. After the unauthorized minting and transfer of tokens, the project’s clean multisig wallet—controlled by a separate set of administrators—was able to freeze the Ethereum deployment. The canonical Humanity Mainnet bridge remained unaffected.
The BSC deployment, however, was deemed permanently compromised because the attacker retained minting authority via the ProxyAdmin contract. The team stated that the BSC deployment must be abandoned, as the attacker can continue to create new $H tokens. The incident highlights growing concerns in the crypto industry about governance key management, operational security, and social‑engineering attacks.
The $H token’s price fell by more than 80 % in the hours following the attack. Liquidity providers on both Ethereum and BSC suffered significant losses as the attacker liquidated the newly minted tokens. The incident also raised questions about the adequacy of security practices for projects that rely on cross‑chain bridges and multi‑chain token deployments.
Humanity Protocol’s update emphasized that the attack was not a vulnerability in the underlying smart‑contract logic but a breach of administrative key security. The project has since halted all operations on BSC and is focusing on restoring confidence in its Ethereum deployment. The incident serves as a cautionary example for other projects that maintain parallel deployments across multiple blockchains.
Regulatory and industry responses to the incident are still pending. The project’s statement did not mention any investigations by national or international regulators. The Quantstamp report was released publicly, but no official law‑enforcement statements have been issued. The broader crypto community has noted the incident as part of a series of high‑profile private‑key thefts and phishing attacks that have affected projects across the ecosystem.
In summary, Humanity Protocol’s $H token was compromised through a phishing attack that stole administrative private keys. The attacker upgraded contracts on Ethereum, minted new tokens on BSC, and sold them on major decentralized exchanges, causing a sharp price collapse. The Ethereum deployment was frozen, but the BSC deployment remains compromised and has been abandoned. The incident underscores the importance of secure key management and robust operational security for multi‑chain projects.
The situation remains fluid. Humanity Protocol has not announced any new security measures beyond the abandonment of the BSC deployment. No further updates on potential regulatory investigations or legal actions have been released as of the time of this report.
The incident began when the director received an email that appeared to be a legitimate Bithumb update. The attachment contained remote‑access malware that installed itself on the device without triggering endpoint security. The malware granted the attacker full desktop control and allowed the extraction of wallet data and private keys stored locally. An independent audit by Quantstamp confirmed that the attacker used the stolen administrative credentials to upgrade the Ethereum contract and to take control of a ProxyAdmin contract on BSC. Quantstamp noted that the malware’s certificate‑signing patterns were characteristic of DPRK‑linked intrusions, although no definitive attribution was made.
Humanity Protocol clarified that the smart‑contract code itself was not vulnerable. The compromise resulted solely from unauthorized administrative access obtained through the phishing attack. After the unauthorized minting and transfer of tokens, the project’s clean multisig wallet—controlled by a separate set of administrators—was able to freeze the Ethereum deployment. The canonical Humanity Mainnet bridge remained unaffected.
The BSC deployment, however, was deemed permanently compromised because the attacker retained minting authority via the ProxyAdmin contract. The team stated that the BSC deployment must be abandoned, as the attacker can continue to create new $H tokens. The incident highlights growing concerns in the crypto industry about governance key management, operational security, and social‑engineering attacks.
The $H token’s price fell by more than 80 % in the hours following the attack. Liquidity providers on both Ethereum and BSC suffered significant losses as the attacker liquidated the newly minted tokens. The incident also raised questions about the adequacy of security practices for projects that rely on cross‑chain bridges and multi‑chain token deployments.
Humanity Protocol’s update emphasized that the attack was not a vulnerability in the underlying smart‑contract logic but a breach of administrative key security. The project has since halted all operations on BSC and is focusing on restoring confidence in its Ethereum deployment. The incident serves as a cautionary example for other projects that maintain parallel deployments across multiple blockchains.
Regulatory and industry responses to the incident are still pending. The project’s statement did not mention any investigations by national or international regulators. The Quantstamp report was released publicly, but no official law‑enforcement statements have been issued. The broader crypto community has noted the incident as part of a series of high‑profile private‑key thefts and phishing attacks that have affected projects across the ecosystem.
In summary, Humanity Protocol’s $H token was compromised through a phishing attack that stole administrative private keys. The attacker upgraded contracts on Ethereum, minted new tokens on BSC, and sold them on major decentralized exchanges, causing a sharp price collapse. The Ethereum deployment was frozen, but the BSC deployment remains compromised and has been abandoned. The incident underscores the importance of secure key management and robust operational security for multi‑chain projects.
The situation remains fluid. Humanity Protocol has not announced any new security measures beyond the abandonment of the BSC deployment. No further updates on potential regulatory investigations or legal actions have been released as of the time of this report.
