Key Takeaways
- Private keys controlling Humanity Protocol’s bridge infrastructure were exposed through a compromised employee device.
- Hackers gained control with three of six multisignature keys on Ethereum and three of five on BNB Chain, compromising the bridges on both networks.
- Approximately 141 million H tokens were extracted from Ethereum, while 200 million additional tokens were illegally minted on BNB Chain.
- The value of H tokens plummeted more than 85%, crashing from approximately $0.67 to as low as $0.05.
- Security analysts discovered suspicious pre-breach wallet movements, though no conclusive evidence of insider involvement has emerged.
Humanity Protocol revealed on Tuesday that cybercriminals successfully stole more than $36 million in its H token following unauthorized access to private cryptographic keys that were stored on an employee’s compromised laptop.
The platform operates cross-chain bridges enabling H token transfers between the Ethereum and BNB Chain networks. These bridges were secured using multisignature wallet architecture — a security mechanism requiring authorization from multiple independent private keys before executing transactions or modifying smart contracts.
According to founder Terence Kwok, the keys were meant to be spread across four separate individuals as originally planned. However, a critical error occurred during the initial configuration, when several keys were inadvertently backed up to a single device that was subsequently compromised.
“Some of the keys were accidentally backed up to a compromised device during setup,” Kwok said.
The Exploitation Timeline
On the Ethereum network, the perpetrators obtained three of the six keys associated with the bridge administrator account. That met the signing threshold and gave them complete operational control. They swapped the authentic bridge smart contract with a fraudulent replacement and extracted approximately 141.2 million H tokens through a single coordinated transaction.
On BNB Chain, the attackers compromised three of the five keys. They inserted an unrestricted minting capability into the bridge’s smart contract code and exploited it to create 200 million fresh H tokens, transferring the entire amount to wallets under their control.
The development team suspended all deposit and withdrawal operations across the affected bridge systems immediately upon detecting the security breach.
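The failure described above is a custody problem rather than a flaw in the multisignature scheme: a 3-of-6 wallet only requires three independent compromises if no single device holds three keys. The following added example (not code from Humanity Protocol or from the original article) audits a key-custody inventory for that condition; the device names and key placement are constructed for illustration and are not the real layout.

```python
from itertools import combinations

# Constructed custody inventories (hypothetical names, not the real layout):
# signer key -> set of devices that hold a copy of that key.
INTENDED = {
    "key1": {"hw-a"}, "key2": {"hw-a"}, "key3": {"hw-b"},
    "key4": {"hw-b"}, "key5": {"hw-c"}, "key6": {"hw-d"},
}
# Same wallet after setup-time backups left three keys on one laptop.
ACTUAL = {key: set(devs) for key, devs in INTENDED.items()}
for key in ("key1", "key3", "key5"):
    ACTUAL[key].add("setup-laptop")


def keys_exposed(custody, devices):
    """Distinct signer keys readable if every device in `devices` is compromised."""
    wanted = set(devices)
    return {key for key, locs in custody.items() if locs & wanted}


def min_devices_to_threshold(custody, threshold):
    """Smallest device set whose compromise yields >= threshold keys.

    Brute force over device combinations, which is fine for the handful of
    devices behind a multisig. Returns (None, ()) if the threshold is unreachable.
    """
    all_devices = sorted(set().union(*custody.values()))
    for n in range(1, len(all_devices) + 1):
        for combo in combinations(all_devices, n):
            if len(keys_exposed(custody, combo)) >= threshold:
                return n, combo
    return None, ()


def audit(custody, threshold):
    """Summarise how many device compromises the wallet really tolerates."""
    n, devices = min_devices_to_threshold(custody, threshold)
    return {
        "scheme": f"{threshold}-of-{len(custody)}",
        "min_devices": n,
        "devices": devices,
        "single_point_of_failure": n == 1,
    }


if __name__ == "__main__":
    for label, inventory in (("intended", INTENDED), ("actual", ACTUAL)):
        print(label, audit(inventory, 3))
```

A result of `min_devices` below the signing threshold means the effective security of the wallet is lower than its nominal scheme suggests.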
Market Fallout and Price Collapse
The H token had experienced significant upward momentum in the period preceding the attack, appreciating from roughly $0.20 to $0.70. Following public disclosure of the exploit, the token’s value collapsed to approximately $0.05 — representing a devastating decline exceeding 85%.
While the token subsequently rebounded toward the $0.20 level, substantial damage had already occurred. In the aftermath of the incident, Humanity Protocol’s team information page was also taken down from their official website.
Investigating the Attack’s Source
Blockchain security investigator ZachXBT initially raised concerns about whether abnormal market-making operations and private OTC transactions involving H tokens might be linked to the security breach. He subsequently clarified that these trading activities appeared unrelated to the key compromise itself.
Security researcher Elton Shehdula from Allium Labs suggested the on-chain transaction patterns indicated a carefully orchestrated operation. His analysis revealed that wallets used in the attack received funding from both a cryptocurrency exchange and a privacy mixer several weeks before execution. Additionally, the attacker appeared to test minting permissions days prior to launching the full-scale exploit, and the draining occurred simultaneously across both blockchain networks.
Shehdula indicated this degree of strategic planning suggests either an internal threat actor or an external adversary who had quietly maintained possession of the compromised keys for an extended period.
Cyvers security chief Hakan Unal noted the blockchain evidence presents a mixed picture. According to his assessment, genuine external breaches typically look hurried: rapid movement to newly created wallets, unfavorable swap rates, and immediate mixer usage. Conversely, internally coordinated events may display more deliberate timing patterns, particularly coinciding with token unlock schedules or vesting milestones.
Currently, Humanity Protocol reports it is collaborating with cryptocurrency exchanges and additional stakeholders to explore potential recovery strategies. The specific circumstances surrounding the original laptop compromise remain undisclosed to the public.



