Humanity Protocol confirmed on Tuesday that a security breach originating from a compromised employee laptop facilitated a $36M theft of H tokens across the Ethereum and BNB Chain networks. The attack, executed on Monday, exploited the exposure of three out of six Gnosis Safe owner keys, granting adversaries full administrative control over the protocol's bridge infrastructure. Once access was secured, the attackers replaced legitimate bridge contracts with malicious versions, executing a dual-chain extraction strategy that drained approximately 141.2M tokens from Ethereum and minted 200M new tokens on BSC directly into attacker wallets. Data compiled by Woofun AI indicates the total value of stolen and minted assets exceeded $36M, representing a catastrophic loss for the ecosystem.
Terence Kwok, founder of Humanity, disclosed to Cointelegraph that while the project utilized multisignature controls distributed among four individuals, the security perimeter was breached during the initial key setup phase. Kwok explained that although the majority of the token treasury is held by a licensed custodian and operations rely on Multi-Party Computation (MPC), specific contract keys were consolidated in one location before dispersal. This procedural error resulted in some private keys being accidentally backed up to the compromised device, illustrating how a single endpoint failure can escalate into a protocol-level crisis when administrative authority is concentrated. Woofun AI notes that this vulnerability highlights the critical risks of key management workflows where physical device security intersects with decentralized governance structures.
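The concentration risk described above can be audited for any multisig by asking how few storage locations an attacker must compromise to collect a signing quorum. The Python below is an added example, not Humanity Protocol's code; the 3-of-6 threshold, the holder names, the `setup_laptop` location and the key-to-location layout are constructed assumptions for illustration.

```python
from itertools import combinations


def min_locations_to_reach_threshold(key_locations, threshold):
    """Smallest set of locations whose compromise exposes >= threshold owner keys.

    key_locations maps an owner-key label to the set of places where a copy
    of that private key exists (a person's device, a backup, a custodian).
    Returns a tuple of location names, or None if the quorum is unreachable.
    """
    locations = sorted({loc for locs in key_locations.values() for loc in locs})
    # Try every combination of locations, smallest first, so the first hit
    # is a minimum-size compromise set.
    for size in range(1, len(locations) + 1):
        for combo in combinations(locations, size):
            held = set(combo)
            # A key is exposed if any copy of it lives in a compromised location.
            exposed = [k for k, locs in key_locations.items() if locs & held]
            if len(exposed) >= threshold:
                return combo
    return None


THRESHOLD = 3  # assumption: the Safe needs 3 of its 6 owner keys to act

# Constructed layout: six owner keys held by four individuals.
INTENDED = {
    "owner1": {"holder_a"}, "owner2": {"holder_a"},
    "owner3": {"holder_b"}, "owner4": {"holder_b"},
    "owner5": {"holder_c"}, "owner6": {"holder_d"},
}

# Same layout, plus stray copies of three keys left on one device
# during setup (hypothetical location name).
WITH_BACKUP = {key: set(locs) for key, locs in INTENDED.items()}
for key in ("owner1", "owner3", "owner5"):
    WITH_BACKUP[key].add("setup_laptop")

if __name__ == "__main__":
    for name, layout in (("intended", INTENDED), ("with backup", WITH_BACKUP)):
        combo = min_locations_to_reach_threshold(layout, THRESHOLD)
        print(f"{name}: {len(combo)} location(s) suffice -> {combo}")
```

In this constructed layout the nominal 3-of-6 quorum is reachable through two holders even before any backup exists, and through a single device once copies of three keys sit on it.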
In immediate response to the breach, Humanity Protocol halted all deposits and withdrawals on the affected bridges to prevent further asset loss. The team is currently coordinating with major exchanges and relevant stakeholders to investigate recovery options and mitigate the broader market impact. The disclosure of the private key compromise sent the H token price plummeting by over 85%, prompting Kwok to urgently warn users against interacting with the compromised bridge or associated liquidity pools. The severity of the price action underscores the immediate loss of confidence following the revelation of the administrative takeover.
The incident has sparked intense scrutiny from blockchain investigators regarding the nature of the attack, specifically whether it was an external compromise or a staged event linked to unusual token activity preceding an upcoming unlock. Blockchain investigator ZachXBT initially questioned potential connections between the exploit and the project's market maker or over-the-counter (OTC) activity.
However, following deeper analysis, ZachXBT concluded that the market-maker and OTC operations appeared independent of the private key compromise, suggesting the attack may not have been an insider job designed to manipulate token supply prior to vesting schedules.
Hakan Unal, senior security operations lead at Cyvers, highlighted that on-chain patterns can appear identical in both genuine compromises and staged events because the attacker possesses legitimate admin rights in both scenarios. Unal emphasized that distinguishing factors lie in surrounding behaviors, noting that genuine compromises typically exhibit speed and improvisation, such as funds rushing to fresh wallets, swaps at unfavorable prices, and mixer usage without insider timing. Conversely, staged incidents often display suspicious timing near unlocks, concentrated supply movements, or proceeds routing back to team-linked addresses. Woofun AI analysis suggests that while current evidence remains mixed, the behavioral markers are critical for determining the true intent behind the exploit.
Further complicating the narrative, Elton Shehdula, research lead at Allium Labs, observed that the exploit's on-chain signature points toward a potentially planned and coordinated operation rather than a lone opportunist. Shehdula noted that the attacker wallets were funded from an exchange and a mixer weeks in advance, and the minting authority was 'warmed up' days before the attack. The simultaneous dumping of assets across two chains indicated a level of preparation and access consistent with either an insider or an external actor who had quietly held the compromised key for an extended period. This sophisticated setup challenges the initial narrative of a simple endpoint failure and suggests a more complex threat vector.