Inside the $36M Humanity Protocol Hack: How a Phishing Email from Fake Bithumb Brought Down a Decentralized Identity Project

Once installed, the malware granted the attackers full remote access to the director's laptop. From that single machine, they exfiltrated seven private keys: three of the six Gnosis Safe multi-signature owner keys that governed the Ethereum bridge, plus additional keys that allowed contract upgrades .

How the Exploit Unfolded Across Two Chains

With control of the bridge administration keys, the attackers executed parallel attacks on Ethereum and BNB Smart Chain in a coordinated window:

On Ethereum:

• The attackers upgraded the H token bridge contract to a malicious version under their control .
• They then drained roughly 141 million H tokens from the bridge in a single transaction .
• The stolen tokens were largely swapped or bridged to other assets and moved to external wallets, making recovery extremely difficult .

On BNB Smart Chain:

• The attackers took control of the ProxyAdmin contract .
• Using this access, they minted additional H tokens directly, effectively creating new supply out of thin air .
• The newly minted and stolen tokens were then systematically sold on Uniswap and PancakeSwap for approximately eight hours, crashing the token's price .

Crucially, the attack did not exploit a bug in any smart contract. It was a pure key-compromise breach driven by a human-targeted phishing campaign. Humanity Protocol later confirmed this point explicitly, stating that no smart contracts were exploited .

Quantstamp's Forensic Findings and the North Korea Link

Humanity Protocol hired Quantstamp on June 9, one day after the breach. The security firm released its preliminary investigation report on June 11, and the project publicly attributed the theft to North Korean-linked hackers on June 12, following up with a full disclosure of Quantstamp's findings on June 14 .

Key forensic indicators that pointed Quantstamp toward DPRK-linked threat actors included:

• Malware tooling and behavior: The use of hncagent.exe as a first-stage loader, along with the remote access patterns observed, matched known North Korean intrusion sets .
• Digital certificate abuse: The malware was signed with a legitimate South Korean digital certificate from Hancom, a tactic Quantstamp identified as characteristic of previous DPRK-linked operations .
• Operational tradecraft: The multi-stage, phishing-to-key-exfiltration-to-cross-chain-drain approach mirrors the social-engineering-heavy playbook long associated with the Lazarus Group and its affiliates, which have stolen over $3 billion in cryptocurrency through similar methods .

The report also clarified the ongoing risk: while the H token contract on Ethereum was frozen by a non-compromised multi-signature wallet, the BNB Smart Chain deployment remains permanently under the attacker's control, with continued minting capability .

The H Token Crash and the 210% Surge

The Crash

In the immediate aftermath of the June 8 exploit, H token prices plummeted. From an all-time high of $0.844 on June 2, the token crashed roughly 74%, hitting lows between $0.05 and $0.13 in panic selling .

The Recovery Rallies

A series of relief rallies followed:

• June 12: H surged approximately 44% in a single day, trading back to around $0.227. The bounce was driven by Humanity Protocol's mitigation announcement and the freezing of the Ethereum contract .
• June 14: Another 42% single-day rally pushed the token to a high of $0.6276, representing a roughly 210% surge from its post-exploit lows .

Why the Surge Was Risky

This dramatic recovery was not built on restored fundamentals. Data from CoinMarketCap showed that the June 14 surge was accompanied by a 131% spike in Open Interest to $213 million, indicating a massive inflow of speculative leveraged positions . CoinMarketCap's analysis explicitly flagged that this leverage buildup carried elevated volatility risk, warning that any sudden reversal could trigger cascading liquidations .

By June 15, the token had already pulled back to around $0.23-$0.30, confirming the fragility of the speculative rally .

Broader Implications for Web3 Security

The Humanity Protocol breach is not an isolated incident—it is a textbook illustration of the structural vulnerabilities that persist across Web3, even in projects explicitly designed around decentralization.

1. The myth of decentralization through multi-sig. Humanity used a 3-of-6 Gnosis Safe for bridge control. Yet three of those six keys were stored on a single employee's laptop. The breach demonstrates that a multi-signature scheme is only as secure as the distributed physical custody of its keys—a reality many projects still neglect .

2. North Korean hacking is now a predictable, repeating threat. The DPRK's cyber units, including the Lazarus Group, have refined a repeatable playbook: identify a crypto project, compromise a developer or executive via social engineering, steal private keys, and drain funds across chains. Humanity Protocol is the latest entry on a long and growing list .

3. Cross-chain bridges remain critical chokepoints. By design, bridges hold large, liquid asset pools controlled by a small number of admin keys. This makes them irresistible targets. The simultaneous exploitation of Ethereum and BSC bridges in this attack reinforces why bridge security—not just smart contract auditing but key management and access control—should be the top priority for any cross-chain project .

4. Post-exploit rallies can be traps. The H token's 210% surge attracted traders chasing a quick recovery, but the leverage data suggested a crowded, unstable trade. When a token rebounds on speculation rather than a credible resolution—especially with one chain still permanently compromised—the risk of a second crash is not theoretical .

5. Regulatory pressure will increase. When a state actor like North Korea is implicated in a crypto theft, regulators take notice. Expect renewed scrutiny on KYC/AML compliance, custodial key management standards, and mandatory security audits—particularly for protocols operating cross-chain bridges that hold user funds .