Single Laptop, Multiple Keys: Disaster Strikes
Humanity Protocol, a decentralized identity project valued at $1.1 billion last year, suffered a devastating exploit this week after attackers compromised a laptop belonging to one of its employees.
The attacker managed to seize three out of six keys that governed Humanity's bridge on Ethereum, as well as three out of five keys on BNB Chain. With these, they were able to cross the multisignature approval threshold on both chains. This allowed them not only to drain approximately 141 million H tokens in a single Ethereum transaction but also to install malicious code on BNB Chain that enabled unlimited minting of new H tokens.
On paper, multisignature wallets are meant to prevent exactly this kind of breach—but storing all keys on a single device nullified their intended security benefits.
Token Plunge Wipes Out Investor Confidence
The impact on Humanity Protocol’s native H token was swift and severe. Within just 12 hours of the exploit being detected, the price of H collapsed from around $0.70 to as low as $0.08—a loss of 85%—according to CoinGecko data cited by cointelegraph.com. At its lowest point on Tuesday, the token had fallen nearly 89% from its Monday high of $0.73132, briefly recovering to trade near $0.20 but still down over 73% for the day.
Arkham Intelligence tracked $23.7 million of the stolen H tokens being swapped for Ethereum within hours of the breach.
Investors watched tens of millions in value evaporate almost overnight.
According to onchain analysts, wallets linked to Humanity Protocol were drained for over $32 million during the attack, with $23.7 million swapped for Ethereum and another $7.9 million still held in H tokens at the time of reporting. The attacker quickly moved stolen funds through decentralized exchanges such as Kyber Network and PancakeSwap in an apparent attempt to obfuscate their trail and cash out before freezing measures could be enacted.
Exploiter Mints Millions, Market Panics
Beyond draining existing tokens, the attacker leveraged their control over bridge admin accounts to exploit contract upgrade mechanisms. On BNB Chain, they installed code that enabled them to mint an additional 200 million H tokens out of thin air—flooding the market and further undermining any remaining confidence in Humanity Protocol’s ecosystem.
This coordinated attack across both Ethereum and BNB Chain left users scrambling for information and prompted founder Terence Kwok to issue an urgent warning: users were advised not to interact with any bridges or liquidity pools until further notice due to ongoing risk. Security firm CertiK noted that wallet or private key compromises had already been responsible for $13.7 million in losses across the crypto sector in May alone; Humanity’s incident now dwarfs that figure by nearly triple.
See Also
Team Scrubs Web Presence After Breach
In the aftermath of the breach, Humanity Protocol took drastic steps by removing its team page from its website entirely—a move interpreted by some community members as an attempt at damage control or self-protection while investigations continue. The company has halted all deposits and withdrawals on affected bridges and is reportedly working with exchanges and law enforcement agencies in hopes of recovering some portion of the stolen funds.
Despite raising $20 million from notable investors like Pantera Capital and Jump Crypto last year, Humanity Protocol now faces an existential challenge: regaining trust after a security lapse that exposed fundamental flaws in operational practices. It is unclear how much—if any—of the stolen assets can be recovered or what long-term impact this will have on its ambitious proof-of-humanity vision based on privacy-preserving palm biometrics.
In a Nutshell
- •Attackers stole over $36 million in H tokens by compromising 3 of 6 Ethereum and 3 of 5 BNB Chain multisig keys on a single laptop.
- •The H token price crashed up to 89%, dropping from $0.73 on Monday to as low as $0.08 within 12 hours.
- •$23.7 million of stolen funds were swapped for Ethereum, with $7.9 million remaining in H tokens after the June 2024 exploit.
What remains under scrutiny
If Humanity Protocol fails to restore bridge functionality and confirm the safety of deposits and withdrawals in the coming days, as advised by founder Terence Kwok, users will remain unable to interact with the bridge or liquidity pools and over $7.9 million in stolen H tokens will stay unrecovered.