Humanity Protocol’s H token plunged greater than 80% after attackers compromised project-linked keys and stole greater than $36 million following an worker laptop computer breach.
Attackers drained 141.2 million H and minted one other 200 million H via malicious contract upgrades, prompting the staff to halt bridge exercise.
The breach marks the most recent main DeFi hack of 2026, extending a yr wherein protocols have already misplaced tons of of hundreds of thousands of {dollars} to exploits.
Humanity Protocol’s native token H collapsed greater than 80% Tuesday after attackers compromised personal keys tied to the undertaking, seized bridge admin controls, and stole greater than $36 million throughout Ethereum and BNB Chain.
In a detailed thread, Humanity Protocol mentioned the Monday assault was coordinated throughout Ethereum and BSC and traced to a breach that occurred “after an worker’s laptop computer was compromised.”
INCIDENT UPDATE:
Final evening, June 8, the H token was hit by a coordinated assault throughout Ethereum and BSC. Whereas we’re nonetheless investigating this incident, we need to be clear with our group about what occurred.
As of proper now, ~$36M+ has been stolen throughout each chains…
— Humanity (@Humanityprot) June 9, 2026
The Humanity breach extends one of many worst stretches on file for DeFi safety, with greater than $885 million misplaced to DeFi hacks within the first six months of 2026, in line with DeFiLlama information.
Attackers compromised three of six Gnosis Protected keys on Ethereum and three of 5 on BSC, seizing ProxyAdmin management, draining about 141.2 million H, and minting one other 200,000,005 H via malicious contract upgrades, in line with the undertaking.
The undertaking’s H token plunged from highs of $0.73132 Monday to a Tuesday morning low of $0.079606, per CoinGecko information, a drop of 89%. H is at the moment buying and selling close to $0.20, down 73% on the day, erasing a lot of a rally that had pushed the token near its all-time excessive of $0.80 only a week earlier.
Founder Terence Kwok confirmed the breach and instructed customers to remain away from the undertaking’s infrastructure.
We have detected a safety incident involving the compromise of personal keys belonging to a member of the Humanity Basis. As a precaution, please don’t work together with the bridge or any liquidity swimming pools till we affirm it is secure.
Humanity Protocol is a zero-knowledge Layer-2 blockchain centered on decentralized id, based by Kwok and constructed round a “Proof of Humanity” system that verifies customers via palm scans reasonably than iris or facial recognition.
The breach is the most recent setback for Kwok, whose earlier enterprise, hospitality-tech startup Tink Labs, raised about $160 million and have become one among Hong Kong’s first unicorns earlier than shutting down in 2019 amid monetary troubles.
The Humanity Protocol staff mentioned it has halted deposits and withdrawals to the affected bridges and is working with exchanges and police to get better funds.
“Individuals on this group labored laborious for what they maintain right here, and we really feel the load of that,” the undertaking mentioned, promising a autopsy.
An “operational safety failure”
Meir Dolev, co-founder and CTO at blockchain safety platform Cyvers, instructed Decrypt the incident was “an operational safety failure, not a smart-contract bug,” with the attacker gaining admin entry via a non-public key tied to a Humanity Basis member.
After the contract improve, Dolev mentioned the attacker abused the mint perform to create 100 million new H, price about $12.9 million, then swapped the stolen and minted tokens for ETH and BNB earlier than consolidating throughout a number of wallets.
Dolev famous that draining roughly $30 million “required proprietor/admin-level management capable of improve token provide through the proxy contract improve and drain protocol-controlled wallets straight.”
“The core failure is structural: one key trusted with each the funds and the ability to rewrite the principles,” he mentioned.
He learn Kwok’s warning to keep away from the bridge and swimming pools as an indication that entry “will not be totally contained.”
The attacker nonetheless holds massive quantities of H however can not totally money out as a result of pool liquidity is just too skinny to soak up the swaps, Dolev mentioned, making the general public alert “partly an effort to maintain that liquidity from being touched.”
Humanity Protocol is because of unlock 266.5 million H, about 9.4% of the launched provide, price roughly $33 million at pre-crash costs, on June 25, throughout six allocations, in line with Tokenomist information.
On-chain sleuth ZachXBT initially flagged the occasion as “probably staged,” suggesting it provided a handy exit for the energetic market maker.
He later walked the assertion again, tweeting that, “After additional evaluation of the laundering, it appears the sketchy MM / OTC & personal key compromise are unbiased of each other and never associated.”
Dolev cautioned that on-chain proof to this point stays combined, because the attacker holds authentic admin rights both approach. The place the funds settle within the coming days, and whether or not the compromised key was dormant beforehand, he mentioned, “would be the deciding issue.”
Day by day Debrief Publication
Begin daily with the highest information tales proper now, plus unique options, a podcast, movies and extra.
