Humanity Protocol Traces $36M Hack to Single Malware-Infected Machine That Held Seven Keys

Humanity Protocol published a forensic incident report Tuesday tracing its $36 million breach to a single malware-infected developer machine that stored backups of seven private keys, giving an attacker unilateral control over the protocol's Ethereum and BNB Smart Chain infrastructure.
The keys, inadvertently backed up to the device during Humanity's mainnet launch around June 2025, included the admin hot wallet key, three Ethereum Safe owner keys, and three BNB Smart Chain Safe owner keys, according to the incident report published on the protocol's Notion page.
Investigators say the attacker gained root access to the machine via malware, then extracted all seven keys from a single point of compromise. As The Defiant reported Monday, the breach resulted in roughly 447 million H tokens stolen or minted across both chains and an estimated $36 million in losses.
How the Attack Unfolded
The protocol said the breach involved no bug in its bridge contracts, token contracts, or Safe architecture. All transfers, Safe transactions, and proxy upgrades carried valid private key signatures, so each action appeared on-chain as an authorized operation.
The attack proceeded in three waves between June 8 and June 9. First, 6.04 million H were drained from an Ethereum admin hot wallet after its key was compromised. The attacker then used three of the six Ethereum Safe owner keys to seize ProxyAdmin ownership of the bridge, upgraded the bridge to a malicious implementation, and drained 141.18 million H in a single transaction.
On BNB Smart Chain, three compromised Safe keys gave the attacker control of the token's ProxyAdmin. Three separate mint transactions of 100 million H each expanded the circulating supply from roughly 141 million to 441 million H before being liquidated through decentralized exchanges.
Humanity Protocol noted the BNB Smart Chain token contract remains under attacker control, with the ProxyAdmin still held by the attacker's wallet.
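The custody failure described above can be checked for ahead of time. The following is an added example, not code from Humanity Protocol or its report: it takes an inventory of where each signing key or backup lives and finds the smallest set of locations whose compromise meets a role's signing threshold. The location names, the inventory layout, and the threshold of 3 for the Ethereum Safe are assumptions.

```python
from itertools import combinations

# Constructed inventory (assumption): every place a signing key or a backup of it exists.
LOCATIONS = {f"eth-owner-{i}": {f"hw-wallet-{i}"} for i in range(1, 7)}
for i in (1, 2, 3):  # stray backups on one developer machine, as in the report
    LOCATIONS[f"eth-owner-{i}"].add("dev-laptop")
LOCATIONS["admin-hot"] = {"signer-host", "dev-laptop"}

# Roles and the number of distinct keys that must sign (threshold 3 is an assumption).
ROLES = {
    "eth-bridge-safe": {"owners": [f"eth-owner-{i}" for i in range(1, 7)], "threshold": 3},
    "admin-hot-wallet": {"owners": ["admin-hot"], "threshold": 1},
}

def exposed_keys(owners, locations, compromised):
    """Owner keys readable from at least one compromised location."""
    return {k for k in owners if locations[k] & set(compromised)}

def min_compromise(role, locations):
    """Smallest tuple of locations that together yield >= threshold owner keys."""
    places = sorted(set().union(*(locations[k] for k in role["owners"])))
    for size in range(1, len(places) + 1):
        for combo in combinations(places, size):
            if len(exposed_keys(role["owners"], locations, combo)) >= role["threshold"]:
                return combo
    return None  # threshold cannot be reached from the inventoried locations

def audit(roles, locations):
    """Map each role to its cheapest compromise set; a 1-tuple is a single point of failure."""
    return {name: min_compromise(role, locations) for name, role in roles.items()}

def without(locations, place):
    """Inventory after every key copy at `place` has been destroyed."""
    return {k: locs - {place} for k, locs in locations.items()}

if __name__ == "__main__":
    for label, inv in (("as reported", LOCATIONS),
                       ("laptop backups removed", without(LOCATIONS, "dev-laptop"))):
        for name, combo in audit(ROLES, inv).items():
            flag = "SINGLE POINT OF FAILURE" if len(combo) == 1 else "ok"
            print(f"{label:24} {name:18} {combo} {flag}")
```

A single-key role such as the admin hot wallet is always flagged, since one location is enough by construction; the useful signal is a multisig whose result is also a 1-tuple.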
Open Questions and Response
The investigation has not yet determined when the attacker first accessed the machine, how the malware was delivered, or how long the stolen credentials were held before the June 8 attack.
In response, the protocol halted bridge deposits and withdrawals, published a live tracker of the exploiter's addresses, and offered a $1 million USDT bounty for information leading to asset recovery. Any recovered funds would go toward buying back H tokens.
ZachXBT, who initially raised the possibility the incident was staged, later revised his assessment after reviewing the laundering trail, writing on X that the suspicious market-maker activity and the private key compromise appeared unrelated.
H traded near $0.154 Tuesday, down roughly 74% over the preceding week, per CoinGecko.