Humanity Protocol has released new details about the security incident that led to the theft and unauthorized minting of approximately 447 million H tokens across Ethereum and BNB Smart Chain. According to the project’s latest investigation, the breach originated from a single malware-infected developer machine that contained backups of several highly sensitive private keys.
The findings provide a clearer picture of how the attacker gained control of critical protocol infrastructure and carried out one of the most significant exploits affecting the project to date.
Malware-Infected Device Identified as Entry Point
According to Humanity Protocol’s incident report, investigators traced the attack to a compromised developer device that had inadvertently stored backup copies of several private keys dating back to the project’s June 2025 mainnet launch.
The attacker reportedly gained root-level access to the machine and extracted seven private keys from the device.
The compromised credentials included:
- One admin hot wallet key
- Three Ethereum Safe owner keys
- Three BNB Smart Chain Safe owner keys
Possession of these keys gave the attacker direct access to critical administrative controls across both blockchain networks.
Humanity Protocol emphasized that the attack was not caused by vulnerabilities in its bridge contracts, token contracts, or Safe infrastructure. Instead, the attacker was able to perform actions using legitimate credentials obtained from the compromised device.
How the Attack Unfolded
The exploit occurred over multiple stages between June 8 and June 9.
The first phase targeted an Ethereum admin hot wallet.
Investigators said the attacker used the stolen private key to drain approximately 6.04 million H tokens from the wallet before moving on to more critical infrastructure components.
After gaining access to three Ethereum Safe owner keys, the attacker obtained sufficient authorization to seize control of the protocol’s bridge administration system.
Ethereum Bridge Compromised
Using the stolen Safe credentials, the attacker transferred ownership of the Bridge ProxyAdmin to an attacker-controlled address.
Once administrative control was established, the bridge contract was upgraded to a malicious implementation.
The attacker then executed a transaction that drained approximately 141.18 million H tokens from the bridge.
Because the transaction contained valid signatures that satisfied the Safe’s threshold requirements, the malicious upgrade appeared to be an authorized administrative action rather than a traditional smart contract exploit.
This distinction is important because it highlights how credential theft can bypass even robust smart contract security measures.
BNB Smart Chain Suffers Massive Unauthorized Minting
The situation became even more severe on BNB Smart Chain.
The attacker used a separate set of compromised Safe owner keys to gain control of the token’s ProxyAdmin contract.
After deploying a malicious contract implementation, the attacker executed three separate minting transactions.
Each transaction created:
- 100 million H tokens
- 100 million H tokens
- 100 million H tokens
The combined unauthorized minting added 300 million H tokens to circulation.
As a result, the token supply expanded dramatically from approximately 141.1 million H to more than 441 million H.
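Both the Ethereum bridge takeover and the BNB Smart Chain minting followed the same on-chain pattern: an admin ownership change, an upgrade to an unreviewed implementation, then large token movements. The following monitoring sketch is an added example, not code from Humanity Protocol or its report. It assumes OpenZeppelin-style `OwnershipTransferred` and `Upgraded` events and ERC-20 `Transfer` events, and every address, limit and log record in it is constructed.

```python
ZERO = "0x" + "00" * 20
H = 10**18  # token base units; 18 decimals is an assumption

# Constructed policy: every address and limit here is a placeholder, not incident data.
POLICY = {
    "admin_owner": "0x" + "a1" * 20,       # the Safe expected to own the ProxyAdmin
    "approved_impls": {"0x" + "b2" * 20},  # implementations that passed review
    "mint_limit": 1_000_000 * H,           # largest mint expected in one transfer
    "window": 50,                          # blocks in which owner change + upgrade are chained
}

def scan(events, policy=POLICY):
    """Return (block, rule, severity) for admin-plane events that policy does not expect.

    Events are decoded logs with lowercase addresses, from the ProxyAdmin, proxy and token.
    """
    alerts, owner_changed_at = [], None
    for ev in sorted(events, key=lambda e: e["block"]):
        name, args, blk = ev["event"], ev["args"], ev["block"]
        if name == "OwnershipTransferred" and args["newOwner"] != policy["admin_owner"]:
            owner_changed_at = blk
            alerts.append((blk, "admin-owner-changed", "high"))
        elif name == "Upgraded" and args["implementation"] not in policy["approved_impls"]:
            # Valid Safe signatures make this look authorized; only the allow-list objects.
            chained = owner_changed_at is not None and blk - owner_changed_at <= policy["window"]
            alerts.append((blk, "unapproved-implementation", "critical" if chained else "high"))
        elif name == "Transfer" and args["from"] == ZERO and args["value"] > policy["mint_limit"]:
            alerts.append((blk, "oversized-mint", "critical"))
    return alerts

USER, NEW_OWNER, NEW_IMPL = ("0x" + b * 20 for b in ("c3", "d4", "e5"))  # constructed
SAMPLE = [  # constructed log sequence shaped like the one the report describes
    {"block": 100, "event": "Transfer", "args": {"from": USER, "to": NEW_OWNER, "value": 500 * H}},
    {"block": 101, "event": "OwnershipTransferred",
     "args": {"previousOwner": POLICY["admin_owner"], "newOwner": NEW_OWNER}},
    {"block": 102, "event": "Upgraded", "args": {"implementation": NEW_IMPL}},
    {"block": 103, "event": "Transfer", "args": {"from": ZERO, "to": NEW_OWNER, "value": 100_000_000 * H}},
    {"block": 104, "event": "Transfer", "args": {"from": ZERO, "to": NEW_OWNER, "value": 100_000_000 * H}},
    {"block": 105, "event": "Transfer", "args": {"from": ZERO, "to": NEW_OWNER, "value": 100_000_000 * H}},
    {"block": 106, "event": "Transfer", "args": {"from": ZERO, "to": USER, "value": 10 * H}},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

Because the signatures on such transactions are valid, the allow-list of owners and implementations is the only signal here; a monitor of this kind is useful only if it can trigger a pause or page an operator faster than the next transaction lands.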
Single Point of Failure Raises Security Questions
One of the most concerning aspects of the investigation is the discovery that all seven compromised private keys were apparently stored on a single machine.
According to Humanity Protocol, forensic investigators believe the attacker obtained every key from that one infected device.
The finding highlights the dangers of centralized key storage and backup management, particularly in systems designed to manage decentralized infrastructure.
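A custody inventory can be checked for exactly this condition: how few storage locations must be compromised before a Safe's signing threshold is met. The audit below is an added example, not the project's tooling; the inventory, owner counts and 3-of-5 threshold are constructed assumptions, since the report as summarized here does not state them.

```python
from itertools import combinations

def min_locations_to_threshold(owners, threshold, key_locations):
    """Smallest set of storage locations whose compromise exposes >= threshold owner keys.

    Returns (locations, exposed_keys), or (None, []) if the threshold cannot be reached.
    """
    locations = sorted({loc for key in owners for loc in key_locations.get(key, ())})
    for size in range(1, len(locations) + 1):
        for combo in combinations(locations, size):
            exposed = sorted(k for k in owners if set(key_locations.get(k, ())) & set(combo))
            if len(exposed) >= threshold:
                return list(combo), exposed
    return None, []

def audit(safes, key_locations):
    """Flag every Safe that one compromised location is enough to control."""
    report = {}
    for name, cfg in safes.items():
        locs, keys = min_locations_to_threshold(cfg["owners"], cfg["threshold"], key_locations)
        report[name] = {"locations": locs, "keys": keys,
                        "single_point_of_failure": locs is not None and len(locs) == 1}
    return report

# Constructed inventory. Owner counts and the 3-of-5 threshold are assumptions.
SAFES = {
    "eth-safe": {"owners": [f"eth-{i}" for i in range(1, 6)], "threshold": 3},
    "bsc-safe": {"owners": [f"bsc-{i}" for i in range(1, 6)], "threshold": 3},
}
# Each key lives on its own hardware wallet...
SEPARATED = {k: [f"hw-{k}"] for s in SAFES.values() for k in s["owners"]}
# ...but launch-time backups of three keys per Safe were left on one laptop.
WITH_BACKUPS = {k: v + (["dev-laptop"] if k[-1] in "123" else []) for k, v in SEPARATED.items()}

if __name__ == "__main__":
    for label, inv in (("with backups", WITH_BACKUPS), ("separated", SEPARATED)):
        print(label, audit(SAFES, inv))
```

The search is exhaustive over location subsets, which is fine for a handful of devices; the point is that backups count as locations, so the inventory has to include them.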
The project acknowledged that several important questions remain unanswered.
Investigators are still attempting to determine:
- When the initial compromise occurred
- How the malware was installed
- How long the attacker maintained access
- When the private keys were first extracted
- Whether additional systems were affected
At this stage, the exact timeline leading up to the attack remains unclear.
Token Price Suffers Heavy Damage
The exploit had an immediate impact on market sentiment.
Following news of the attack, H experienced a dramatic selloff as investors reacted to the unauthorized token creation and bridge compromise.
The token later recovered partially: trading data showed H changing hands near $0.163 on June 10, a gain of approximately 23.7% over the previous 24 hours.
Despite that rebound, the token remained down more than 74% over the preceding week, illustrating the lasting impact of the incident on investor confidence.
Recovery Challenges Remain
Humanity Protocol acknowledged that recovering the Ethereum bridge assets may be possible under certain circumstances.
However, the situation on BNB Smart Chain appears considerably more complicated.
According to the report, the attacker continues to control the compromised ProxyAdmin contract responsible for the token.
As long as the attacker retains administrative control, additional unauthorized minting remains possible.
This creates an ongoing risk for the token ecosystem and complicates recovery efforts.
Project Launches Response Measures
In response to the attack, Humanity Protocol has implemented several emergency measures.
The team has:
- Suspended deposits and withdrawals through affected bridges
- Launched a public recovery tracker
- Continued forensic investigations
- Offered a $1 million USDT bounty for information leading to asset recovery
The project also stated that any recovered funds would be used to repurchase H tokens from the market, potentially helping stabilize supply and restore confidence.
Broader Lessons for Crypto Security
The incident serves as another reminder that many of the most damaging crypto attacks do not originate from flaws in blockchain code.
Instead, attackers increasingly target operational security, employee devices, private key management, and administrative systems.
Even well-designed smart contracts can become vulnerable when privileged credentials fall into the wrong hands.
As institutional adoption grows and protocols manage increasingly large pools of value, operational security practices are becoming just as important as smart contract audits.
Looking Ahead
Humanity Protocol now faces the difficult task of rebuilding trust while continuing efforts to recover assets and secure its infrastructure.
The investigation suggests the breach resulted from compromised private keys rather than weaknesses in the protocol’s core technology. Nevertheless, the scale of the attack has exposed significant operational vulnerabilities that will likely require substantial changes to key management procedures.
For investors and users, attention will remain focused on the project’s recovery efforts, the status of the compromised contracts, and whether any of the stolen assets can ultimately be recovered.
Until more clarity emerges, the incident will stand as one of the most notable examples of how a single compromised device can create systemic risk across an entire blockchain ecosystem.