
Humanity Protocol Hack: How One Infected Device Handed an Attacker Seven Private Keys

2026/06/10 19:06

TLDR:

  • One compromised developer machine exposed seven private keys tied to Humanity Protocol’s infrastructure.
  • The attacker drained 141M H from the ETH bridge and minted 300M H on BSC using stolen Safe owner keys.
  • No smart contract bug was involved — every attacker action used legitimate, compromised private keys.
  • The BSC H token remains unrecoverable as the attacker still controls the ProxyAdmin and can mint freely.

Humanity Protocol confirmed on June 9, 2026, that a single compromised developer machine was the source of a coordinated cross-chain attack.

An attacker obtained seven private keys from one infected device, enabling unauthorized control over critical protocol infrastructure on both Ethereum and BNB Chain.

The incident resulted in losses exceeding $31 million and a near-total collapse of the H token’s market value.

One Device, Full Protocol Access

The investigation confirmed that a developer’s machine was infected with malware, giving the attacker complete root access.

During the Humanity Protocol mainnet launch in approximately June 2025, several private keys were inadvertently backed up to that same device.

Those keys included the admin hot wallet key, three ETH Safe owner keys, and three BSC Safe owner keys — seven in total, all stored on one machine.

Founder Terence Kwok acknowledged the breach publicly, stating: “We’ve detected a security incident involving the compromise of private keys belonging to a member of the Humanity Foundation. As a precaution, please do not interact with the bridge or any liquidity pools until we confirm it’s safe.” The team added it was already working with security experts at the time of that statement.

Because all seven keys resided on one device, a single point of compromise handed the attacker full operational control. The attack was not the result of a smart contract bug.
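The co-location problem described above can be checked mechanically from a key inventory. The following is an added example, not code from Humanity Protocol or the investigation report; the inventory, device names, Safe names and the threshold of 3 are assumptions, and only the 4-of-7 figure comes from the article.

```python
from itertools import combinations

# Constructed inventory, not data from the incident report: key label -> every
# device holding a copy. "dev-laptop" stands in for the developer machine.
KEY_LOCATIONS = {}
for i in (1, 2, 3):
    KEY_LOCATIONS[f"eth-owner-{i}"] = {f"hw-eth-{i}", "dev-laptop"}
    KEY_LOCATIONS[f"bsc-owner-{i}"] = {f"hw-bsc-{i}", "dev-laptop"}
for i in range(1, 8):
    KEY_LOCATIONS[f"token-owner-{i}"] = {f"hw-token-{i}"}

# Safe name -> (owner key labels, signatures required).
SAFES = {
    # Threshold 3 is an assumption; the article only says three keys sufficed.
    "eth-bridge-admin": ([f"eth-owner-{i}" for i in (1, 2, 3)], 3),
    "bsc-admin": ([f"bsc-owner-{i}" for i in (1, 2, 3)], 3),
    # 4-of-7 is the figure the article gives for the Safe that stayed clean.
    "eth-token-admin": ([f"token-owner-{i}" for i in range(1, 8)], 4),
}

def min_compromise_set(owners, threshold, key_locations):
    """Smallest device set whose stored keys meet the threshold, or None."""
    devices = sorted({d for k in owners for d in key_locations.get(k, ())})
    for size in range(1, len(devices) + 1):
        for combo in combinations(devices, size):
            exposed = [k for k in owners if key_locations.get(k, set()) & set(combo)]
            if len(exposed) >= threshold:
                return set(combo), exposed
    return None

def audit(safes, key_locations):
    """Safe name -> devices an attacker must compromise (None if unreachable)."""
    report = {}
    for name, (owners, threshold) in safes.items():
        hit = min_compromise_set(owners, threshold, key_locations)
        report[name] = len(hit[0]) if hit else None
    return report

if __name__ == "__main__":
    for name, n in audit(SAFES, KEY_LOCATIONS).items():
        flag = "  <-- single point of compromise" if n == 1 else ""
        print(f"{name}: {n} device(s){flag}")
```

A result of 1 means the multisig threshold gives no protection against the loss of that one device, whatever the nominal M-of-N setting is.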

Every transfer, Safe transaction, and proxy upgrade the attacker executed used legitimate credentials, making early on-chain detection nearly impossible.

Three Attack Vectors, One Stolen Key Set

The first attack began on June 8, 2026, when the attacker used the compromised admin hot wallet key to transfer 6,045,060 H tokens directly to an aggregation wallet on Ethereum. That transaction required no contract interaction — just a stolen key and a direct outbound transfer.

The second vector followed hours later. Using three of the six stolen ETH Safe owner keys, the attacker assembled an offline Safe transaction and transferred Bridge ProxyAdmin ownership to their own wallet.

They then upgraded the bridge contract to a malicious implementation and swept 141,182,632 H in a single transaction. The entire ETH bridge lockbox was drained within minutes of the ProxyAdmin transfer.

The third vector targeted BNB Chain. Three BSC Safe owner keys, a completely separate set from the compromised ETH keys, were also stored on the same device.

The attacker used those keys to seize the BSC ProxyAdmin by the same method, then called mint() three times, producing 100 million H per transaction.

On-chain analyst Specter flagged the early stages of the attack on X, writing: “It appears that wallets linked to, or that have interacted with, @Humanityprot are being compromised. So far, more than 17 wallets holding $H tokens have been drained, resulting in total losses exceeding $5 million.”

Total BSC mints ultimately reached 300 million H, pushing the pre-attack supply of 141 million to 441 million — a 213% increase.
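The ProxyAdmin handovers, the bridge upgrade and the mints described above were validly signed, so a monitor has to compare on-chain admin events against an allowlist rather than look for failed or malformed calls. The following is an added example, not the project's tooling: it assumes OpenZeppelin-style `OwnershipTransferred`, ERC-1967 `Upgraded` and ERC-20 `Transfer` events and 18 token decimals, and all addresses and log entries are constructed.

```python
# topic0 of the standard events (OpenZeppelin Ownable, ERC-1967, ERC-20).
OWNERSHIP_TRANSFERRED = "0x8be0079c531659141344cd1fd0a4f28419497f9722a3daafe3b4186f6b6457e0"
UPGRADED = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"
TRANSFER = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
ZERO = "0x" + "0" * 40

# Constructed placeholder addresses, not the real contracts or wallets.
PROXY_ADMIN, BRIDGE, TOKEN = ("0x" + b * 20 for b in ("a1", "b2", "c3"))
SAFE, GOOD_IMPL, ROGUE = ("0x" + b * 20 for b in ("d4", "e5", "ee"))

def pad(address):
    """Encode an address as a 32-byte indexed topic."""
    return "0x" + "0" * 24 + address[2:]

def addr(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20."""
    return "0x" + topic[-40:].lower()

# Per-contract allowlist: approved owners or implementations, mint alert level.
POLICY = {
    PROXY_ADMIN: {"approved": {SAFE}},
    BRIDGE: {"approved": {GOOD_IMPL}},
    TOKEN: {"approved": set(), "mint_alert": 1_000_000},
}

def classify(log, policy):
    """Return an alert string for one eth_getLogs-style entry, or None."""
    rule = policy.get(log["address"].lower())
    if rule is None:
        return None
    t = log["topics"]
    if t[0] == OWNERSHIP_TRANSFERRED and addr(t[2]) not in rule["approved"]:
        return "owner changed to unapproved " + addr(t[2])
    if t[0] == UPGRADED and addr(t[1]) not in rule["approved"]:
        return "upgraded to unapproved implementation " + addr(t[1])
    if t[0] == TRANSFER and addr(t[1]) == ZERO:  # a mint is a transfer from zero
        amount = int(log["data"], 16) // 10**18  # assumes 18 decimals
        if amount >= rule.get("mint_alert", 0):
            return f"mint of {amount} tokens"
    return None

def scan(logs, policy):
    return [a for a in (classify(entry, policy) for entry in logs) if a]

SAMPLE_LOGS = [  # constructed; amounts mirror the 100M-per-mint figure
    {"address": PROXY_ADMIN, "topics": [OWNERSHIP_TRANSFERRED, pad(SAFE), pad(ROGUE)], "data": "0x"},
    {"address": BRIDGE, "topics": [UPGRADED, pad(ROGUE)], "data": "0x"},
    {"address": TOKEN, "topics": [TRANSFER, pad(ZERO), pad(ROGUE)], "data": hex(100_000_000 * 10**18)},
    {"address": TOKEN, "topics": [TRANSFER, pad(SAFE), pad(GOOD_IMPL)], "data": hex(5 * 10**18)},
    {"address": BRIDGE, "topics": [UPGRADED, pad(GOOD_IMPL)], "data": "0x"},
]
```

An alert on the first entry type matters most, because the ownership change comes before the upgrade or mint it enables.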

What Was Saved and What Remains at Risk

Not all protocol infrastructure was affected. The ETH H token contract remained untouched throughout the attack, as its ProxyAdmin was controlled by a clean 4-of-7 Safe.

On June 9, that Safe successfully froze the ETH H token by upgrading it to an implementation that blocks all transfers. The canonical Arbitrum bridge, holding approximately 87 million H, also remained unaffected.

However, the ETH bridge and the BSC H token contract remain fully under attacker control. The BSC ProxyAdmin has not been recovered, and the attacker retains the ability to mint additional H tokens at any time. Around 21.74 million H also remained in the aggregation wallet as of June 9, pending liquidation.

The Humanity Protocol private key compromise reflects a human and operational security failure. The investigation report stated the attack “was made possible entirely by key compromise resulting from inadequate key storage practices,” noting that production-grade signing keys were backed up to a general-purpose development machine rather than isolated hardware.

The attack may have been planned well in advance, as the attacker held all seven keys before executing coordinated moves across two chains within a 15-hour window.

The post Humanity Protocol Hack: How One Infected Device Handed an Attacker Seven Private Keys appeared first on Blockonomi.
