USDHumanity Protocol Says $36M Lost in Private-Key Exploit
H Token Crashes After Cross-Chain Attack
TL;DR
- Humanity Protocol said attackers stole about $36 million across Ethereum and BSC on June 8, 2026.
- The project linked the exploit to compromised private keys tied to a Humanity Foundation member.
- H fell as much as 90% after attackers allegedly drained and minted tokens.
Trade smarter on Jupiter, Solana’s leading DEX built for fast execution and deep liquidity.
Swap tokens at competitive rates, route across multiple liquidity sources automatically, and access perpetuals, DCA, and advanced trading tools — all in one place!
Humanity Protocol said its H token was hit by a coordinated Ethereum and BSC attack on June 8, 2026, with about $36 million or more stolen after private keys tied to a Humanity Foundation member were compromised.
Humanity Protocol described the incident as a cross-chain attack affecting the H token and said it had halted deposits and withdrawals to affected bridges. The project said it was working with security experts, exchanges and police while investigating the exploit and preparing a post-mortem.
“Last night, June 8, the H token was hit by a coordinated attack across Ethereum and BSC. While we’re still investigating this incident, we want to be transparent with our community about what happened. As of right now, ~$36M+ has been stolen across both chains…” Humanity Protocol said.
Founder Terence Kwok said the incident involved “the compromise of private keys belonging to a member of the Humanity Foundation.” Kwok also warned users: “As a precaution, please do not interact with the bridge or any liquidity pools until we confirm it’s safe.”
Compromised Keys Allegedly Enabled Admin Control
The exploit reportedly involved the compromise of three of six Gnosis Safe keys on Ethereum and three of five Gnosis Safe keys on BSC. Those keys allegedly allowed attackers to seize ProxyAdmin control, giving them the ability to make malicious contract upgrades rather than only drain a normal wallet.
Attackers reportedly drained about 141.2 million H tokens and minted another 200,000,005 H tokens through malicious contract upgrades, according to Humanity Protocol’s incident explanation.
Meir Dolev, co-founder and CTO at blockchain security platform Cyvers, said the attacker used the mint function to create 100 million new H worth about $12.9 million, then swapped stolen and minted tokens into ETH and BNB. The attacker reportedly obtained 18,510 ETH, valued around $30.83 million, plus 1,548 BNB, valued near $924,000, according to analytics firm Lookonchain.
About $23.7 million of stolen value was reportedly swapped into ETH shortly after the exploit. Around $7.9 million reportedly remained parked in H tokens while the token price collapsed. The attacker was also reported to still hold around 111 million H, valued at roughly $14 million at depressed prices.
Onchain liquidity was described as nearly exhausted, limiting the attacker’s ability to fully exit the remaining H position without further damaging the market.
We’ve launched the all-new COIN360 Perp DEX, built for traders who move fast!
Trade 130+ assets with up to 100× leverage, enjoy instant order placement and low-slippage swaps, and earn USDC passive yield while climbing the leaderboard. Your trades deserve more than speed — they deserve mastery.
H Token Falls Sharply After Exploit
The H token collapsed after the exploit, with a reported decline of up to 90% within a week since its all-time high. According to COIN360 data, H fell from $0.73132 on Monday to a Tuesday morning low of $0.079606, an 89% crash, before recovering. Before the price fallout, H had traded near an all-time high of roughly $0.80.
The exploit occurred shortly before a scheduled token unlock. Humanity Protocol was due to unlock 266.5 million H on June 25, 2026. That unlock represented about 9.4% of released supply and was worth roughly $33 million at pre-crash prices.
Researchers Question Key Management and Market Structure
ZachXBT initially questioned the official explanation and said the incident seemed “possibly staged.” ZachXBT said he was “not buying the team’s story” and described the incident as “a convenient way for the active market maker to have exited.”
ZachXBT also accused the team of choosing to “crime pump your token for weeks with zero fundamentals” and demanded that Humanity Protocol disclose its “active MM agreements with the HK entity first.”
ZachXBT later revised the initial suspicion, saying: “After further analysis of the laundering, it seems the sketchy MM / OTC & private key compromise are independent of one another and not related.”
Humanity Protocol had not publicly addressed ZachXBT’s specific market-maker allegations in the available material.
Project Background and Remaining Questions
Humanity Protocol is described as a decentralized identity or identity-verification network and as a zero-knowledge Layer-2 blockchain focused on decentralized identity. Its identity model centers on “Proof of Humanity” and uses palm scans to verify users.
The project reportedly raised $50 million in VC-backed rounds and reached a valuation of $1.1 billion. Pantera Capital was described as the main backer of the project’s second strategic funding round of $20 million. Animoca Brands reportedly supported the seed round.
Humanity Protocol had been operating since 2024. The H token is said to have depended heavily on centralized exchange liquidity, with Gate and Bybit still providing liquidity.
The exploit occurred during a broader period of crypto security losses. More than $885 million had been lost to DeFi hacks in the first six months of 2026, according to DeFiLlama data, with hacks and exploits taking more than $1.47 billion from protocols over the past year.
FAQ
What caused the Humanity Protocol exploit?
Humanity Protocol linked it to compromised private keys tied to a Humanity Foundation member.
How much was stolen?
Reported estimates ranged from $31 million to $36 million+.
Did ZachXBT prove the exploit was staged?
No. ZachXBT later said market-maker concerns and the key compromise appeared independent.
What did Humanity Protocol ask users to do?
Terence Kwok told users not to interact with bridges or liquidity pools.
This article has been refined and enhanced by ChatGPT.
