Palm Reading Gone Wrong: Humanity Protocol's H Token Drops 85% in $30M Private Key Heist 🖐️

The Humanity Protocol, a Proof of Humanity project using privacy-preserving palm biometrics and a zkEVM blockchain, suffered a private key compromise on Tuesday that drained more than $30 million and sent the price of its H token tumbling 85%, from around $0.70 to $0.08, according to CoinGecko. Onchain investigator Specter reported that wallets linked to or interacting with the project were compromised in an ongoing attack, with Arkham Intelligence confirming the figure and tracking the exploiter as it swapped stolen H tokens through Kyber Network, PancakeSwap and other DEXes.

Humanity Protocol founder and CEO Terence Kwok confirmed the incident in a public statement, saying: "We've detected a security incident involving the compromise of private keys belonging to a member of the Humanity Foundation." Kwok advised users not to interact with the bridge or any liquidity pools until it has been deemed safe, and said the team was working with security experts, though he did not provide further details at the time. The Humanity Protocol account later reiterated the warning, telling users "please do NOT interact with" the affected systems, noting the team was coordinating with security experts and exchange partners to assess the scope of the incident.

Earlier reporting described losses as a 90% crash in the H token, with attackers said to be minting additional 100 million H tokens and swapping them for ETH and BNB; CoinGecko data placed the later decline at 85%.

Private key and wallet compromises have been a recurring attack vector this year, including the April Drift Protocol exploit in which attackers affiliated with the North Korean Lazarus Group gained control of security council admin keys, resulting in a loss of $280 million. Other recent incidents cited in industry reporting include Step Finance, Resolv, Volo Vault, Echo Bridge, Bankr, Polymarket, StablR, Stake DAO, Gravity Bridge, and Aelphium Bridge. According to CertiK, wallet or private key compromises were the second-most costly attack vector in May, with $13.7 million stolen, underscoring the ongoing operational risk facing projects that rely on multisig and admin key structures.