Palm Reading Gone Wrong: Humanity Protocol's H Token Loses Its Grip in $36M Private Key Heist
Humanity Protocol disclosed Tuesday that more than $36 million in H tokens was stolen across Ethereum and BNB Chain after attackers compromised private keys tied to a Humanity Foundation member's laptop, sending the project's native token crashing more than 85% within hours. Founder and CEO Terence Kwok confirmed the incident in a public statement, saying, "We've detected a security incident involving the compromise of private keys belonging to a member of the Humanity Foundation." Kwok advised users not to interact with the protocol's bridge or any liquidity pools until the team confirms they are safe.
According to a detailed thread from the project, the Monday attack began when three of six Gnosis Safe owner keys on Ethereum and three of five on BSC were compromised, giving the attackers ProxyAdmin control over both bridges. On Ethereum, the attacker drained approximately 141.2 million H tokens from bridge contracts that had been swapped to malicious versions. On BSC, the attacker added a mint function and created roughly 200 million H tokens, of which 200,000,005 were sent directly to their own wallet. Kwok told Cointelegraph that the project's multisignature setup involved four individuals and that some keys "were accidentally backed up to a compromised device" during the configuration process, adding that Humanity uses "a licensed custodian for the majority of token treasury" and MPC for its operations treasury.
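The failure described above, several Safe owner keys reachable from one device, can be checked for in a custody inventory. The following is an added example, not code from Humanity Protocol or the article; the owner and device names are constructed, and the signing threshold of 3 is an assumption (the article states only how many keys were compromised).

```python
from itertools import combinations

def keys_exposed(custody, devices):
    """Owner keys whose material (primary or backup copy) sits on any of `devices`."""
    wanted = set(devices)
    return {owner for owner, locations in custody.items() if locations & wanted}

def audit_safe(custody, threshold):
    """Return (devices that alone reach the threshold, fewest devices needed to reach it)."""
    all_devices = sorted(set().union(*custody.values()))
    single = {}
    for device in all_devices:
        owners = sorted(keys_exposed(custody, [device]))
        if len(owners) >= threshold:
            single[device] = owners
    # Smallest number of devices an intruder must control to sign as the Safe.
    for n in range(1, len(all_devices) + 1):
        for combo in combinations(all_devices, n):
            if len(keys_exposed(custody, combo)) >= threshold:
                return single, n
    return single, None

THRESHOLD = 3  # assumed signing threshold for a six-owner Safe

# Constructed inventory: three owner keys were also backed up to one laptop.
custody_before = {
    "owner1": {"hw-wallet-1", "laptop-1"},
    "owner2": {"hw-wallet-2", "laptop-1"},
    "owner3": {"hw-wallet-3", "laptop-1"},
    "owner4": {"hw-wallet-4"},
    "owner5": {"hw-wallet-5"},
    "owner6": {"hw-wallet-6"},
}
# Same owners once the laptop copies are removed and the keys rotated.
custody_after = {owner: locs - {"laptop-1"} for owner, locs in custody_before.items()}

if __name__ == "__main__":
    for label, custody in (("before", custody_before), ("after", custody_after)):
        single, fewest = audit_safe(custody, THRESHOLD)
        print(f"{label}: single-device breaches={single} fewest devices={fewest}")
```

A result of 1 for the fewest devices means the multisig gives no more protection than a single key stored on that device.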
On-chain investigator Specter first flagged the exploit, reporting that more than 17 wallets holding H were drained, with early losses exceeding $5 million before climbing above $30 million and ultimately surpassing $36 million. Arkham Intelligence confirmed the more than $30 million figure and reported the exploiter was swapping H tokens through Kyber Network and PancakeSwap, among other decentralized exchanges. The H token fell from highs of $0.73132 on Monday to a Tuesday morning low of $0.079606, an 89% drop, and was trading near $0.20, down 73% on the day, according to CoinGecko data.
The protocol said it has halted deposits and withdrawals to the affected bridges and is working with exchanges, security firms, and law enforcement to investigate and pursue recovery. "People in this community worked hard for what they hold here, and we feel the weight of that," the project wrote in its update, promising a full post-mortem. Meir Dolev, co-founder and CTO at Cyvers, characterized the incident to Decrypt as "an operational security failure, not a smart-contract bug," noting the attacker gained admin access through compromised keys rather than a flaw in the code.
The breach extends one of the worst stretches on record for DeFi security, with more than $885 million lost to DeFi hacks in the first six months of 2026, according to DeFiLlama data. Humanity Protocol, a zero-knowledge Layer-2 blockchain focused on decentralized identity, verifies users through palm scans as part of its "Proof of Humanity" system, in contrast to iris- or face-based designs. The incident adds to a string of high-profile private-key compromises this year, including the April Drift Protocol exploit attributed to the North Korean Lazarus Group, which resulted in $280 million in losses.