Humanity Protocol loses $36M after a laptop picked the wrong backup plan 💻🔑

Humanity Protocol said on Tuesday that an attacker compromised a developer's laptop and stole at least seven production private keys, seizing control of the project's bridge infrastructure on Ethereum and BNB Chain and draining more than $36 million in H tokens. The exploit, which the team says began on June 8, marks one of the largest DeFi incidents of the month and sent the H token plunging as much as 90% in 24 hours, according to CoinGecko.

The protocol traced the attack to a malware-infected device where bridge administrative keys had been backed up, saying three of six Gnosis Safe owner keys on Ethereum and three of five on BSC were compromised. Attackers used the keys to take over ProxyAdmin permissions, swapped the bridge contracts for malicious versions, drained about 141.2 million H on Ethereum, and minted 200,000,005 H directly to their own wallet on BSC through an added mint function, according to the project's incident report. Onchain investigator Specter said more than 17 wallets holding H were drained, with early losses above $5 million before rising past $30 million, while Arkham Intelligence reported the exploiter was swapping H through Kyber Network, PancakeSwap and other DEXes.

Humanity founder and CEO Terence Kwok confirmed the breach in a Tuesday statement, saying, "We've detected a security incident involving the compromise of private keys belonging to a member of the Humanity Foundation," and advised users not to interact with the bridge or any liquidity pools until the team deems them safe. In a separate update, the project wrote that it had halted deposits and withdrawals to the affected bridges and was working with exchanges and law enforcement, noting, "People in this community worked hard for what they hold here, and we feel the weight of that." Kwok later told Cointelegraph that the project used multisignature controls spread across four individuals but said "some of the keys were accidentally backed up to a compromised device."
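
The custody failure described above, where several multisig owner keys ended up on one backed-up device, can be checked for ahead of time by counting how many devices an attacker must compromise to reach the signing threshold. The following Python sketch is an added example, not code from Humanity Protocol or its incident report; the inventory, device names and the threshold of 3 are constructed assumptions.

```python
from itertools import combinations

# Constructed inventory (not from the incident report): every place a copy of
# each Safe owner key lives, including backups. All names are hypothetical.
KEY_LOCATIONS = {
    "owner1": {"hsm-a"},
    "owner2": {"hw-wallet-b", "dev-laptop"},
    "owner3": {"hw-wallet-c", "dev-laptop"},
    "owner4": {"hw-wallet-d", "dev-laptop"},
    "owner5": {"hsm-e"},
    "owner6": {"hw-wallet-f"},
}
THRESHOLD = 3  # assumed signing threshold; the page does not state it


def keys_exposed(devices, key_locations):
    """Owner keys an attacker holds after compromising every device in `devices`."""
    return {k for k, locs in key_locations.items() if locs & set(devices)}


def min_devices_to_threshold(key_locations, threshold):
    """Smallest device sets whose compromise yields >= threshold owner keys.

    Returns (size, [device sets]); size is None if the threshold is unreachable.
    """
    devices = sorted(set().union(*key_locations.values()))
    for size in range(1, len(devices) + 1):
        hits = [set(c) for c in combinations(devices, size)
                if len(keys_exposed(c, key_locations)) >= threshold]
        if hits:
            return size, hits
    return None, []


def audit(key_locations, threshold):
    """Summarise custody independence for one Safe."""
    size, sets = min_devices_to_threshold(key_locations, threshold)
    return {
        "nominal_threshold": threshold,
        "effective_threshold": size,  # devices an attacker actually needs
        "critical_device_sets": sets,
        "independent": size is not None and size >= threshold,
    }


if __name__ == "__main__":
    print(audit(KEY_LOCATIONS, THRESHOLD))
```

An effective threshold below the nominal one means backups or shared devices have collapsed the multisig; in the constructed inventory a 3-of-6 Safe is effectively 1-of-1 on `dev-laptop`.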

The H token traded near $0.08 on Tuesday after falling from roughly $0.70 the prior day, dropping 85% in 12 hours and as much as 89% from a Monday high of $0.73132, per CoinGecko. H is currently trading near $0.20, down 73% on the day, erasing much of a rally that pushed the token close to its all-time high of $0.80 a week earlier. The project is built on a zkEVM-based Layer-2 blockchain focused on decentralized identity and uses privacy-preserving palm biometrics for its "Proof of Humanity" system.

Meir Dolev, co-founder and CTO at blockchain security platform Cyvers, called the incident "an operational security failure, not a smart-contract bug," pointing to the attacker gaining admin access through a private key tied to a Humanity Foundation member. Hakan Unal, senior security operations lead at Cyvers, told Cointelegraph that onchain patterns can look similar whether a breach is genuine or staged because the attacker holds legitimate admin rights in both cases, with surrounding behavior such as rushed swaps, mixer use, and insider timing helping distinguish them. Onchain investigator ZachXBT initially questioned Humanity's market-making and OTC activity before later saying further analysis showed the "private key compromise" and "sketchy MM / OTC" activity appeared "independent of one another and not related." The breach extends one of the worst stretches on record for DeFi security, with DeFiLlama data showing more than $885 million lost to DeFi hacks in the first six months of 2026, including this year's $280 million Drift Protocol exploit attributed to the North Korean Lazarus Group.

Publisher: cryptonewsroom.xyz
Category: Security
