Verify a decision

{"actor":"system:backfill","investigation_id":"9036638e-8304-41ba-bdbc-09125d2624e9","kind":"publish","page_slug":"humanity-protocol-june-2026-exploit","published_at":"2026-06-15T23:04:55.178Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Humanity Protocol June 2026 Exploit","sections":[{"content":"On June 8-9, 2026, Humanity Protocol's cross-chain infrastructure was compromised in a coordinated attack targeting its bridge administration systems on both Ethereum and BNB Smart Chain. Attackers obtained seven private keys — one admin hot wallet key, three Ethereum Gnosis Safe owner keys, and three BNB Chain Gnosis Safe owner keys — all of which had been stored on a single developer machine that was later confirmed to have been infected with malware. The project characterized the incident as a 'keys, not code' failure: all attacker actions used legitimately authorized private keys rather than exploiting vulnerabilities in smart contract logic. Approximately 447 million H tokens were stolen or unauthorized-minted in total across both chains. Initial reports valued losses at $32 million, while later post-mortem reporting placed the figure above $36 million.","heading":"Incident Overview","severity":"critical","sources":[{"credibility":1,"name":"Humanity Protocol token crashes more than 80% after a $32 million private-key hack — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/06/09/humanity-protocol-token-crashes-more-than-80-after-a-usd32-million-private-key-hack"},{"credibility":2,"name":"Humanity Protocol says attacker stole seven keys from one device — crypto.news","type":"news_article","url":"https://crypto.news/humanity-protocol-says-attacker-stole-seven-keys-from-one-device/"},{"credibility":2,"name":"One Laptop, $36 Million, and a Token Collapse: Inside the Humanity Protocol Exploit — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/10/one-laptop-36-million-and-a-token-collapse-inside-the-humanity-protocol-exploit/"}]},{"content":"The post-mortem identified three distinct breach vectors. First, attackers stole the private key to an admin hot wallet on Ethereum, enabling the direct theft of approximately 6 million H tokens. Second, with three of six Gnosis Safe owner keys compromised on Ethereum, attackers obtained the threshold signatures required to transfer ProxyAdmin ownership of the Hyperlane bridge contract to an attacker-controlled address, then upgraded the bridge to a malicious implementation and drained approximately 141 million H tokens in a single transaction. Third, on BNB Smart Chain, attackers compromised three of five Gnosis Safe owner keys, seized ProxyAdmin control of the token contract, and executed multiple unauthorized mints totaling approximately 300 million H tokens. The project confirmed no smart contract vulnerabilities were exploited; the Gnosis Safe architecture and bridge contracts themselves functioned as designed. Security researcher Meir Dolev characterized the incident as 'an operational security failure, not a smart-contract bug.' The root cause was an unnamed developer who stored backups of all seven keys on a single machine that became infected with malware of an unspecified type, giving attackers root-level access.","heading":"Technical Attack Vectors","severity":"critical","sources":[{"credibility":2,"name":"Three Breach Vectors, 447M Tokens: Humanity Protocol Details $H Exploit — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/09/three-breach-vectors-447m-tokens-humanity-protocol-details-h-exploit/"},{"credibility":2,"name":"Humanity founder reveals employee laptop breach behind $36M exploit — crypto.news","type":"news_article","url":"https://crypto.news/humanity-founder-reveals-employee-laptop-breach-behind-36m-exploit/"},{"credibility":1,"name":"Humanity Protocol Loses $36M After Private Keys Compromised, Token Crashes 73% — Decrypt","type":"news_article","url":"https://decrypt.co/370485/humanity-protocol-loses-36m-after-private-keys-compromised-token-crashes-73"}]},{"content":"The H token had reached an all-time high of approximately $0.67-$0.85 in the days preceding the exploit, driven by a 31% surge on May 30 and a roughly 61% rally on June 1, 2026. Within hours of the exploit becoming public on June 9, the token collapsed from approximately $0.67-$0.73 to intraday lows near $0.05-$0.08, representing a drawdown of 87-93%. Approximately $23.7 million of the stolen H tokens were converted to Ethereum by attackers during the dumping phase, with the remainder held or transferred. The token partially recovered to trade near $0.20 in the days following the incident but remained down approximately 73% from pre-exploit levels. Market analysts flagged a further 266.5 million H token unlock scheduled for June 25, 2026, representing approximately 2.7% of total supply, as compounding downside pressure against the backdrop of an estimated 300 million unauthorized tokens already minted by the attacker.","heading":"Token Price Impact","severity":"critical","sources":[{"credibility":1,"name":"Humanity Protocol token crashes more than 80% after a $32 million private-key hack — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/06/09/humanity-protocol-token-crashes-more-than-80-after-a-usd32-million-private-key-hack"},{"credibility":3,"name":"Humanity Token Faces Critical Test: June 25 Unlock — CoinGabbar","type":"news_article","url":"https://www.coingabbar.com/en/price-prediction/humanity-price-prediction-hack-90percent-crash-june-25-unlock"},{"credibility":2,"name":"Humanity Protocol Token H Crashes 82% After $32M Hack — Bitcoin Foundation News","type":"news_article","url":"https://bitcoinfoundation.org/news/crimes-and-fraud-news/humanity-protocol-hacked/"}]},{"content":"Blockchain investigator ZachXBT posted publicly on June 9, 2026, alleging the incident was 'possibly staged,' writing: 'I am not buying the team's story. It's a convenient way for the active MM to have exited.' He alleged the project had engaged in 'crime pump' activity — artificially inflating the H token price for weeks with 'zero fundamentals' — before the exploit provided exit liquidity. ZachXBT also demanded disclosure of 'active MM agreements with the HK entity' before accepting the official narrative. Supporting analysis from on-chain analyst Elton documented that attacker wallets were created and funded from exchanges and mixers in late April and May 2026, weeks before the exploit, suggesting premeditation. Additional red flags cited included: the minting authority used to create unauthorized H tokens appeared to have been 'warmed up' in advance; stolen H tokens were sold exclusively through decentralized exchanges including Kyber Network and PancakeSwap rather than through centralized venues — a pattern atypical of opportunistic hacks; and the dumps were coordinated simultaneously across two blockchains. In a subsequent update, however, ZachXBT revised his assessment after examining laundering patterns, stating: 'I thought that initially due to the active MM and recent OTC before unlocks however the evidence shared points to otherwise.' He concluded that 'the sketchy MM/OTC and private key compromise are independent of one another and not related,' suggesting external hackers benefited from an artificially elevated token price rather than the team orchestrating the breach. The pre-exploit market-making activity and investor vesting restructuring remain unresolved reputational concerns independent of the security incident.","heading":"Staging Allegations and ZachXBT Investigation","severity":"high","sources":[{"credibility":2,"name":"ZachXBT Calls $32M Humanity Protocol Hack 'Possibly Staged,' $H Crashes 86% — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/09/zachxbt-calls-32m-humanity-protocol-hack-possibly-staged-h-crashes-86/"},{"credibility":2,"name":"ZachXBT rules out insider theft in Humanity Protocol's $31M exploit — crypto.news","type":"news_article","url":"https://crypto.news/zachxbt-rules-out-insider-theft-in-humanity-protocols-31m-exploit/"},{"credibility":2,"name":"Is Humanity Protocol's $32M Hack an Exit Scam? What ZachXBT's Investigation Reveals — Memeburn","type":"news_article","url":"https://memeburn.com/is-humanity-protocols-32m-hack-an-exit-scam-what-zachxbts-investigation-reveals/"},{"credibility":2,"name":"Humanity Protocol Loses $32M in Private Key Hack as ZachXBT Calls Incident 'Possibly Staged' — news.bitcoin.com","type":"news_article","url":"https://news.bitcoin.com/humanity-protocol-exploit-zachxbt-staged/"},{"credibility":2,"name":"ZachXBT Says Humanity Crypto $32M Hack Looks 'Possibly Staged' — The Tokenist","type":"news_article","url":"https://tokenist.com/zachxbt-humanity-crypto-protocol-hack-crypto-etf-risk/"}]},{"content":"In the period leading up to the exploit, Humanity Protocol allegedly pressured over 100 investors holding vesting positions into accepting one of two options: an immediate payout at a 70% discount to current price, or an extension of their vesting schedule by three additional years. This restructuring preceded both the exploit and the June 25, 2026 scheduled token unlock of 266.5 million H tokens. ZachXBT cited this pre-exploit OTC and vesting activity as among the factors initially suggesting insider coordination, though he later separated these events from the security breach itself. The 70% discount offer and forced election among investors remains a distinct reputational concern that Humanity Protocol had not publicly addressed in detail as of available reporting.","heading":"Investor Vesting Restructuring","severity":"high","sources":[{"credibility":3,"name":"Humanity Token Faces Critical Test: June 25 Unlock — CoinGabbar","type":"news_article","url":"https://www.coingabbar.com/en/price-prediction/humanity-price-prediction-hack-90percent-crash-june-25-unlock"},{"credibility":2,"name":"ZachXBT rules out insider theft in Humanity Protocol's $31M exploit — crypto.news","type":"news_article","url":"https://crypto.news/zachxbt-rules-out-insider-theft-in-humanity-protocols-31m-exploit/"}]},{"content":"Humanity Protocol founder and CEO Terence Kwok confirmed the breach publicly and advised users: 'do not interact with the bridge or any liquidity pools until we confirm it's safe.' The project halted bridge deposits and withdrawals, coordinated with centralized exchanges and law enforcement, and stated a police investigation was underway. Humanity Protocol announced a $1 million USDT bounty for information leading to the recovery of stolen funds, and launched a real-time tracker of exploiter wallet addresses and downstream fund transfers, sharing this intelligence with exchanges and data aggregators. The project stated that any successfully recovered funds would be used to repurchase H tokens on the open market. A formal compensation plan for affected users had not been released as of the reporting period. The project had not publicly disclosed the identity of the employee whose laptop was compromised, the specific malware involved, or when the initial device compromise occurred relative to the June 8 exploit date.","heading":"Team Response and Recovery Efforts","severity":"medium","sources":[{"credibility":2,"name":"Humanity founder reveals employee laptop breach behind $36M exploit — crypto.news","type":"news_article","url":"https://crypto.news/humanity-founder-reveals-employee-laptop-breach-behind-36m-exploit/"},{"credibility":3,"name":"Humanity Offers $1M USDT Bounty For Tips Leading To Hack Recovery — BitcoinWorld","type":"news_article","url":"https://bitcoinworld.co.in/humanity-1m-usdt-bounty-hack-recovery/"},{"credibility":2,"name":"Humanity Protocol Launches Recovery Initiative — Crypto Economy","type":"news_article","url":"https://crypto-economy.com/humanity-protocol-launches-recovery-initiative/"}]},{"content":"The post-mortem revealed a systemic operational security failure: an employee stored private keys for both the admin hot wallet and all Gnosis Safe co-signer positions across both chains on a single laptop. This configuration meant that compromise of one device was sufficient to obtain the quorum of signatures needed to transfer ProxyAdmin control of both the Ethereum bridge and the BNB Chain token contract, bypassing the intended security properties of multisig key distribution. Neither the malware type, the infection vector, nor the duration of the attacker's access prior to exploitation has been publicly confirmed. The project's internal key management practices, including whether hardware security modules or geographically distributed key storage were in use, were not described in available disclosures.","heading":"Operational Security Failures","severity":"critical","sources":[{"credibility":2,"name":"Humanity Protocol says attacker stole seven keys from one device — crypto.news","type":"news_article","url":"https://crypto.news/humanity-protocol-says-attacker-stole-seven-keys-from-one-device/"},{"credibility":2,"name":"One Laptop, $36 Million, and a Token Collapse: Inside the Humanity Protocol Exploit — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/10/one-laptop-36-million-and-a-token-collapse-inside-the-humanity-protocol-exploit/"},{"credibility":1,"name":"Humanity Protocol Loses $36M After Private Keys Compromised, Token Crashes 73% — Decrypt","type":"news_article","url":"https://decrypt.co/370485/humanity-protocol-loses-36m-after-private-keys-compromised-token-crashes-73"}]}],"sources_used":[{"credibility":1,"name":"Humanity Protocol token crashes more than 80% after a $32 million private-key hack — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/06/09/humanity-protocol-token-crashes-more-than-80-after-a-usd32-million-private-key-hack"},{"credibility":1,"name":"Humanity Protocol Loses $36M After Private Keys Compromised, Token Crashes 73% — Decrypt","type":"news_article","url":"https://decrypt.co/370485/humanity-protocol-loses-36m-after-private-keys-compromised-token-crashes-73"},{"credibility":2,"name":"ZachXBT Calls $32M Humanity Protocol Hack 'Possibly Staged,' $H Crashes 86% — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/09/zachxbt-calls-32m-humanity-protocol-hack-possibly-staged-h-crashes-86/"},{"credibility":2,"name":"One Laptop, $36 Million, and a Token Collapse: Inside the Humanity Protocol Exploit — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/10/one-laptop-36-million-and-a-token-collapse-inside-the-humanity-protocol-exploit/"},{"credibility":2,"name":"Three Breach Vectors, 447M Tokens: Humanity Protocol Details $H Exploit — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/09/three-breach-vectors-447m-tokens-humanity-protocol-details-h-exploit/"},{"credibility":2,"name":"Humanity Protocol Loses $32M in Private Key Hack as ZachXBT Calls Incident 'Possibly Staged' — news.bitcoin.com","type":"news_article","url":"https://news.bitcoin.com/humanity-protocol-exploit-zachxbt-staged/"},{"credibility":2,"name":"ZachXBT rules out insider theft in Humanity Protocol's $31M exploit — crypto.news","type":"news_article","url":"https://crypto.news/zachxbt-rules-out-insider-theft-in-humanity-protocols-31m-exploit/"},{"credibility":2,"name":"Humanity founder reveals employee laptop breach behind $36M exploit — crypto.news","type":"news_article","url":"https://crypto.news/humanity-founder-reveals-employee-laptop-breach-behind-36m-exploit/"},{"credibility":2,"name":"Humanity Protocol says attacker stole seven keys from one device — crypto.news","type":"news_article","url":"https://crypto.news/humanity-protocol-says-attacker-stole-seven-keys-from-one-device/"},{"credibility":2,"name":"ZachXBT Says Humanity Crypto $32M Hack Looks 'Possibly Staged' — The Tokenist","type":"news_article","url":"https://tokenist.com/zachxbt-humanity-crypto-protocol-hack-crypto-etf-risk/"},{"credibility":2,"name":"Is Humanity Protocol's $32M Hack an Exit Scam? What ZachXBT's Investigation Reveals — Memeburn","type":"news_article","url":"https://memeburn.com/is-humanity-protocols-32m-hack-an-exit-scam-what-zachxbts-investigation-reveals/"},{"credibility":2,"name":"ZachXBT says Humanity Protocol hack may have been staged as H down 90% — Crypto Briefing","type":"news_article","url":"https://cryptobriefing.com/humanity-protocols-h-token-crashes-90-attackers-steal-private-keys-drain-32-million/"},{"credibility":2,"name":"Humanity Protocol Suffers $32 Million Hack as Token Plummets Nearly 90% — KuCoin","type":"news_article","url":"https://www.kucoin.com/blog/humanity-protocol-32-million-hack-h-token-crash"},{"credibility":3,"name":"Humanity Offers $1M USDT Bounty For Tips Leading To Hack Recovery — BitcoinWorld","type":"news_article","url":"https://bitcoinworld.co.in/humanity-1m-usdt-bounty-hack-recovery/"},{"credibility":3,"name":"Humanity Token Faces Critical Test: June 25 Unlock — CoinGabbar","type":"news_article","url":"https://www.coingabbar.com/en/price-prediction/humanity-price-prediction-hack-90percent-crash-june-25-unlock"},{"credibility":2,"name":"Humanity Protocol Launches Recovery Initiative — Crypto Economy","type":"news_article","url":"https://crypto-economy.com/humanity-protocol-launches-recovery-initiative/"}],"summary":"On June 8-9, 2026, Humanity Protocol suffered a coordinated cross-chain exploit in which attackers compromised seven private keys stored on a single malware-infected employee laptop, draining approximately 447 million H tokens — valued at $32-36 million — across Ethereum and BNB Smart Chain. Blockchain investigator ZachXBT initially alleged the incident was 'possibly staged' based on pre-funded attacker wallets, suspicious market-making activity, and DEX-only token dumps, though he subsequently revised his assessment, concluding the private key compromise and the earlier suspicious market-making were independent events. The H token crashed between 87-89% within hours of the attack and remained deeply depressed ahead of a 266.5 million token unlock scheduled for June 25, 2026.","timeline":[{"date":"2026-04-01","event":"Alleged period during which attacker wallets were created and funded from exchanges and mixers, weeks before the exploit, according to on-chain analyst Elton's forensic findings cited by ZachXBT.","source":"CryptoTimes / ZachXBT via Memeburn","source_url":"https://memeburn.com/is-humanity-protocols-32m-hack-an-exit-scam-what-zachxbts-investigation-reveals/"},{"date":"2026-05-30","event":"H token surged 31% with a 134% volume increase, beginning a sustained price pump ahead of the exploit.","source":"CryptoTimes","source_url":"https://www.cryptotimes.io/2026/06/10/one-laptop-36-million-and-a-token-collapse-inside-the-humanity-protocol-exploit/"},{"date":"2026-06-01","event":"H token rallied approximately 61%, reaching an all-time high near $0.67-$0.85.","source":"CryptoTimes","source_url":"https://www.cryptotimes.io/2026/06/10/one-laptop-36-million-and-a-token-collapse-inside-the-humanity-protocol-exploit/"},{"date":"2026-06-08","event":"Coordinated cross-chain attack initiated. Attackers compromised a malware-infected developer laptop containing seven private keys. Admin hot wallet drained of approximately 6 million H tokens. Ethereum Gnosis Safe co-signer quorum achieved; ProxyAdmin transferred and bridge upgraded to malicious implementation, draining 141 million H tokens. BNB Chain Safe quorum achieved; ProxyAdmin seized and approximately 300 million H tokens unauthorized-minted.","source":"crypto.news post-mortem reporting","source_url":"https://crypto.news/humanity-protocol-says-attacker-stole-seven-keys-from-one-device/"},{"date":"2026-06-09","event":"Exploit disclosed publicly. Approximately 17+ project wallets confirmed drained. H token crashed from approximately $0.67-$0.73 to intraday lows near $0.05-$0.08, a decline of 87-93%. Stolen H tokens actively swapped for ETH on DEXes including Kyber Network and PancakeSwap. Approximately $23.7 million converted to ETH. CEO Terence Kwok confirmed breach and advised users to avoid bridge and liquidity pools.","source":"CoinDesk / CryptoTimes","source_url":"https://www.coindesk.com/tech/2026/06/09/humanity-protocol-token-crashes-more-than-80-after-a-usd32-million-private-key-hack"},{"date":"2026-06-09","event":"ZachXBT posted publicly calling the incident 'possibly staged,' citing pre-funded attacker wallets, DEX-only dumps, coordinated cross-chain execution, and prior suspicious market-making activity. On-chain analyst Elton's forensic findings referenced in support.","source":"CryptoTimes","source_url":"https://www.cryptotimes.io/2026/06/09/zachxbt-calls-32m-humanity-protocol-hack-possibly-staged-h-crashes-86/"},{"date":"2026-06-09","event":"Humanity Protocol announced $1 million USDT bounty for information leading to recovery of stolen funds. Real-time exploiter wallet tracker launched and shared with exchanges.","source":"BitcoinWorld","source_url":"https://bitcoinworld.co.in/humanity-1m-usdt-bounty-hack-recovery/"},{"date":"2026-06-10","event":"Post-mortem reporting expanded scope to approximately 447 million H tokens across all three breach vectors. Total losses revised upward to over $36 million.","source":"CryptoTimes","source_url":"https://www.cryptotimes.io/2026/06/10/one-laptop-36-million-and-a-token-collapse-inside-the-humanity-protocol-exploit/"},{"date":"2026-06-10","event":"ZachXBT updated his assessment, concluding the private key compromise and the suspicious market-making activity were 'independent of one another and not related,' effectively ruling out insider orchestration of the exploit itself.","source":"crypto.news","source_url":"https://crypto.news/zachxbt-rules-out-insider-theft-in-humanity-protocols-31m-exploit/"},{"date":"2026-06-25","event":"Scheduled unlock of 266.5 million H tokens (approximately 2.7% of total supply) for vesting recipients. Represents a significant supply overhang event occurring less than three weeks after the exploit.","source":"CoinGabbar","source_url":"https://www.coingabbar.com/en/price-prediction/humanity-price-prediction-hack-90percent-crash-june-25-unlock"}]},"v":1}