Humanity Protocol says North Korean hackers stole $36 million in a phishing-led attack

The attack on Humanity Protocol started with a phishing email aimed at one of the project’s directors, and Quantstamp says the pattern matches intrusions associated with North Korea. For high-risk operators, the useful detail is simple: the breach moved from one compromised workstation to admin keys, contract control, token minting, and liquidation in about eight hours.

1. According to Quantstamp’s investigation, the attackers sent a fake email posing as South Korean crypto exchange Bithumb, with which the Humanity director had been corresponding. The email carried a malicious file; once opened, it installed remote access software that bypassed the device’s protections.
2. After gaining access to the director’s device, the attackers extracted wallet data and private keys linked to administrative accounts. They then upgraded a contract on Ethereum and transferred about 141.18 million native H tokens.
3. On BNB Smart Chain, the attackers took control of the ProxyAdmin contract and minted additional unbacked tokens. The freshly issued tokens, together with the stolen legitimate ones, were sold on decentralized exchanges including Uniswap and PancakeSwap.
4. Quantstamp said the full sequence took about eight hours. The attack reduced H liquidity and caused a sharp drop in the token’s market value. The firm also said the malware infrastructure and certificate-signing behavior resemble techniques characteristic of North Korean hackers.
5. Humanity Protocol said the attackers still retain administrative control over the compromised BNB Smart Chain contract and could continue minting tokens. The team plans to fully abandon the affected BNB Smart Chain version, and users were advised to temporarily revoke contract permissions until further security checks are complete.

On 9 June, the day after the attack, H fell to $0.08. By Sunday, 14 June, it was trading at $0.36, a gain of more than 72% over the previous 24 hours. A few days later, another crypto platform, Raydium on Solana, disclosed a separate $1.34 million theft tied to a critical flaw in its outdated smart-contract verification, according to GoPlus Security.