TL;DR:
- Humanity Protocol suffered an attack that resulted in the loss of over $36 million in H tokens after an employee’s laptop was compromised.
- The attackers obtained three of six Gnosis Safe multisig keys and took control of the bridges on Ethereum and BNB Chain.
- The H token fell more than 85% following the attack disclosure. Investigators are still assessing whether the attack was external or internally coordinated.
Humanity Protocol reported that an attack carried out against its bridges on Ethereum and BNB Chain resulted in the theft of over $36 million in H tokens. According to the protocol, the entry vector was a compromised employee laptop, which allowed the attackers to access three of the six keys of a Gnosis Safe wallet and take administrative control of the bridges on both networks.
With that access, the attackers upgraded the bridge contracts and turned them into malicious versions. On Ethereum they drained approximately 141.2 million tokens. On BNB Chain they introduced an unlimited minting function and minted 200 million tokens directly into their own wallet.
INCIDENT UPDATE:
Last night, June 8, the H token was hit by a coordinated attack across Ethereum and BSC. While we’re still investigating this incident, we want to be transparent with our community about what happened.
As of right now, ~$36M+ has been stolen across both chains…
— Humanity (@Humanityprot) June 9, 2026
Humanity Halts Operations and Weighs its Options
Terence Kwok, founder of Humanity, explained that the multisig keys were distributed among four people, but that some may have been exposed during the initial setup. “What we believe happened was that some keys were accidentally backed up on a compromised device,” Kwok stated. He noted that the protocol uses a licensed custodian for the majority of its treasury and MPC for its operations, but that certain contracts were configured in a centralized manner before dispersing the keys, leaving copies on a vulnerable machine.
The incident illustrated how a single compromised endpoint can escalate into a protocol-level crisis when different authorizations are concentrated behind a reduced number of keys. Humanity halted deposits and withdrawals on the affected bridges and is working with exchanges and counterparties to minimize damages and evaluate all possible recovery options.
External Attack or Coordinated Action?
The subsequent investigation raised further doubts. ZachXBT initially flagged possible links between Humanity’s market maker activity and the exploit, though he later determined that those operations were independent of the key compromise. Hakan Unal, head of security operations at Cyvers, indicated that the onchain pattern can be ambiguous, since in a legitimate compromise and in an orchestrated event the attacker operates with valid admin rights in both cases.
For his part, Elton Shehdula, researcher at Allium Labs, pointed to signs of coordination: wallets funded from an exchange and a mixer weeks before the attack, the minting authority “warmed up” days prior and the simultaneous draining across two chains. Shehdula considered that the level of preparation is consistent with an insider or an external actor who would have held the compromised keys for an extended period.
