Key Highlights
- Humanity Protocol published Quantstamp’s investigation into the June 8 exploit that drained and minted unauthorized $H tokens.
- The attacker allegedly gained access through a phishing email impersonating South Korean crypto exchange Bithumb.
- Quantstamp found indicators consistent with known DPRK-linked cyber intrusion techniques.
- Humanity confirmed the Ethereum deployment has been secured, while the BNB Smart Chain version will be abandoned.
Humanity Protocol has released the findings of an independent investigation conducted by security firm Quantstamp into the June 8 attack that resulted in the compromise of its native $H token ecosystem.
The report provides the clearest explanation yet of how attackers gained control of key administrative infrastructure, triggering one of the largest crypto security incidents of the year and causing an estimated $36 million in losses.
The project had previously disclosed that the exploit led to the collapse of the $H token price after attackers gained access to bridge controls, drained tokens on Ethereum, and minted unauthorized supply on BNB Smart Chain.
Phishing attack started with fake Bithumb email
According to Humanity Protocol, the attack originated from a targeted social-engineering campaign directed at one of its directors.
The attacker reportedly sent a phishing email impersonating South Korean crypto exchange Bithumb, with whom the director had been communicating. The email contained a malicious attachment that installed remote-access malware after being opened.
Quantstamp’s investigation found that the malware allowed attackers to gain full remote-desktop control of the device while evading endpoint security systems.
Once inside the machine, the attacker extracted wallet data and private keys associated with administrative accounts.
“The attacker copied wallet data and private keys from the device and used them to execute the on-chain attack,” Humanity Protocol stated.
Quantstamp links attack pattern to DPRK tactics
According to the investigation, several aspects of the malware infrastructure and certificate-signing behavior resembled techniques commonly associated with North Korean cyber groups.
While the report stops short of making a definitive attribution, Humanity Protocol said Quantstamp identified tooling and operational patterns “characteristic of DPRK-linked intrusions.”
The attackers subsequently used the stolen credentials to upgrade a contract on Ethereum and move approximately 141.18 million in $H tokens. On BNB Smart Chain, they gained control of a ProxyAdmin contract and minted additional unauthorized tokens.
The newly created and stolen tokens were sold across decentralized exchanges including Uniswap and PancakeSwap over roughly eight hours, significantly damaging liquidity and causing a sharp decline in the token’s market value.
Ethereum secured, BNB deployment abandoned
Humanity Protocol said the Ethereum deployment has since been secured using a separate multisignature wallet that was never compromised during the attack.
“The damage is contained,” the team stated, noting that the Ethereum token contract has been frozen and the project’s canonical Humanity Mainnet bridge remains unaffected.
However, the situation on BNB Smart Chain is more difficult.
The project confirmed that attackers retain administrative control over the compromised BSC deployment and can continue minting tokens. As a result, Humanity plans to permanently abandon the affected BNB Smart Chain version while working with exchanges and ecosystem partners on recovery plans.
The foundation has also advised users to temporarily revoke contract approvals until further security assessments are completed.
$H Price Recovers Despite Lingering Risks
Interestingly, the disclosure comes as the $H token has staged a significant recovery following the initial selloff.
Recent market data shows the token surged more than 43% once after the attack, driven partly by speculation surrounding potential recovery measures and ecosystem support initiatives.
However, analysts caution that the rally remains vulnerable. Market participants continue monitoring the attacker’s remaining token holdings, while a scheduled token unlock later this month could introduce additional selling pressure.
For now, Humanity Protocol says it remains focused on finalizing a recovery plan and restoring confidence among affected users.
“We know it’s been a difficult time for H holders and we’re committed to finding the best way forward,” the project said.
Also Read: Raydium Exploit Update: GoPlus Reveals How Hacker Stole $1.34M