Humanity Protocol Loses $36M After Private Keys ‘Compromised,’ Token Crashes 73%


In brief

  • Humanity Protocol’s H token plunged more than 80% after attackers compromised project-linked keys and stole more than $36 million following an employee laptop breach.
  • Attackers drained 141.2 million H and minted another 200 million H through malicious contract upgrades, prompting the team to halt bridge activity.
  • The breach marks the latest major DeFi hack of 2026, extending a year in which protocols have already lost hundreds of millions of dollars to exploits.

Humanity Protocol’s native token H collapsed more than 80% Tuesday after attackers compromised private keys tied to the project, seized bridge admin controls, and stole more than $36 million across Ethereum and BNB Chain.

In a detailed thread, Humanity Protocol said the Monday attack was coordinated across Ethereum and BSC and traced to a breach that occurred “after an employee’s laptop was compromised.”

The Humanity breach extends one of the worst stretches on record for DeFi security, with more than $885 million lost to DeFi hacks in the first six months of 2026, according to DeFiLlama data.

Attackers compromised three of six Gnosis Safe keys on Ethereum and three of five on BSC, seizing ProxyAdmin control, draining about 141.2 million H, and minting another 200,000,005 H through malicious contract upgrades, according to the project.

The project’s H token plunged from highs of $0.73132 Monday to a Tuesday morning low of $0.079606, per CoinGecko data, a drop of 89%. H is currently trading near $0.20, down 73% on the day, erasing much of a rally that had pushed the token close to its all-time high of $0.80 just a week earlier.

Founder Terence Kwok confirmed the breach and told users to stay clear of the project’s infrastructure.

Humanity Protocol is a zero-knowledge Layer-2 blockchain focused on decentralized identity, founded by Kwok and built around a “Proof of Humanity” system that verifies users through palm scans rather than iris or facial recognition.

The breach is the latest setback for Kwok, whose previous venture, hospitality-tech startup Tink Labs, raised about $160 million and became one of Hong Kong’s first unicorns before shutting down in 2019 amid financial troubles.

The Humanity Protocol team said it has halted deposits and withdrawals to the affected bridges and is working with exchanges and police to recover funds.

“People in this community worked hard for what they hold here, and we feel the weight of that,” the project said, promising a post-mortem.

An “operational security failure”

Meir Dolev, co-founder and CTO at blockchain security platform Cyvers, told Decrypt the incident was “an operational security failure, not a smart-contract bug,” with the attacker gaining admin access through a private key tied to a Humanity Foundation member.

After the contract upgrade, Dolev said the attacker abused the mint function to create 100 million new H, worth about $12.9 million, then swapped the stolen and minted tokens for ETH and BNB before consolidating across several wallets.

Dolev noted that draining roughly $30 million “required owner/admin-level control able to increase token supply via the proxy contract upgrade and drain protocol-controlled wallets directly.”

“The core failure is structural: one key trusted with both the funds and the power to rewrite the rules,” he said.

He read Kwok’s warning to avoid the bridge and pools as a sign that access “may not be fully contained.”

The attacker still holds large amounts of H but cannot fully cash out because pool liquidity is too thin to absorb the swaps, Dolev said, making the public alert “partly an effort to keep that liquidity from being touched.”

Humanity Protocol is due to unlock 266.5 million H, about 9.4% of the released supply, worth roughly $33 million at pre-crash prices, on June 25, across six allocations, according to Tokenomist data.

On-chain sleuth ZachXBT initially flagged the event as “possibly staged,” suggesting it offered a convenient exit for the active market maker.

He later walked the statement back, tweeting that, “After further analysis of the laundering, it seems the sketchy MM / OTC & private key compromise are independent of one another and not related.”

Dolev cautioned that on-chain evidence so far remains mixed, since the attacker holds legitimate admin rights either way. Where the funds settle in the coming days, and whether the compromised key was dormant beforehand, he said, “will be the deciding factor.”
