Humanity Protocol has published the full Quantstamp investigation summary into the $H token compromise, giving users a clearer account of how the June 8 attack unfolded across Ethereum and BNB Smart Chain.
The report says Humanity engaged Quantstamp after $H was minted and sold without authorization on both chains. Investigators reconstructed the on-chain activity and examined two devices belonging to Chong Yee Wai, a director of the issuer, whose keys were stolen and used during the attack.
On Ethereum, the attacker used a stolen account key to replace the implementation of a Hyperlane warp-route proxy and move about 141.18 million $H to a new address. On BNB Smart Chain, the attacker used three stolen Safe signer keys to take ownership of a ProxyAdmin contract, then minted about 100 million new $H to another address.
The attacker sold $H through Uniswap and PancakeSwap over roughly eight hours, pushing the open-market price down by about 89%. Known attacker addresses already held more than $21 million in ETH proceeds at the time of the report, while BNB-side proceeds were still being tallied.
Phishing Email Led To Malware And Key Theft
The compromise began with a phishing email that impersonated Korean exchange Bithumb and referenced a circulating-supply lockup schedule. The malicious attachment was named Bithumb_Circulating_Supply_Lockup_Schedule.zip and pointed to an attacker-controlled host.
After the file was opened, the attacker installed remote-access malware on a Windows machine and created a hidden GuestUser profile. The report says the attacker gained full remote-desktop control, copied MetaMask wallet data and private keys from the host, then used those keys to execute the on-chain attack on June 8.
The loader was signed with a South Korean Hancom certificate, which Quantstamp described as a pattern characteristic of DPRK intrusions. The report did not name a specific confirmed actor. That wording matters because attribution in crypto security incidents can shift as forensic work continues.
The incident adds to a wider run of crypto security stories where private-key handling, device compromise and operational controls matter as much as smart contract code. Recent market attention has already moved from device-level security toward broader infrastructure exposure, including Ledger’s backlash over past breaches and a Bitcoin Core 31.0 privacy bug affecting a narrow set of users.
Recovery Plan Still To Follow
Humanity said transparency matters and that a recovery plan and next steps will follow. The report does not yet provide a final user compensation framework, token remediation plan or completed recovery schedule.
The project’s next update will determine how it treats affected holders, liquidity providers and users exposed to the unauthorized $H movement and selling. Humanity has already said the Quantstamp report may be updated as the investigation continues, leaving the current document as an incident summary rather than a final postmortem.
For users, the immediate status is now clearer. The attack was tied to stolen operational keys, unauthorized bridge-related activity and malware-enabled access to a director’s device. The remaining open points are recovery, user treatment, BNB-side proceeds, any additional attacker tracing and whether Humanity changes its key-management controls before normal operations fully resume.
Be the first to comment