Humanity Protocol Compromise Let Attackers Seize Admin Keys and Mint $H
Humanity Protocol disclosed that attackers compromised an employee laptop and recovered enough private keys to take administrative control of key contracts, drain funds, and mint large amounts of $H. The project and outside investigators said the breach was not caused by a smart contract flaw; it stemmed from operational security weaknesses, including multiple multisig signer keys being accessible from a single device and the lack of a timelock on ProxyAdmin-controlled upgrades. Quantstamp tied the initial access to a spear-phishing email sent to director Chong Yee Wai, and the malware activity was described as consistent with DPRK tradecraft.
On-chain analysis and public reporting estimated at least 447 million $H were affected in the acknowledged attack path, while some researchers reported substantially larger mint activity on BSC and questioned gaps in the project’s disclosures. The incident triggered a sharp token-price collapse, forced bridge shutdowns, and left the BSC contract under attacker control, prompting reviews by ZachXBT, PeckShield, Specter, Beosin, SlowMist, and QuillAudits. Humanity later published an incident update and began recovery measures, including a new Ethereum token, a snapshot-based airdrop, and a claims portal that requires identity verification for compensation.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Humanity launches recovery and compensation mechanisms
Humanity later introduced recovery measures including a new Ethereum token, a snapshot-based airdrop, and a claims portal requiring identity verification. These steps were presented as part of the project's response to the exploit and user compensation effort.
Researchers publish competing analyses of the Humanity exploit
After the attack, investigators including ZachXBT, PeckShield, Specter, Beosin, SlowMist, and QuillAudits analyzed the incident. Some researchers documented substantially higher BSC mint activity than officially acknowledged and raised questions about disclosure discrepancies and possible pre-incident market-maker activity.
Bridge shutdowns and token price collapse follow exploit
Following the 2026-06-08 compromise, the exploit caused the $H token price to collapse and led to bridge shutdowns, while the BSC contract remained under attacker control. Public reporting and on-chain analysis estimated at least 447 million $H were affected in the officially acknowledged attack path.
Attackers seize admin control and exploit Humanity Protocol
On 2026-06-08, attackers used private keys recovered from the compromised laptop to take administrative control of key contracts, drain funds, and mint large quantities of $H tokens. Reporting said the incident stemmed from operational security failures rather than a smart contract bug.
Spear-phishing email compromises Humanity Protocol director
On 2026-06-05, attackers sent a spear-phishing email to director Chong Yee Wai, leading to compromise of an employee laptop. Quantstamp later linked this initial intrusion to malware behavior described as characteristic of DPRK intrusions.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
THORChain exploit and Alephium bridge hack expose forged cross-chain message flaws
THORChain was exploited across Bitcoin, Ethereum, BNB Chain, and Base, with losses rising from an initial estimate of **$7.4 million** to more than **$10.7 million** after an Asgard vault was drained. The protocol paused trading after the attack, and community investigators published suspected theft addresses on Bitcoin and EVM-compatible networks. Separately, Alephium disclosed that its private Wormhole-fork TokenBridge was exploited on Ethereum and BNB Chain for about **$815,000** after an off-chain backend flaw let forged guardian messages pass through its four-guardian system, enabling the minting of **13.76 million** unbacked wrapped `ALPH` on Ethereum. New reporting tied the THORChain incident to a privately disclosed but allegedly unremediated proposer-forgery flaw in the Bifrost attestation system. Security firm **V12** said it warned THORChain about a critical fund-draining bug, but the protocol silently patched code, did not pay a bounty, and retired its bug bounty program; researchers said a May 6 fix intended to block proposer forgery failed automated testing and was never deployed before the exploit. In Alephium’s case, the project and Blockaid revised earlier claims of guardian key theft and said the root cause was forged malicious events or messages observed and signed because of a backend vulnerability; Alephium shut down the bridge, halted new transactions, and urged holders to pull liquidity from Uniswap and PancakeSwap while the attacker still controls the unbacked tokens.
Jun 1, 2026
Shai-Hulud 2.0 npm Supply Chain Attack Compromises Trust Wallet and Cloud Credentials
A sophisticated supply chain attack, dubbed Shai-Hulud 2.0, targeted the npm JavaScript ecosystem by compromising maintainer accounts of widely used packages. Attackers injected malicious scripts into the preinstall phase of these packages, enabling the theft of credentials from developer environments, CI/CD pipelines, and cloud-connected workloads. The campaign led to the compromise of over 25,000 GitHub repositories and the exposure of hundreds of cloud credentials, affecting major organizations such as Zapier, PostHog, Postman, and Trust Wallet. Blockchain forensics confirmed that secrets stolen in this campaign were used to drain digital wallets, resulting in a confirmed $8.5 million theft from Trust Wallet. The attack's automation and worm-like propagation highlighted the urgent need for improved supply chain security and credential hygiene in cloud-native environments. Security researchers have identified new variants of the Shai-Hulud malware, indicating ongoing development and testing by threat actors. The campaign's technical sophistication included phishing tactics to capture npm maintainer credentials and modifications to payloads for improved evasion and error handling. While the most significant financial impact was observed in the Trust Wallet breach, the broader campaign demonstrated the potential for widespread compromise across the open-source software supply chain. Multiple security vendors have independently verified the attack chain, emphasizing the critical risks posed by supply chain attacks in modern software development.
Mar 21, 2026
Drift Protocol loses $280M after social-engineered multisig takeover
Drift Protocol, a Solana-based decentralized exchange, lost roughly **$270 million to $286 million** after attackers seized its Security Council administrative powers and drained core vaults, prompting the platform to suspend deposits and withdrawals and warn users not to add funds. Drift later said the theft was not caused by a smart contract bug or leaked seed phrases, but by a sophisticated operation that abused Solana **durable nonce** transactions and pre-signed multisig approvals to execute malicious governance changes later. Investigators and Drift said the attackers removed withdrawal limits, introduced a fake collateral asset called **`CVT`** or CarbonVote Token, manipulated controls, and rapidly moved assets out of borrow/lend products, vault deposits, and trading funds, cutting the protocol’s total value locked from about **$550 million** to below **$250 million** and sending the **DRIFT** token sharply lower. Subsequent post-mortems described the breach as the culmination of a **months-long social-engineering campaign** in which the threat actors posed as a legitimate quantitative trading firm, built trust through conferences, Telegram chats, integrations, and deposits, and likely compromised contributors through a malicious code repository and a trojanized TestFlight wallet app. Blockchain intelligence firms including **Elliptic** and **TRM Labs** said the laundering patterns, cross-chain bridging from Solana to Ethereum, use of **Tornado Cash**, and other indicators were consistent with **North Korean** tradecraft, while Drift linked the operation with medium confidence to **UNC4736 / AppleJeus / Citrine Sleet**. The fallout widened beyond Drift as critics questioned why more than **$230 million in USDC** moved through Circle’s CCTP bridge without being frozen, Solana launched new security initiatives, and Drift later secured recovery backing including up to **$127.5 million from Tether** as it worked with security firms, exchanges, bridges, and law enforcement to trace and recover funds.
Jun 8, 2026