$H — Humanity Protocol Hack: Full Breakdown 🚨

One of the most damaging security incidents in crypto this year. Here is exactly what happened, how it happened, and what it means.

On June 8–9, 2026, Humanity Protocol was hit by three coordinated attacks across Ethereum and BNB Chain. Total damage — approximately 447 million H tokens stolen or minted illegitimately.

No smart contract bug. No code exploit. Just keys in the wrong place.

THE ATTACK — HOW IT UNFOLDED

Attack 1 — Hot Wallet Key Theft

An admin hot wallet had its private key stolen. The attacker drained 6,045,060 H directly to their aggregation wallet. Small in comparison to what followed — but this was just the opening move.

Attack 2 — ETH Bridge Drain

The ERC-BSC bridge at 0x44F161ae is an upgradeable proxy. Its upgrade permissions were controlled by a Gnosis Safe requiring 3 of 6 owner signatures.

The attacker had 3 of those keys.

They assembled a Safe transaction offline, submitted it, seized the ProxyAdmin, deployed a malicious contract, and drained 141,182,632 H in a single transaction. The entire bridge balance — including 15M H the attacker had pre-loaded to inflate it — swept in one call. Time from ProxyAdmin seizure to full drain — under 2 minutes.

Attack 3 — BSC Unlimited Mint

Same playbook. Different chain. Different keys.

The BSC H token ProxyAdmin was controlled by a separate Gnosis Safe requiring 3 of 5 signatures. The attacker had 3 of those keys too — completely different from the ETH set.

ProxyAdmin seized. Malicious mint contract deployed. Then mint() called three times.

100,000,000 H at 02:09 UTC

100,000,000 H at 03:51 UTC

100,000,000 H at 08:58 UTC

BSC supply went from 141 million to 441 million in under 7 hours. A 213% inflation of the entire BSC token supply. The attacker retains full control of the BSC contract and can continue minting at any time.

HOW DID THIS HAPPEN?

This was not a protocol failure. Every transaction was signed with legitimate private keys. The bridge logic worked as designed. The Safe worked as designed. The proxy upgrade worked as designed.

The failure was human and operational.

During the Humanity Protocol mainnet launch in June 2025, a developer backed up seven production-grade private keys to a general-purpose development machine. That machine was later compromised with malware, giving the attacker complete root access.

Those seven keys included the admin hot wallet, three ETH Gnosis Safe owner keys, and three BSC Gnosis Safe owner keys. One compromised laptop. Seven keys. 447 million tokens.

The attack on June 8 may have been planned well in advance. The attacker likely held the keys for an unknown period before executing.

WHAT IS SAFE AND WHAT IS NOT

ETH H token — unaffected. Clean 4-of-7 Safe controls the upgrade. Transfers have been paused as a protective measure.

Canonical Arbitrum bridge — unaffected. Holds approximately 87 million H.

ETH bridge — compromised. Malicious implementation active. Attacker owns the ProxyAdmin.

BSC H token — unrecoverable. Attacker owns the ProxyAdmin outright. Can mint, pause, or drain at will. This token should be treated as permanently compromised.

FUND FLOW SUMMARY

141M H swept from ETH bridge — fragmented across OTC and DEX wallets.

6M H drained from hot wallet — sent to attacker aggregation wallet.

300M H minted on BSC — distributed across multiple downstream addresses.

Approximately 21.74M H remains in the aggregation wallet unharvested as of June 9.

WHAT THIS MEANS

Humanity Protocol is now facing a recovery scenario where the ETH-side token infrastructure survived but the BSC token is permanently in attacker hands. Any BSC H token circulating now exists alongside 300 million illegitimately minted tokens from an attacker who still controls the contract.

A recovery program for affected users is being developed. External security experts have been engaged for forensic investigation of the compromised devices.

THE LESSON

Smart contracts are only as secure as the keys that control them. Upgradeable proxies and multisigs are powerful tools — but they become attack surfaces the moment signing keys touch insecure infrastructure.

Hardware wallets. Air-gapped key storage. Separation of development and production environments.

This hack did not require a single line of malicious code to be written into the protocol. It required one compromised laptop.
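
An added example, not code from Humanity Protocol or from this post: a custody audit that measures each Safe's threshold in devices rather than signatures. The inventory is constructed from the description above (three owner keys per Safe backed up to one machine). Key and device labels are placeholders, and the remaining layout (one hardware wallet per owner) is an assumption.

```python
from itertools import combinations

# Constructed inventory: key and device labels are placeholders, not real
# addresses or hostnames. Thresholds and owner counts are the ones in the post.
SAFES = {
    "eth-bridge-proxyadmin": {"threshold": 3, "owners": [f"eth-{i}" for i in range(1, 7)]},
    "bsc-token-proxyadmin": {"threshold": 3, "owners": [f"bsc-{i}" for i in range(1, 6)]},
}

def layout(backup_on_laptop):
    """Map each owner key to every device holding a copy of it (assumed layout)."""
    loc = {}
    for safe in SAFES.values():
        for n, owner in enumerate(safe["owners"]):
            loc[owner] = {f"hw-{owner}"}           # assumption: one hardware wallet each
            if backup_on_laptop and n < 3:         # three keys per Safe were backed up
                loc[owner].add("dev-laptop")
    return loc

def exposed_owners(owners, locations, devices):
    """Owner keys readable by whoever controls every device in `devices`."""
    return {o for o in owners if locations.get(o, set()) & devices}

def min_devices_to_quorum(safe, locations):
    """Smallest device set whose compromise yields `threshold` owner keys.

    Returns (count, devices), or (None, ()) if the inventoried devices cannot
    reach quorum. Exhaustive search is fine because signer sets are small.
    """
    owners, threshold = safe["owners"], safe["threshold"]
    devices = sorted(set().union(*(locations.get(o, set()) for o in owners)))
    for k in range(1, len(devices) + 1):
        for combo in combinations(devices, k):
            if len(exposed_owners(owners, locations, set(combo))) >= threshold:
                return k, combo
    return None, ()

def audit(safes, locations):
    """Effective threshold of each Safe, counted in devices instead of signatures."""
    return {name: min_devices_to_quorum(s, locations) for name, s in safes.items()}

if __name__ == "__main__":
    for label, loc in (("key backups on laptop", layout(True)), ("keys separated", layout(False))):
        for name, (k, devs) in audit(SAFES, loc).items():
            print(f"{label:22} {name:22} quorum from {k} device(s): {', '.join(devs)}")
```

Any Safe that reports quorum from fewer devices than its signature threshold has key copies sharing a failure domain, which is the condition the post describes.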

Stay safe out there. 👀