Humanity Protocol will prioritize operational security over smart-contract defenses after a June exploit that drained $36 million in H tokens from a compromised employee laptop, founder Terence Kwok said, as crypto hackers shift from code vulnerabilities to social engineering.
"The hard lesson here is that operational security is as critical as smart-contract security, and we're rebuilding accordingly," Kwok said in an interview. The breach stemmed from last year's mainnet launch, when production keys — including admin hot wallet keys and a quorum of multisig owner keys across Ethereum and BNB Smart Chain — were inadvertently backed up onto the laptop that was later compromised.
Blockchain security firm Quantstamp traced the attack to a phishing email disguised as a token lockup schedule update from South Korean exchange Bithumb. The malicious attachment installed malware that gave attackers remote access to the machine, allowing them to drain roughly 141 million H tokens from Humanity's Ethereum bridge and mint additional supply on BNB Smart Chain. Quantstamp said the attack bore characteristics associated with North Korea-linked threat actors, who were tied to at least $578 million of the $634 million stolen in crypto-related incidents in April alone, according to industry data.
The incident underscores a broader shift in crypto attack patterns. Phishing drove $508 million in first-quarter losses, while wallet compromises emerged as the biggest vector in the second quarter at $807 million, according to blockchain security firm CertiK. Overall crypto hack losses fell 46.8% year-on-year to $1.32 billion in the first half of 2026, though CertiK said the decline was misleading due to the $1.4 billion Bybit hack in early 2025. More than 70% of second-quarter losses stemmed from the Drift Protocol and KelpDAO exploits, also attributed to North Korean state-sponsored hackers.
The laptop that broke the multisig
The attack exposed a fundamental flaw in how crypto projects manage key security. Humanity Protocol used Gnosis Safe multisig wallets requiring multiple signers to approve sensitive actions — a setup designed to prevent single points of failure. But because enough keys were stored or cached on one compromised device, the attacker crossed approval thresholds on both chains without needing to exploit a single line of smart-contract code.
Kwok said the company is now rebuilding its security architecture with hardware-secured signers, segregated key environments, and mandatory team training on phishing threats. The H token's market cap stands at roughly $211 million, according to CoinMarketCap, down sharply from its pre-exploit peak near $0.67 in early June.
Pivot to enterprise AI
The hack accelerated a strategic shift that had been under discussion for months. Humanity Protocol, which originally positioned itself as a decentralized identity platform using palm biometrics and zero-knowledge proofs, is now refocusing on enterprise artificial intelligence products. Kwok said the company has been testing products designed for AI companies that need reliable methods of verifying human credentials — a use case that grows more urgent as AI-generated content and deepfakes proliferate.
The platform has registered around 10 million users, with a couple of million completing their credentials, Kwok said. Humanity Protocol previously worked with Mastercard on proof-of-assets applications and is backed by investors including Animoca Brands and Polygon Labs.
What remains at stake
For a project built on the premise of digital trust, the breach is especially damaging. Humanity Protocol's core pitch — verifying real humans using privacy-preserving technology — depends on users believing the infrastructure is secure. The June exploit showed that advanced cryptography does not replace basic operational security: a protocol can use zero-knowledge proofs and decentralized identifiers but still fail if private keys and admin controls are not properly protected.
Kwok said the chances of recovering the stolen funds are "pretty low," with the team's attention turned to rebuilding the ecosystem. The company has launched a public compromised-address tracker, offered a $1 million USDT bounty for information leading to recovery, and begun distributing a replacement token to pre-snapshot holders. Law enforcement agencies in Hong Kong and the United States have been contacted as investigations continue.
This article is for informational purposes only and does not constitute investment advice.