Humanity Protocol has identified a malware-infected developer machine as the source of the security breach that led to the theft and unauthorized minting of roughly 447 million H tokens across Ethereum and BNB Smart Chain.
Summary
- Humanity Protocol said a malware-infected developer machine exposed seven private keys used in the June attack that affected Ethereum and BNB Smart Chain.
- Stolen credentials allowed the attacker to drain 141.2 million H from the Ethereum bridge and mint 300 million H on BNB Smart Chain.
- The project said the incident stemmed from compromised private keys rather than a flaw in its smart contracts or bridge infrastructure.
According to Humanity Protocol’s incident report, an attacker gained root access to a developer device and obtained seven private keys that had been inadvertently backed up during the project’s June 2025 mainnet launch.
The keys included the admin hot wallet key, three Ethereum Safe owner keys, and three BSC Safe owner keys, giving the attacker access to critical infrastructure from a single compromised machine.
The findings add new details to an attack that previously caused H to plunge sharply before staging a partial recovery. On June 10, the token traded near $0.163, up 23.7% over 24 hours, although it remained down 74.1% over the previous week following the exploit.
Humanity Protocol said the incident was not caused by a flaw in its bridge contracts, token contracts, or Safe architecture. Instead, the attacker used valid private keys to authorize transfers, Safe transactions, and contract upgrades after obtaining control of the credentials.
Attacker used stolen keys to seize bridge controls
Based on the report, the attack unfolded across three separate actions between June 8 and June 9.
During the first wave, 6.04 million H were drained from an Ethereum admin hot wallet after its private key was compromised. From there, the attacker moved against the protocol’s bridge infrastructure.
Using three stolen keys from a six-member Ethereum Safe, the attacker transferred ownership of the Bridge ProxyAdmin to an attacker-controlled wallet. After obtaining administrative control, the attacker upgraded the bridge to a malicious implementation and drained 141.18 million H in a single transaction.
Humanity Protocol said the transaction carried the signatures needed to meet the Safe’s threshold requirements, allowing the upgrade to appear as an authorized action rather than a smart contract exploit.
On BNB Smart Chain, a separate set of three compromised Safe keys gave the attacker control of the token’s ProxyAdmin. After deploying a malicious implementation, the attacker executed three mint transactions of 100 million H each, increasing the token’s supply from about 141.1 million to 441.1 million H.
Investigation points to single point of compromise
While the Ethereum bridge assets were drained, the report described the BSC token as unrecoverable because the attacker still controls the ProxyAdmin and can continue minting additional tokens. Humanity Protocol said the attacker retains ownership of both the bridge and token administration contracts affected in the incident.
Earlier disclosures from the project focused on compromised employee devices and stolen Safe keys. The latest forensic findings narrowed the cause to one malware-infected developer machine that stored multiple sensitive backups. According to the report, investigators believe all seven private keys were obtained from that single device.
Several questions remain unanswered. Humanity Protocol said it has not yet determined when the attacker first gained access, how the machine was compromised, or how long the stolen credentials were held before the attack was carried out.
In response to the incident, the project halted deposits and withdrawals through the affected bridges, launched a public recovery tracker, and offered a $1 million USDT bounty for information that leads to asset recovery. Humanity Protocol previously said any recovered funds would be used to buy back H tokens.
