Humanity Protocol Hack Linked to North Korean Actors as Quantstamp Investigation Reveals $36M Exploit

Humanity Protocol, the biometric decentralized identity project, has come under fresh scrutiny after a blockchain security firm’s investigation revealed strong indicators pointing to North Korean hackers in last week’s $36 million plus token exploit.

According to findings released by the project on June 12 and prepared by Quantstamp, the June 8 attack bears the hallmarks of sophisticated intrusions commonly associated with DPRK-linked threat actors. This incident adds Humanity Protocol to the growing list of crypto projects targeted by state-sponsored groups in 2026.

The concern is not isolated. North Korean-linked groups have been repeatedly connected to major attacks across the digital asset sector, including recent large-scale exploits targeting decentralized finance protocols and cross-chain infrastructure. Their growing presence continues to raise alarms among security researchers and crypto firms alike.

The breach originated not from a smart contract vulnerability but from a targeted phishing campaign. Attackers impersonated South Korean exchange Bithumb and sent an email to Humanity Protocol director Chong Yee Wai about a “circulating supply lockup schedule.” A malicious ZIP file in the attachment installed remote-access malware on his Windows device, granting the intruders full control.

Once inside, the attackers exfiltrated critical private keys and wallet credentials that had been stored on the compromised machine. These keys provided access to administrative functions across Ethereum and BNB Smart Chain (BSC), enabling a swift cross-chain operation:

• On Ethereum, attackers used a stolen key to upgrade a Hyperlane warp-route proxy and drained approximately 141.18 million $H tokens.
• On BSC, they seized control of a ProxyAdmin contract through a Gnosis Safe transaction and minted around 100 million additional $H tokens.

The stolen and freshly minted tokens were aggressively dumped over roughly eight hours on decentralized exchanges like Uniswap and PancakeSwap, triggering an immediate market collapse. The $H token plunged as much as 89-90% from recent highs near $0.67, briefly touching lows around $0.05. A significant portion of the proceeds over $21 million in ETH alone has been traced to attacker-controlled wallets.

North Korean Tradecraft Confirmed in Phishing & Malware Attack

Quantstamp’s analysis highlighted several technical signatures consistent with North Korean operations, including specific malware tooling, certificate-signing patterns (such as a South Korean Hancom certificate), and overall operational tactics frequently observed in attacks attributed to groups like Lazarus. This attribution aligns with a broader pattern in 2026, where DPRK-linked actors have been responsible for a substantial share of major crypto heists.

Security experts have also warned that DPRK-linked actors are increasingly moving beyond traditional exploits by infiltrating crypto organizations through social engineering, fake recruitment campaigns, and malware-laced communications. These tactics often provide direct access to sensitive internal systems before any on-chain activity becomes visible.

The root cause traces back to operational security lapses during the project’s mainnet launch in mid-2025. Multiple high-privilege keys, including admin hot wallet and multisig owner keys, were inadvertently backed up on the single compromised device. This single point of failure allowed attackers to bypass multisig thresholds without needing wider network access.

Humanity Protocol has responded with several measures:

• Halting bridge operations and publishing a live transparency tracker for attacker wallets.
• Offering a $1 million bounty for information leading to fund recovery.
• Committing recovered assets to $H token buybacks.
• Declaring its BSC deployment permanently compromised and planning to abandon it.

The project’s core palm vein biometric Proof-of-Humanity system remained untouched. Despite this, the $H token suffered severe damage, followed by a partial recovery. An upcoming large token unlock on June 25 (over 266 million $H) adds further pressure.

Rising Threat of State-Sponsored Crypto Attacks

This attack underscores a persistent and evolving threat: while on-chain code continues to harden, human and operational vulnerabilities remain prime targets especially for well-resourced nation-state actors. North Korean groups have repeatedly demonstrated their ability to blend social engineering, malware deployment, and rapid on-chain execution to fund state objectives.

Recent threat intelligence reports suggest that North Korean cyber groups have stolen billions of dollars worth of digital assets over the past several years, making cryptocurrency theft a significant component of their broader cyber-financing strategy. The Humanity Protocol incident further reinforces concerns that sophisticated state-backed attackers continue to view the crypto industry as a high-value target.

For Humanity Protocol, full recovery will depend not only on tracing and potentially freezing stolen funds but also on implementing rigorous changes in key management, hardware security, and team training to rebuild trust.

As investigations continue, the crypto industry watches closely. In an environment where state-sponsored hacking has become a dominant force in major exploits, robust operational security is no longer optional it is foundational.