Humanity Protocol blames H token exploit on developer machine compromise
Humanity Protocol said the H token exploit was caused by a developer machine compromised with malware, not a smart contract bug.
By Estefano Gomez, Jun. 9, 2026

Humanity Protocol said the exploit that hit its H token late Monday was caused by a compromised developer machine that exposed several private keys tied to the project’s token and bridge infrastructure.
In a post-mortem update, the team said a colleague’s machine was infected with malware, giving the attacker root access to the device. Several production keys were inadvertently backed up on that machine during Humanity Protocol’s mainnet launch around June 2025, including an admin hot wallet key, three Ethereum Safe owner keys, and three BSC Safe owner keys.
The incident affected Humanity’s H token across Ethereum and BSC between June 8 and June 9.
The team said the attacker first stole about 6 million H from an admin hot wallet on Ethereum, then drained roughly 141 million H from the Ethereum bridge after taking control of its ProxyAdmin. The attacker also minted 300 million H on BSC after compromising three Safe owner keys tied to the BSC token’s ProxyAdmin.
The total impact reached about 447 million H across both chains, including the direct Ethereum theft, the bridge drain, and the newly minted BSC tokens. Humanity said the 15 million H initially moved into the Ethereum bridge was already included in the 141 million H bridge drain and should not be counted separately.
The BSC side remains the most severe part of the incident. Humanity said the attacker still controls the BSC token’s ProxyAdmin, meaning they can continue minting, pausing, or draining tokens. The team described the BSC H token as unrecoverable and said it should be treated as permanently compromised.
The Ethereum H token itself was frozen by a clean 4-of-7 Safe after the incident. Humanity said the Ethereum token ProxyAdmin remains under clean Safe control, while the canonical Arbitrum bridge was unaffected and still holds roughly 87 million H.
The update also stressed that the attack was not caused by a flaw in Humanity’s smart contracts, bridge code, or Safe setup. Instead, the attacker used legitimate private keys to authorize transfers, Safe transactions, proxy upgrades, bridge drains, and token mints.
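The custody lesson in this account can be checked mechanically. The following is an added example, not code from Humanity Protocol or this article: given an inventory of which keys sit on which machine, it computes what the compromise of one host would control through Safe thresholds and ProxyAdmin ownership. All host names, key names, owner counts and thresholds are constructed assumptions; the article does not state the affected Safes' thresholds.

```python
# Added example. All names, owner counts and thresholds are constructed;
# the article does not state the affected Safes' thresholds.

SAFES = {  # safe -> (threshold, owners); an owner may be a key or another Safe
    "eth-bridge-safe": (3, ["eth-k1", "eth-k2", "eth-k3", "eth-k4", "eth-k5"]),
    "bsc-token-safe": (3, ["bsc-k1", "bsc-k2", "bsc-k3", "bsc-k4", "bsc-k5"]),
    "eth-token-safe": (4, ["c1", "c2", "c3", "c4", "c5", "c6", "c7"]),
}
CONTROLS = {  # principal -> what it administers (which may administer more)
    "hot-admin-key": ["eth-admin-hot-wallet"],
    "eth-bridge-safe": ["eth-bridge-ProxyAdmin"],
    "eth-bridge-ProxyAdmin": ["eth-bridge"],
    "bsc-token-safe": ["bsc-token-ProxyAdmin"],
    "bsc-token-ProxyAdmin": ["bsc-token"],
    "eth-token-safe": ["eth-token-ProxyAdmin"],
    "eth-token-ProxyAdmin": ["eth-token"],
}
HOSTS = {  # host -> key material stored or backed up there
    "dev-laptop": {"hot-admin-key", "eth-k1", "eth-k2", "eth-k3",
                   "bsc-k1", "bsc-k2", "bsc-k3"},
    "signer-1": {"c1"},
    "signer-2": {"c2", "eth-k4"},
}

def blast_radius(keys):
    """Everything reachable from `keys`, expanded until nothing new is added."""
    held = set(keys)
    while True:
        # Anything a held principal administers directly.
        new = {t for p in held for t in CONTROLS.get(p, [])}
        # Any Safe whose threshold is met by held owners.
        new |= {s for s, (n, owners) in SAFES.items()
                if sum(o in held for o in owners) >= n}
        if new <= held:
            return held - set(keys)
        held |= new

def audit():
    """Map each host to the assets its compromise alone would control."""
    reach = {host: sorted(blast_radius(keys)) for host, keys in HOSTS.items()}
    return {host: assets for host, assets in reach.items() if assets}

if __name__ == "__main__":
    for host, assets in audit().items():
        print(f"{host}: single-host compromise controls {assets}")
```

Any host that appears in the output holds enough key material to defeat a multisig on its own, regardless of how many owners the Safe has on paper.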
Humanity said it is still investigating when the attacker first gained access, how the malware compromised the device, and how long the attacker held the keys before executing the attack. The team said it has engaged external security experts for a forensic investigation and is working on a recovery program for affected victims.
The H token plunged more than 90% after the incident late Monday and early Tuesday, before rebounding over 100% by Tuesday morning. The token was recently trading near $0.21, still down nearly 70% from its pre-exploit level of about $0.68.
Disclosure: This article was edited by Estefano Gomez. For more information on how we create and review content, see our Editorial Policy.