Humanity's $36 million exploit tied to compromised laptop hosting a 'multisig' wallet

The compromised laptop held enough multisig keys to take over the project's bridges on two chains, a basic security failure for a startup backed by Pantera and Jump Crypto.

What to know:

• Humanity Protocol said a hacker stole more than $36 million in H tokens after compromising an employee’s laptop that stored multiple bridge admin keys.
• The attacker used three of six Ethereum keys and three of five BNB Chain keys, all kept on the same device, to seize control of token bridges, deploy malicious code and drain or mint hundreds of millions of H tokens.
• The project has halted bridge deposits and withdrawals, is working with exchanges and law enforcement, and faces scrutiny as H trades well below its pre-breach level.

Humanity Protocol explained how attackers were able to steal more than $36 million of its H token, and the cause was a serious lapse in how it secured its keys.

In an incident update shared with CoinDesk, the decentralized identity project said the breach started when an employee's laptop was compromised. The machine held several keys that controlled the project's token bridges, the tools that move H (and other tokens) between blockchains.

Those bridges ran through multisignature wallets, which require a number of separate keys to approve any change. A multisignature wallet is supposed to spread keys across different people and devices so that no single machine can move funds.

In this case, all the keys were stored on a single device, meaning a compromise allowed the exploier to cross the approval threshold on both chains, Humanity said.

The attacker obtained three of the six keys controlling the bridge's admin account on Ethereum, enough to seize controls linked to the project's deployment on the network.

The attacker then transferred ownership to their own wallet, swapped the bridge's code for a malicious version and drained about 141 million H in one transaction.

In a Telegram message to CoinDesk, Humanity founder Terence Kwok said the team had set up a multisig wallet across four individuals (as it should have).

Humanity suspects that "some of the keys were accidentally backed up to a compromised device during setup," Kwok said. "We use a licensed custodian for the majority of token treasury, mpc for operations treasury, and for certain contracts multisig keys were set up in one place and then dispersed.

"Unfortunately in this scenario, the keys were backed up on a compromised device," he said.

The attacker executed similar steps on BNB Chain with three of five keys. This time, installing code with an unlimited mint function, which allowed the creation of tokens at will, and minted about 200 million new H straight to their wallet.

Humanity has since removed the team page from its website. The project said it has halted deposits and withdrawals on the affected bridges and is working with exchanges and the police to recover funds.

Humanity raised $20 million from Pantera Capital and Jump Crypto last year at a $1.1 billion valuation.

ZachXBT, a prominent onchain investigator, said the key compromise and a separate round of suspicious market-making in the token were not connected.

He also raised questions about how the token traded in the weeks before the breach, ahead of a large scheduled token unlock, as H token prices shot up from 20 cents to 70 cents within two weeks.

The token has clawed back some of the lost ground. After falling as low as about 5 cents during the attack, it recovered to around 20 cents, according to CoinGecko data. It remains well below the roughly pre-breach level of 67 cents.

More For You

Crypto prices rose on Monday following last week's crash, but the bears still appear to be in control.

BlackRock warns of energy shock as May CPI is set to show acceleration in inflation

2 minutes ago

Live updates: bitcoin drifts back to $62,500, putting damper on hope for two straight up days

8 minutes ago

Wall Street will run entirely on the blockchain by 2030, says Brickken CEO

51 minutes ago

Bitcoin's bounce isn't a bullish revival, with anything from $68,000 to $80,000 seen as a marker

1 hour ago

Strategy's bitcoin purchase fails to stir BTC price

2 hours ago

Circle debuts cirBTC on Ethereum to challenge Coinbase in the wrapped bitcoin market

2 hours ago

Humanity Protocol token crashes more than 80% after a $32 million private-key hack

8 hours ago

Forehead tattoos and alcohol dares: Inside the dark underbelly of crypto's memecoin craze

14 hours ago

USDT's flashing a golden cross and that may be bad news for bitcoin

3 hours ago

Saylor blamed AI for bitcoin crash. Arca has one word for that: Nonsense

7 hours ago

Influential research firm that caused AI stock meltdown lays out Hyperliquid as 'compelling' idea

18 hours ago