Humanity Protocol $36M hack tied to North Korean threat actors


In brief

  • Phishing email impersonating Bithumb delivered malware to employee laptop, stealing $36 million in Humani tokens.
  • Malware signed with South Korean Hancom certificate, a pattern characteristic of DPRK intrusions per Quantstamp.
  • North Korea-linked actors have stolen $6.75 billion in crypto over the past decade across 263 incidents.

Attack vector and credential theft

A phishing email disguised as a Bithumb token lockup schedule update contained the malicious attachment. Once opened, the malware installed full remote access capabilities on the compromised laptop. Attackers then used this access to extract MetaMask wallet credentials and private keys belonging to Humanity Protocol director Chong Yee Wai, giving them direct control over the stolen funds.

The specifics matter. The malware was signed with a South Korean Hancom digital certificate, a pattern Quantstamp described as "characteristic of DPRK intrusions." This code-signing technique—using legitimate regional certificates to evade detection—aligns with known North Korean operational tradecraft.
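Because the malware carried a valid signature, a control that only asks "is it signed?" would have passed it. The added example below (not code from Quantstamp, CertiK or Humanity Protocol) triages attachment-execution events by comparing the signer against the publishers an organisation actually deploys. The event fields, the allowlist, the scoring weights and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Assumption: publishers this organisation actually deploys software from.
EXPECTED_SIGNERS = {"Example Corp IT"}

@dataclass
class ExecEvent:
    host: str
    file_name: str
    origin: str            # how the file arrived: "email", "browser", "software_center"
    sig_valid: bool        # signature chain verified
    signer: Optional[str]  # organisation named in the signing certificate
    wallet_host: bool      # host stores wallet keys or signing credentials

def triage(ev: ExecEvent):
    """Return (severity, reasons). A valid signature lowers nothing by itself."""
    score, reasons = 0, []
    if ev.origin == "email":
        score += 2
        reasons.append("executed from an e-mail attachment")
    if not ev.sig_valid:
        score += 2
        reasons.append("unsigned or invalid signature")
    elif ev.signer not in EXPECTED_SIGNERS:
        # Validly signed, but by a publisher we never deploy: same weight as unsigned.
        score += 2
        reasons.append(f"valid signature from unexpected signer: {ev.signer}")
    if ev.wallet_host and score:
        # Escalate only when something else is already suspicious.
        score += 1
        reasons.append("host holds wallet keys")
    severity = "high" if score >= 4 else "medium" if score >= 2 else "low"
    return severity, reasons

# Constructed sample events; host names, file names and signers are invented.
EVENTS = [
    ExecEvent("lap-01", "lockup_schedule_update.exe", "email", True,
              "Example Regional Software Vendor", True),
    ExecEvent("lap-02", "vpn_client.exe", "software_center", True,
              "Example Corp IT", True),
    ExecEvent("lap-03", "tool.exe", "browser", False, None, False),
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev.host, ev.file_name, *triage(ev))
```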

Scale of North Korean crypto theft

The Humanity Protocol hack fits a broader pattern. North Korea-linked threat actors were tied to at least $578 million of the $634 million stolen in crypto-related incidents in April, according to CertiK analysis. Over the past decade, North Korea-linked actors have stolen an estimated $6.75 billion in cryptocurrency across 263 documented incidents.

According to a May report by CertiK, the same actors have been linked to about $2 billion of the $3.4 billion lost to crypto exploits in 2025, while accounting for 12% of total incidents. The scale reveals how systematized these operations have become.

CertiK's assessment is blunt. The blockchain security firm stated that North Korea has "industrialized" crypto theft into a core state revenue mechanism, making these operations a substantial share of the regime's external income.

North Korea's response

Denial remains standard. On May 3, a North Korean Foreign Ministry spokesperson rejected cybercrime allegations in a statement carried by the Korean Central News Agency. The spokesperson accused the US of spreading "incorrect" narratives about the "non-existent 'cyber threat'" from North Korea.

Such denials are routine. What's changed is the volume and sophistication of the evidence trail.

Frequently asked questions

How did attackers access Humanity Protocol's funds?

A phishing email impersonating Bithumb delivered malware that installed remote access to an employee's laptop. Attackers then extracted the MetaMask wallet credentials and private keys of Humanity Protocol director Chong Yee Wai, enabling them to transfer the stolen funds.

What evidence links this hack to North Korea?

The malware was signed with a South Korean Hancom digital certificate, a code-signing pattern Quantstamp described as characteristic of DPRK intrusions. This technique aligns with known North Korean operational tradecraft used to evade detection.

How much has North Korea stolen in crypto historically?

Over the past decade, North Korea-linked actors have stolen an estimated $6.75 billion in cryptocurrency across 263 documented incidents. In 2025 alone, they've been linked to about $2 billion of the $3.4 billion lost to crypto exploits.