Humanity Protocol blames H token exploit on compromised developer machine

In brief

  • Malware on developer machine exposed private keys to token and bridge infrastructure.
  • Attacker stole 6M H from Ethereum wallet, drained 141M from bridge, minted 300M on BSC.
  • 447 million H lost; Ethereum token frozen, BSC token deemed unrecoverable.
  • H token fell 90% then rebounded, now trading 70% below pre-exploit price.

The Attack Vector

A colleague's machine was infected with malware, giving the attacker root access. The real problem: several production keys were inadvertently backed up on that machine during Humanity Protocol's mainnet launch around June 2025. Those keys included an admin hot wallet key, three Ethereum Safe owner keys, and three BSC Safe owner keys.

Once the keys were exposed, the attacker moved fast, first stealing about 6 million H from an admin hot wallet on Ethereum, then draining roughly 141 million H from the Ethereum bridge after taking control of its ProxyAdmin. On BSC, the damage was worse: the attacker minted 300 million H after compromising three Safe owner keys tied to the BSC token's ProxyAdmin. The total: approximately 447 million H across both chains.
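A defensive sweep for the failure described in this section, production keys left in backups on a workstation, as an added example that is not from Humanity Protocol or the original article. It flags encrypted Web3 Secret Storage keystore files and raw 64-hex strings that are valid secp256k1 scalars; the function names, finding labels and size limit are assumptions chosen for illustration.

```python
import json
import os
import re

# secp256k1 group order: a valid private key is an integer in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
# Exactly 64 hex chars (optional 0x), not embedded in a longer hex run.
HEX_KEY = re.compile(r"(?<![0-9a-fA-F])(?:0x)?([0-9a-fA-F]{64})(?![0-9a-fA-F])")


def classify(text):
    """Return the set of key-material kinds found in one file's text."""
    try:
        doc = json.loads(text)
    except (ValueError, RecursionError):
        doc = None
    if isinstance(doc, dict):
        crypto = doc.get("crypto") or doc.get("Crypto")
        if isinstance(crypto, dict) and "ciphertext" in crypto and "kdf" in crypto:
            # Web3 Secret Storage keystore: encrypted, but still a key backup.
            # Return early: its ciphertext/mac fields are 64-hex and would
            # otherwise be double-reported as raw key candidates.
            return {"encrypted-keystore"}
    kinds = set()
    for match in HEX_KEY.finditer(text):
        value = int(match.group(1), 16)
        # Tx and block hashes share this shape, so this is a candidate only.
        if 0 < value < SECP256K1_N:
            kinds.add("raw-hex-key-candidate")
    return kinds


def scan_tree(root, max_bytes=1_000_000):
    """Walk root and map relative file path -> sorted kinds of findings."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    kinds = classify(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if kinds:
                findings[os.path.relpath(path, root)] = sorted(kinds)
    return findings
```

A hit on a raw hex candidate needs manual review, since transaction hashes match the same pattern; any confirmed key found this way should be rotated rather than just deleted.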

Containment and Fallout

Humanity moved to limit further damage. The Ethereum H token was frozen by a clean 4 of 7 Safe after the incident, and the Ethereum token ProxyAdmin remains under clean Safe control. But BSC proved uncontainable: the attacker still controls the BSC token's ProxyAdmin, meaning they can continue minting, pausing, or draining tokens. The team described the BSC H token as unrecoverable and said it should be treated as permanently compromised.

One bright spot: the canonical Arbitrum bridge was unaffected and still holds roughly 87 million H.

The token market reacted sharply. The H token plunged more than 90% after the incident late Monday and early Tuesday, then rebounded over 100% by Tuesday morning. It was recently trading near $0.21, still down nearly 70% from its pre-exploit level of about $0.68.

What's Next

Humanity Protocol emphasized that the attack was not caused by a flaw in its smart contracts, bridge code, or Safe setup — the issue was purely operational. The team said it's engaged external security experts for a forensic investigation and is working on a recovery program for affected victims.