Humanity Protocol, a palm-scan-based decentralized identity project backed by $50 million in venture funding, lost over $36 million in a coordinated attack across Ethereum and BNB Smart Chain on June 8-9, 2026. The root cause was a catastrophic operational security failure: an employee stored multiple bridge admin keys on a single laptop, giving attackers direct access to the protocol’s most sensitive administrative functions once they compromised that device.
According to Humanity Protocol’s post-mortem, the breach unfolded through three attack vectors. First, an admin’s hot wallet private key was stolen directly, resulting in the theft of approximately 6 million H tokens. Second, attackers used three of six Gnosis Safe owner keys controlling the Hyperlane bridge ProxyAdmin on Ethereum, all stored on the same laptop, to transfer ownership of the ProxyAdmin contract and upgrade the bridge to a malicious version, draining approximately 141 million H tokens. Third, on BNB Smart Chain, attackers compromised three of five multisig keys, also from the same device, seized the token contract’s proxy admin, and minted 300 million additional H tokens, flooding supply and amplifying the price collapse.
In total, approximately 447 million H tokens were lost or illegally minted. The attacker converted the stolen funds into 18,510 ETH worth roughly $30.8 million and 1,548 BNB worth approximately $924,000. The H token fell from $0.67 to as low as $0.05 before recovering slightly to around $0.13, a drop of approximately 89% within 24 hours.
Founder Terence Kwok confirmed the private key compromise. On-chain analyst ZachXBT complicated the narrative further by alleging the incident was “possibly staged,” suggesting a market maker may have offloaded a position under cover of an exploit. Humanity Protocol has not publicly addressed the allegation.
The project has halted bridge deposits and withdrawals and is working with security firms and law enforcement. The exploit has added to a brutal 2026 for crypto security, with April closing as the most-hacked month in industry history with nearly 30 separate incidents, including the $285 million Drift Protocol exploit and $292 million Kelp DAO breach, both involving private key compromises.
The H token plunged more than 90% after the incident late Monday and early Tuesday, before rebounding over 100% by Tuesday morning. The token was recently trading near $0.21, still down nearly 70% from its pre exploit level of about $0.68.
