
exploit

Humanity Protocol drained ~$36M after multisig keys traced to employee laptop

Coordinated Ethereum + BSC attack on Humanity Protocol's Hyperlane bridge: 141.2M H drained, 200M minted on BSC, ~$36M stolen. Team blames a compromised employee laptop; H down ~86%.

by 6 min read

Humanity Protocol — the proof-of-humanity / palm-scan identity project trading as H — confirmed on June 8 that its Hyperlane bridge ProxyAdmin multisig was taken over by an attacker who drained tokens on Ethereum and minted fresh supply on BNB Chain. Total losses tracked across both chains are reported at roughly $32M–$36M depending on source and pricing window. The Humanity Foundation attributed the breach to a single foundation member's private keys, then expanded its account to "a member's laptop" being compromised. H fell roughly 86% in 24 hours.

What happened

According to the Humanity Foundation's own incident statement on X (republished across the secondary outlets below), the attacker obtained signing material for the 3-of-6 Gnosis Safe controlling the Hyperlane bridge's ProxyAdmin on Ethereum and the 3-of-5 Safe controlling the equivalent contract on BSC. The two sides of the attack ran in parallel:

  • Ethereum. The attacker used the compromised Safe to transfer ProxyAdmin ownership to their own address, upgraded the bridge to a malicious implementation, and pulled approximately 141.2 million H in a single transaction from bridge-controlled wallets.
  • BSC. Same takeover pattern. The attacker deployed a malicious implementation that exposed an unlimited mint, then minted ~200 million H across two transactions and routed the new supply into the liquid market. On-chain tracker Lookonchain reported one of the two BSC mints — 100M H, ~$11.4M at the time — at block height 103,140,908 at 02:09 UTC.

The attacker progressively swapped the drained and minted H for ETH and BNB. The Foundation said it has paused bridge deposits and withdrawals across affected infrastructure and is working with exchanges and law enforcement to trace funds.

Token contracts for reference: H on Ethereum 0xcf5104d094e3864cfcbda43b82e1cefd26a016eb, H on BNB Chain 0x44f161ae29361e332dea039dfa2f404e0bc5b5cc. The specific attacker addresses circulated by Lookonchain and ZachXBT are not reproduced here pending independent on-chain verification — anyone walking the trail can do so directly from the proxy upgrade transactions on the two token contracts.

Mechanism — proxy admin takeover, not a contract bug

Hyperlane's interchain mailbox contracts use OpenZeppelin's transparent proxy pattern. Behind every bridge endpoint sits a ProxyAdmin contract that holds the right to swap the implementation pointer of the proxy. Whoever controls the ProxyAdmin controls what the bridge code actually executes.

In Humanity's deployment the ProxyAdmin was owned by a multisig — 3-of-6 on Ethereum, 3-of-5 on BSC. The contracts behaved as designed. The threshold did not. Compromise enough signers and a transparent-proxy bridge becomes a faucet with a switch the attacker now holds. That is the path the attacker took: legitimate upgradeAndCall from a Safe whose threshold had been silently met by a single attacker, pointing the proxies at implementations that drained or minted at will.

The Humanity team's own diagnosis — that an employee's laptop carried the signing material for multiple Safe owners — is consistent with what auditors have warned about multisig hygiene for years: signers need to be operationally distinct devices, not labels in the same browser profile.
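The takeover leaves a recognisable on-chain trail: an OwnershipTransferred event on the ProxyAdmin, then Upgraded (or AdminChanged) events on the bridge proxies pointing at code nobody approved. The monitor below is an added example written for this article, not Humanity Protocol's, Hyperlane's or OpenZeppelin's own tooling. It assumes logs shaped like eth_getLogs output and runs offline on constructed records; every contract, signer and implementation address in it is a placeholder, not the real deployment. The event topic hashes are the standard OpenZeppelin / ERC-1967 signatures.

```python
"""Flag ProxyAdmin ownership changes and proxy upgrades in EVM event logs.

Added example for this article, not the project's own monitoring code.
Input records mimic JSON-RPC eth_getLogs entries (address, topics, data).
"""
from dataclasses import dataclass

# keccak256 of the standard event signatures (OpenZeppelin Ownable / ERC-1967 proxy)
TOPIC_OWNERSHIP_TRANSFERRED = "0x8be0079c531659141344cd1fd0a4f28419497f9722a3daafe3b4186f6b6457e0"  # OwnershipTransferred(address,address)
TOPIC_UPGRADED = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"               # Upgraded(address)
TOPIC_ADMIN_CHANGED = "0x7e644d79422f17c01e4894b5f4f588d331ebfa28653d42ae832dc59e38c9798f"          # AdminChanged(address,address)


def word_to_address(word: str) -> str:
    """Take the low 20 bytes of a 32-byte topic/data word as a 0x address."""
    w = word[2:] if word.startswith("0x") else word
    return "0x" + w[-40:].lower()


@dataclass(frozen=True)
class Alert:
    severity: str  # "critical" or "info"
    contract: str
    kind: str
    detail: str


def scan_logs(logs, proxy_admin, proxies, approved_impls, expected_owner):
    """Return alerts for admin-owner changes and proxy upgrades seen in `logs`."""
    proxy_admin = proxy_admin.lower()
    proxies = {p.lower() for p in proxies}
    approved = {i.lower() for i in approved_impls}
    expected_owner = expected_owner.lower()
    alerts = []
    for log in logs:
        addr, topics = log["address"].lower(), log["topics"]
        sig = topics[0].lower()
        if addr == proxy_admin and sig == TOPIC_OWNERSHIP_TRANSFERRED:
            # both owner params are indexed, so they live in topics[1]/topics[2]
            old, new = word_to_address(topics[1]), word_to_address(topics[2])
            sev = "info" if new == expected_owner else "critical"
            alerts.append(Alert(sev, addr, "proxyadmin_owner_changed", f"ProxyAdmin owner {old} -> {new}"))
        elif addr in proxies and sig == TOPIC_UPGRADED:
            impl = word_to_address(topics[1])
            sev = "info" if impl in approved else "critical"
            alerts.append(Alert(sev, addr, "implementation_changed", f"proxy now executes {impl}"))
        elif addr in proxies and sig == TOPIC_ADMIN_CHANGED:
            # AdminChanged params are not indexed: two 32-byte words in `data`
            data = log["data"][2:]
            new_admin = word_to_address(data[64:128])
            if new_admin != proxy_admin:
                alerts.append(Alert("critical", addr, "proxy_admin_changed", f"proxy admin is now {new_admin}"))
    return alerts


def _pad(addr: str) -> str:
    """ABI-encode an address as a 32-byte topic word."""
    return "0x" + addr[2:].lower().rjust(64, "0")


# Constructed placeholder addresses (not the real Humanity / Hyperlane contracts)
SAFE = "0x" + "a1" * 20
ATTACKER = "0x" + "bb" * 20
PROXY_ADMIN = "0x" + "c3" * 20
BRIDGE_PROXY = "0x" + "d4" * 20
GOOD_IMPL = "0x" + "e5" * 20
EVIL_IMPL = "0x" + "f6" * 20

# Constructed log sample reproducing the takeover sequence described in the article
SAMPLE_LOGS = [
    {"address": PROXY_ADMIN, "topics": [TOPIC_OWNERSHIP_TRANSFERRED, _pad(SAFE), _pad(ATTACKER)], "data": "0x"},
    {"address": BRIDGE_PROXY, "topics": [TOPIC_UPGRADED, _pad(EVIL_IMPL)], "data": "0x"},
    {"address": BRIDGE_PROXY, "topics": [TOPIC_UPGRADED, _pad(GOOD_IMPL)], "data": "0x"},   # routine, approved
    {"address": "0x" + "99" * 20, "topics": [TOPIC_UPGRADED, _pad(EVIL_IMPL)], "data": "0x"},  # unrelated contract
    {"address": BRIDGE_PROXY, "topics": [TOPIC_ADMIN_CHANGED], "data": "0x" + _pad(PROXY_ADMIN)[2:] + _pad(ATTACKER)[2:]},
]


def demo():
    return scan_logs(SAMPLE_LOGS, PROXY_ADMIN, [BRIDGE_PROXY], [GOOD_IMPL], SAFE)


if __name__ == "__main__":
    for a in demo():
        print(f"[{a.severity}] {a.kind} on {a.contract}: {a.detail}")
```

Run against the sample it raises three critical alerts (ProxyAdmin ownership leaving the Safe, the proxy pointing at an unapproved implementation, the proxy's admin slot being moved off the ProxyAdmin) and one informational alert for the approved upgrade; the Upgraded event from an unrelated contract is ignored. In production the same logic would sit behind a log subscription filtered on the ProxyAdmin and proxy addresses, with the approved-implementation set updated only through the normal release process.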

Numbers

- Stolen / minted (combined Ethereum + BSC): ~$32M–$36M (sources diverge)
- Ethereum drain: ~141.2M H, single transaction
- BSC mints: ~200M H across two transactions
- Tracked BSC mint #1: 100M H, ~$11.4M, block 103,140,908 at 02:09 UTC
- Attacker holdings (per tracker reports): 16,321 ETH + 1,764 BNB after swaps
- H 24h move: -86% to -89%
- Ethereum ProxyAdmin Safe: 3-of-6
- BSC ProxyAdmin Safe: 3-of-5

USD values use the rates cited by the secondary outlets at the time of the events. The total takes the higher of the two stolen-vs-minted figures rather than summing them, because some of the minted BSC supply was offloaded into liquidity that the attacker also drained.

Skeptical attribution

On-chain investigator ZachXBT initially flagged unusual market behavior and said the incident "could be staged" — citing pre-exploit trading patterns and inviting more analysis. He walked the framing back the same day, posting that after further laundering analysis the "sketchy MM/OTC and the private-key compromise are independent of one another and not related." That correction matters: the on-chain evidence supports a key compromise; the prior-trading questions are a separate inquiry.

No public attribution to a known actor (Lazarus, an OFAC-listed entity, an indicted ring) has been made. We do not call this a "Lazarus drain." Anyone doing so should be treated with the appropriate skepticism until a regulator, an indictment, or a sourced labeling firm puts a name on the wallets.

Impact and what to watch

  1. Bridge is paused; do not interact. The Foundation has halted deposits and withdrawals through affected Hyperlane endpoints. Until the team publishes new contract addresses and a fresh ProxyAdmin configuration, H cannot be safely bridged.
  2. Exchange traces. The attacker has been swapping at scale; expect freeze requests at venues where stolen-tagged ETH and BNB land. Watch Binance, OKX and the major DEX-aggregator routers for trace responses.
  3. Post-mortem and proxy rotation. A serious response is: rotate every ProxyAdmin Safe with signer keys generated on fresh hardware, raise the threshold above 3-of-{small set}, and publish per-signer attestation. Anything less leaves the same primitive open.
  4. Listings under review. Centralized exchanges typically pause trading during inflation events of this size. Whether H trades resume — and on what supply assumption — is the next concrete decision point for holders.
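The rotation step above turns on one question: how many operationally distinct devices does an attacker have to compromise before the Safe threshold is met? A 3-of-6 Safe with three owner keys on one laptop is effectively 1-of-N. The helper below is an added example, not the Humanity Foundation's tooling; the signer rosters are constructed, and an operator would feed it their own signer-to-device records.

```python
"""Effective threshold of a Safe given where each owner key actually lives.

Added example for this article, not the project's own code. Signer names and
device labels are constructed placeholders.
"""
from collections import Counter, defaultdict


def compromises_needed(threshold, signer_device):
    """Minimum number of distinct devices whose keys together meet `threshold`.

    Greedy on the devices holding the most keys is optimal here, because
    picking the largest buckets first reaches any target sum with the
    fewest buckets. Returns None if the roster cannot reach the threshold.
    """
    counts = sorted(Counter(signer_device.values()).values(), reverse=True)
    reached = needed = 0
    for c in counts:
        if reached >= threshold:
            break
        reached += c
        needed += 1
    return needed if reached >= threshold else None


def shared_devices(signer_device):
    """Devices that hold more than one owner key, with the keys they hold."""
    by_device = defaultdict(list)
    for signer, device in signer_device.items():
        by_device[device].append(signer)
    return {d: sorted(s) for d, s in by_device.items() if len(s) > 1}


def assess(name, threshold, signer_device):
    needed = compromises_needed(threshold, signer_device)
    return {
        "safe": name,
        "nominal": f"{threshold}-of-{len(signer_device)}",
        "devices_to_compromise": needed,
        "single_point_of_failure": needed == 1,
        "shared_devices": shared_devices(signer_device),
    }


# Constructed roster: three of six owner keys loaded on the same operator laptop
WEAK_ROSTER = {
    "signer-1": "laptop-ops-1",
    "signer-2": "laptop-ops-1",
    "signer-3": "laptop-ops-1",
    "signer-4": "hw-wallet-A",
    "signer-5": "hw-wallet-B",
    "signer-6": "hw-wallet-C",
}

# Constructed roster after rotation: every key on its own hardware device, higher threshold
HARDENED_ROSTER = {f"signer-{i}": f"hw-wallet-{i}" for i in range(1, 8)}


def demo():
    return assess("bridge-proxyadmin", 3, WEAK_ROSTER), assess("bridge-proxyadmin", 4, HARDENED_ROSTER)


if __name__ == "__main__":
    for report in demo():
        print(report)
```

For the weak roster the report says a nominal 3-of-6 Safe falls to a single device compromise and names the shared laptop; for the rotated 4-of-7 roster it takes four independent device compromises. The "per-signer attestation" the article asks for is what makes the signer-to-device mapping trustworthy enough to run this check against.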

Context — fourth multisig-keys compromise of a bridge in three months

This is the same failure mode Blockchain Posts has now covered multiple times in a short window: not contract bugs, but custody of the keys that authorize the contracts. Within the last six weeks alone:

Humanity Protocol joins that list with a clean recurrence: the contracts behaved as written; the multisig did not. Until proxy-admin custody for bridges moves to hardware-root-of-trust signing across operationally distinct signers — not "three Safe owners on the same laptop" — the primitive will keep being exploited. The pattern is the news.

Sources:
