Humanity Protocol confirmed the unauthorized extraction of over 36 million dollars in H tokens on June 8, 2026. The organization detailed the technical incident through an official protocol update post. The initial vector for the security incident involved the compromise of an employee’s laptop. This specific hardware device contained accidental backups of the administrative owner keys.
INCIDENT UPDATE:
Last night, June 8, the H token was hit by a coordinated attack across Ethereum and BSC. While we’re still investigating this incident, we want to be transparent with our community about what happened.
As of right now, ~$36M+ has been stolen across both chains…
— Humanity (@Humanityprot) June 9, 2026
The attackers successfully seized three of six multisig keys tied to the project’s Gnosis Safe scheme. This level of access allowed them to modify critical bridge administration parameters. The intrusion simultaneously affected the bridging operations on the Ethereum and BNB Chain networks. After acquiring the necessary permissions, malicious actors replaced the original smart contracts with altered versions.
On the Ethereum network, the modification facilitated the draining of 141.2 million tokens. This unusual flow of digital assets has been widely documented by the coverage of blockchain technology.
The exploitation method deployed on BNB Chain presented specific technical variations. The attackers incorporated an anomalous function to create unrestricted liquidity directly within the internal bridge structure. Using this altered function, they generated 200 million additional tokens directly and immediately. Subsequently, they routed these newly minted assets into a cryptocurrency wallet under their absolute control.
Terence Kwok, the founder of the initiative, explained the underlying operational failure. According to the executive, the access keys were initially distributed among four different individuals within the organization. During the contract configuration process, the development team generated the cryptographic signatures in a single environment. The accidental backup on the compromised device occurred during this specific technical phase.
The primary token treasury currently operates under the direct management of a commercially licensed custodian. Additionally, regular operational funds utilize multiparty computation technology to safely authorize financial transactions. However, the specific bridge contracts relied directly on the compromised multisignature setup. This temporary concentration of authority generated a single point of failure at the basic infrastructure level.
The financial impact on secondary markets materialized immediately. Following the public disclosure of the private key compromise, the trading value of the H token experienced a severe decline.
The massive liquidation across the open market caused an immediate disruption in decentralized liquidity provision. The digital asset registered an abrupt 85 percent drop in value.
As an initial containment measure, the organization permanently halted all deposits and withdrawals. They are currently coordinating with centralized cryptocurrency exchanges to track the funds and block identified malicious addresses.
Forensic evaluation of transactions and patterns
you are hacked just before investor unlocks?
you want us to believe your story?
zero pic.twitter.com/uDkujmKPvZ
— Maran (@TheMaran) June 9, 2026
Security researchers detected anomalous behavioral patterns prior to the capital extraction. Elton Shehdula, lead researcher at Allium Labs, documented a detailed timeline of the attack using on-chain records.
The technical data reveals that the receiving wallets obtained initial funding from a centralized exchange and a cryptocurrency mixer. These preparatory transfers occurred weeks before the June 8 execution.
The minting authority of the smart contracts registered testing activity days before the definitive event. The final extraction of capital was executed simultaneously across both blockchain networks. Shehdula indicated that this particular level of preparation suggests a highly coordinated operation. The responsible actor likely maintained access to the compromised key for an extended period without acting.
Initially, the community questioned a potential relationship between the incident and the project’s over-the-counter activity. Blockchain investigator ZachXBT exhaustively reviewed the prior movements of registered market makers. The subsequent forensic analysis ruled out any direct links. The financial activity of the market makers operated completely independently of the cross-chain bridge vulnerability.
Hakan Unal from the firm Cyvers evaluated the on-chain patterns of the incident. He explained that the use of legitimate administrator rights makes it initially difficult to distinguish between internal and external events.
A genuine external intrusion usually shows haste, immediate transfers to fresh wallets, and the use of mixers. By design, it rarely coincides with the project’s own token unlock schedules.
A planned internal event usually presents more orderly capital movements. It may show temporal proximity to supply consolidation events or returns to addresses closely linked to the core development team. The current technical evidence presents mixed elements. Forensic firms and security analysts continue monitoring the asset routing paths to determine the exact nature of the extraction.
The developer team keeps all interactions with the bridge suspended. The publication of a final technical report detailing available recovery options remains pending for the upcoming weeks.
This article is for informational purposes and does not constitute financial advice.
