Humanity Says $36M H Token Exploit Stemmed From Keys on One Laptop
What happened?
Humanity Protocol said an attacker stole more than $36 million in H tokens after compromising an employee laptop that held multiple bridge admin keys. The incident exposed a basic multisig security failure, allowing the attacker to take control of bridges on Ethereum and BNB Chain.
Why it matters
Humanity has halted deposits and withdrawals on the affected bridges and said it is working with exchanges and police to recover funds. The project, which raised $20 million last year at a $1.1 billion valuation, also faces market scrutiny after H fell sharply during the attack and remained well below its reported pre-breach level.
Humanity Protocol said a hacker stole more than $36 million worth of its H token after compromising an employee laptop that contained multiple keys for the project’s token bridges. The bridges, which move H and other assets between blockchains, were controlled by multisignature wallets, but the compromised device held enough keys to meet the approval threshold on both Ethereum and BNB Chain.
The incident matters because multisig wallets are supposed to reduce single points of failure by spreading signing authority across different people and devices. In this case, Humanity said the keys were stored or backed up in one place, turning what should have been a layered security setup into a concentrated risk for a project backed by Pantera Capital and Jump Crypto.
On Ethereum, the attacker obtained three of six admin keys, transferred ownership to their own wallet, replaced bridge code with a malicious version and drained about 141 million H in one transaction, according to the project’s update cited by CoinDesk. On BNB Chain, the attacker used three of five keys and installed code with an unlimited mint function, creating about 200 million new H directly to their wallet.
Humanity founder Terence Kwok told CoinDesk the team had initially set up a multisig across four individuals, but the project suspects some keys were accidentally backed up to the compromised device during setup. He said Humanity uses a licensed custodian for most of its token treasury and MPC for operations treasury, while some contract multisig keys were set up together and then dispersed.
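The concentration failure described above can be caught by auditing a key-custody inventory for the smallest number of storage locations that together reach the signing threshold. This is an added example, not code from Humanity Protocol or the article: the thresholds (3 of 6 and 3 of 5) come from the article, while the key ids, device names and inventory layout are constructed for illustration.

```python
from itertools import combinations

def min_locations_to_threshold(key_locations, threshold):
    """Smallest set of storage locations whose keys reach the threshold.

    key_locations maps key id -> every place a copy lives (backups included).
    Returns (count, locations), or (None, ()) if the threshold is unreachable.
    """
    locations = sorted({loc for locs in key_locations.values() for loc in locs})
    for size in range(1, len(locations) + 1):
        for combo in combinations(locations, size):
            chosen = set(combo)
            # A key is exposed if any copy of it sits in a chosen location.
            exposed = sum(1 for locs in key_locations.values() if chosen & set(locs))
            if exposed >= threshold:
                return size, combo
    return None, ()

def audit(multisigs):
    """Flag every multisig where one location alone satisfies the threshold."""
    report = {}
    for name, cfg in multisigs.items():
        size, combo = min_locations_to_threshold(cfg["keys"], cfg["threshold"])
        report[name] = {"min_locations": size, "locations": combo,
                        "single_point_of_failure": size == 1}
    return report

# Constructed inventory: setup-time backups of k2 and k3 were left on one laptop.
CONCENTRATED = {
    "eth-bridge": {"threshold": 3, "keys": {
        "k1": ["laptop-A"], "k2": ["hw-B", "laptop-A"], "k3": ["hw-C", "laptop-A"],
        "k4": ["hw-D"], "k5": ["hw-E"], "k6": ["hw-F"]}},
    "bnb-bridge": {"threshold": 3, "keys": {
        "k1": ["laptop-A"], "k2": ["hw-B", "laptop-A"], "k3": ["hw-C", "laptop-A"],
        "k4": ["hw-D"], "k5": ["hw-E"]}},
}
# Constructed inventory: the same 3-of-6 scheme with one key per device, no copies.
DISPERSED = {
    "eth-bridge": {"threshold": 3,
                   "keys": {f"k{i}": [f"hw-{i}"] for i in range(1, 7)}},
}

if __name__ == "__main__":
    for label, inv in (("concentrated", CONCENTRATED), ("dispersed", DISPERSED)):
        for name, result in audit(inv).items():
            print(label, name, result)
```

The inventory has to list every copy of a key, including setup-time backups and cloud sync targets, because a forgotten copy is what collapses the number of locations an attacker must reach.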