Humanity Protocol confirmed that a compromised employee laptop led to the theft of over $36 million in H tokens. The attack, which occurred Monday, targeted the H token on both Ethereum and BNB Chain.
Attackers seized control after three out of six Gnosis Safe owner keys were compromised. They upgraded bridge contracts to malicious versions, draining 141.2 million tokens from Ethereum and minting 200 million more on BSC.
Founder Terence Kwok stated some multisig keys were accidentally backed up to the compromised device. The project has halted all bridge activity and is working with exchanges on recovery.
The H token plummeted 85% following the disclosure.
Security firms like ZachXBT and Cyvers are analyzing the pattern. While initial speculation linked the exploit to market maker or OTC activity, ZachXBT later concluded those actions were unrelated.
Cyvers' Hakan Unal noted that both genuine compromises and staged incidents look similar on-chain because the attacker holds legitimate admin rights. The difference lies in surrounding behavior: speed and improvisation suggest a genuine hack, while orderly movements near unlocks hint at insider coordination.
Allium Labs research lead Elton Shehdula found evidence of planning: wallets were funded weeks in advance, minting authority was "warmed up" days before, and the dump happened simultaneously on two chains. He said this points to either an insider or an outside actor who held the key for some time.
