Humanity Protocol explained how attackers were able to steal more than $36 million of its H token, and the reason was a serious flaw in how it secured its keys.
In an incident update shared with CoinDesk, the decentralized identity project said the breach started when an employee’s laptop was compromised. The machine had several keys that controlled the project’s token bridges, the tools that move H (and other tokens) between blockchains.
These bridges ran through multi-signature wallets, which require a number of separate keys to approve any change. A multi-signature wallet is meant to spread its keys across different people and devices so that no single machine can move money.
In this case, all the keys were stored on a single device, meaning a compromise of that one machine allowed the attacker to cross the approval threshold on both chains, Humanity said.
The attacker obtained three of the six keys controlling the bridge’s Ethereum admin account, enough to seize controls linked to the project’s rollout on the network.
The attacker then transferred ownership to their own wallet, swapped the bridge’s code for a malicious version, and drained around 141 million H in one transaction.
In a Telegram message to CoinDesk, Humanity founder Terence Kwok said the team had created a multisig wallet across four people (as it should have).
Humanity suspects that “some of the keys were accidentally backed up to a compromised device during setup,” Kwok said. “We use an authorized custodian for the majority of token treasury, mpc for operations treasury, and for certain contracts, multisig keys were set up in one place and then dispersed.
“Unfortunately, in this scenario, the keys were backed up on a compromised device,” he said.
The attacker performed similar steps on BNB Chain with three out of five keys. This time the attacker installed code with an unlimited mint function, which allowed the creation of tokens at will, and minted about 200 million new H directly into their wallet.
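As an added illustration (not code from Humanity Protocol or from the article), the following Python check models which device holds each signing key and reports how many devices an attacker must compromise to reach a multisig threshold. The device names and key layouts are constructed to mirror the 3-of-6 Ethereum and 3-of-5 BNB Chain setups described above, alongside a properly dispersed layout for comparison.

```python
from collections import Counter

# Constructed key-custody maps (key label -> device holding it). Device names
# are hypothetical; the layouts mirror the 3-of-6 and 3-of-5 thresholds above.
ETH_ADMIN_AS_DEPLOYED = {
    "eth-key-1": "employee-laptop", "eth-key-2": "employee-laptop",
    "eth-key-3": "employee-laptop", "eth-key-4": "hw-wallet-b",
    "eth-key-5": "hw-wallet-c", "eth-key-6": "hw-wallet-d",
}
ETH_ADMIN_DISPERSED = {
    "eth-key-1": "hw-wallet-a", "eth-key-2": "hw-wallet-b",
    "eth-key-3": "hw-wallet-c", "eth-key-4": "hw-wallet-d",
    "eth-key-5": "hw-wallet-e", "eth-key-6": "hw-wallet-f",
}
BNB_ADMIN_AS_DEPLOYED = {
    "bnb-key-1": "employee-laptop", "bnb-key-2": "employee-laptop",
    "bnb-key-3": "employee-laptop", "bnb-key-4": "hw-wallet-b",
    "bnb-key-5": "hw-wallet-c",
}

def devices_to_reach_threshold(key_to_device, threshold):
    """Fewest distinct devices whose compromise yields at least `threshold` keys.
    Greedy over the devices holding the most keys; None if unreachable."""
    per_device = sorted(Counter(key_to_device.values()).values(), reverse=True)
    acquired = 0
    for n_devices, held in enumerate(per_device, start=1):
        acquired += held
        if acquired >= threshold:
            return n_devices
    return None

def audit_multisig(name, key_to_device, threshold):
    """Summarise whether a single device compromise crosses the approval threshold."""
    n = devices_to_reach_threshold(key_to_device, threshold)
    return {
        "wallet": name,
        "scheme": f"{threshold}-of-{len(key_to_device)}",
        "devices_to_compromise": n,
        "single_device_is_fatal": n == 1,
    }

if __name__ == "__main__":
    for name, layout, t in [("eth-admin", ETH_ADMIN_AS_DEPLOYED, 3),
                            ("eth-admin-dispersed", ETH_ADMIN_DISPERSED, 3),
                            ("bnb-admin", BNB_ADMIN_AS_DEPLOYED, 3)]:
        print(audit_multisig(name, layout, t))
```

Running the check on the as-deployed layouts reports that one device compromise is enough, while the dispersed layout requires three separate devices to be compromised.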
Humanity has since removed the team page from its website. The project said it has halted deposits and withdrawals on the affected bridges and is working with exchanges and the police to recover funds.
Humanity raised $20 million from Pantera Capital and Jump Crypto last year at a valuation of $1.1 billion.
ZachXBT, a prominent onchain investigator, said the key compromise and a separate round of suspicious market-making in the token were not connected.
He also raised questions about how the token was trading in the weeks leading up to the breach, ahead of a major planned token unlock, as H token prices rose from 20 cents to 70 cents within two weeks.
The token has regained some of the lost ground. After falling as low as around 5 cents during the attack, it recovered to around 20 cents, according to CoinGecko data. It remains well below the pre-breach level of 67 cents.