North Korea-Linked Phishing Triggers $36M Humanity Protocol Theft

Humanity Protocol, a blockchain identity network that uses palm-biometric "proof of humanity" credentials to distinguish real people from AI bots, disclosed on June 13 that attackers linked to North Korea stole roughly $36 million in H tokens. According to an investigation by security firm Quantstamp, the attackers compromised a single developer's malware-infected laptop and recovered seven private keys, mistakenly left as backups since the project's June 2025 mainnet launch, then used those valid credentials, not a smart-contract exploit, to drain about 141 million H tokens from its Ethereum bridge. The H token lost 80-90% of its value within hours. Quantstamp linked the malware's tooling and certificate-signing pattern to North Korean threat actors, though some independent researchers say that specific state attribution remains a topic of discussion even as they agree on the attack method.
For teams running identity or authentication infrastructure, this incident is a reminder that credential hygiene on individual developer machines, not smart-contract code, was the actual failure point: a single infected laptop with leftover private-key backups was enough to drain a protocol built specifically to distinguish humans from AI-driven bots and fraud.
What happened
According to Humanity Protocol's June 13 disclosure and a Quantstamp investigation, attackers gained root access to a developer's malware-infected device that still held backups of seven private keys, an admin hot-wallet key plus three Ethereum Safe owner keys and three BNB Safe owner keys, dating back to the project's June 2025 mainnet launch. Using those valid credentials rather than exploiting any smart contract, the attackers authorized transfers and a contract upgrade with enough signatures to satisfy the Safe multisig threshold, then drained roughly 141 million H tokens (about $36 million) from the project's Ethereum bridge in a single transaction, minting additional tokens on BNB Smart Chain that were largely converted to ETH. Humanity Protocol said its bridge, token, and Safe contracts were not compromised; the breach was entirely a stolen-credential incident. The H token fell 80-90% within hours before partially recovering.
Security context
Quantstamp attributed the intrusion to North Korea-linked actors, citing malware tooling and a certificate-signing pattern (a Hancom digital certificate) it described as characteristic of DPRK operations. Independent on-chain investigators, including ZachXBT and Lookonchain, corroborated the malware-driven private-key theft as the attack mechanism, though state attribution specifically remains debated among some researchers even as the technical narrative is not in dispute. Humanity Protocol markets its palm-biometric "proof of humanity" credentials as a way to verify a real person is behind an online action, addressing the fact that CAPTCHAs and behavioral checks are increasingly bypassed by AI; the irony of an AI-adjacent identity-verification protocol being breached through conventional credential theft, rather than any AI-specific attack, underscores that operational security fundamentals still dominate as the practical risk in Web3/AI-identity infrastructure.
For practitioners
The failure mode here, private-key backups persisting on a developer workstation long after a launch event, is a generic and common one: it is a strong argument for hardware-backed key custody, backup expiration policies, and device isolation for anyone holding production signing keys, independent of whether the surrounding system involves AI or blockchain.
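As an added example (not code from Humanity Protocol, Quantstamp or the original report), a small Python hygiene check that walks a developer workstation's backup or home directories for Ethereum keystore JSON files and raw hex private keys and flags any older than a key-backup retention window; the sample tree it scans is constructed inline, and the file names and the 90-day threshold are assumptions.

```python
import json, os, re, tempfile, time
from pathlib import Path
# 32-byte private key as hex, with or without 0x. Caveat: any 32-byte hex
# value (e.g. a SHA-256 digest) matches too; raw-hex hits need human triage.
HEX_KEY_RE = re.compile(r"\b(?:0x)?[0-9a-fA-F]{64}\b")

def looks_like_keystore(text):
    # Web3 Secret Storage (geth-style) keystore: JSON with a crypto/Crypto object
    try:
        obj = json.loads(text)
    except ValueError:
        return False
    crypto = (obj.get("crypto") or obj.get("Crypto")) if isinstance(obj, dict) else None
    return isinstance(crypto, dict) and {"ciphertext", "kdf"} <= set(crypto)

def scan_for_stale_keys(root, max_age_days, now=None):
    # Walk root; report key-like files and whether they exceed the retention age.
    now = time.time() if now is None else now
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.stat().st_size > 1_000_000:
            continue  # skip directories and large binaries
        text = path.read_text(errors="ignore")
        if looks_like_keystore(text):
            kind = "keystore"
        elif HEX_KEY_RE.search(text):
            kind = "raw-hex"
        else:
            continue
        age_days = (now - path.stat().st_mtime) / 86400
        findings.append({"path": str(path), "kind": kind, "age_days": round(age_days, 1),
                         "stale": age_days > max_age_days})
    return findings

def build_sample_tree(root, now):
    # Constructed sample data: a year-old keystore backup and a fresh raw key in notes.
    old = Path(root) / "backups" / "UTC--2025-06-01--owner1.json"
    old.parent.mkdir(parents=True)
    old.write_text(json.dumps({"version": 3, "crypto": {
        "ciphertext": "00" * 32, "kdf": "scrypt", "cipher": "aes-128-ctr"}}))
    os.utime(old, (now - 400 * 86400,) * 2)
    fresh = Path(root) / "notes.txt"
    fresh.write_text("constructed, not a real key: 0x" + "ab" * 32 + "\n")
    os.utime(fresh, (now - 2 * 86400,) * 2)

def demo(max_age_days=90):
    now = time.time()
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root, now)
        hits = scan_for_stale_keys(root, max_age_days, now)
    return sorted((h["kind"], h["stale"]) for h in hits)
```

Run against a real home directory, the stale entries are the ones a backup-expiration policy should have already shredded; a clean run does not prove the absence of keys stored in other formats (mnemonics, hardware-wallet exports).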
What to watch
Whether Humanity Protocol publishes a full post-mortem and compensation plan, and whether Quantstamp's specific state attribution is independently confirmed by other threat intelligence firms tracking North Korea-linked crypto theft.
Key Points
- A single compromised developer laptop, not a smart-contract bug, let attackers drain about $36 million in H tokens using valid backed-up private keys.
- Quantstamp ties the malware and certificate-signing pattern to North Korea-linked actors, though independent researchers say the state attribution itself remains debated.
- Humanity Protocol's business is verifying humans against AI bots, making its own basic key-custody failure a notable lapse for an AI-adjacent identity infrastructure project.
Scoring Rationale
A well-documented crypto security incident with a clear, corroborated attack narrative (credential theft, not a protocol vulnerability), but its direct AI/ML relevance is indirect (an AI-adjacent 'proof of humanity' identity project). Pulled down from 7.4 given the original card's content was built on a source whose actual body does not cover this event at all; recalibrated to a notable-but-not-major security story once corrected.
Sources
Public references used for this report.