Compromised laptop led to $36M Humanity Protocol bridge hack

Attackers used a compromised employee laptop to seize three of six multisig keys, upgrade bridge contracts and steal $36M+ by draining 141.2M H on Ethereum and minting 200M H on BNB Chain.
Attackers used a compromised employee laptop to seize three of six Gnosis Safe owner keys, upgrade bridge contracts and drain or create more than $36 million in H tokens on Ethereum and BNB Chain. The protocol halted deposits and withdrawals on the affected bridges and is coordinating with exchanges and partners while investigating recovery options.
Humanity Protocol reported the breach occurred on Monday. Founder Terence Kwok explained that multisignature controls were distributed across four individuals but that some keys may have been backed up during initial setup to a compromised device. The team said it stores the majority of its token treasury with a licensed custodian and uses multiparty computation for its operations treasury, but that a subset of multisig keys had been created in one place and later dispersed, leaving backups on a potentially compromised endpoint.
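
The failure described above, where keys are generated in one place and backups stay on a single endpoint, can be checked for by inventorying every location each owner key has ever existed and computing how few endpoints an attacker needs to reach the signing threshold. The sketch below is an added example, not code from Humanity Protocol or Gnosis Safe; the signer names, the 2/2/1/1 key split and the `setup-laptop` endpoint are constructed assumptions.

```python
from itertools import combinations

def weakest_path(key_locations, threshold):
    """Smallest set of endpoints whose compromise exposes >= threshold owner keys.

    key_locations maps each Safe owner key to every endpoint (person or device)
    where the key material exists or has ever existed, backups included.
    Returns (endpoints, exposed_keys), or None if the threshold is unreachable.
    """
    endpoints = sorted(set().union(*key_locations.values()))
    for size in range(1, len(endpoints) + 1):
        for combo in combinations(endpoints, size):
            hit = set(combo)
            exposed = sorted(k for k, locs in key_locations.items() if locs & hit)
            if len(exposed) >= threshold:
                return combo, exposed
    return None

THRESHOLD = 3  # three of six owner keys, as in the article

# Constructed inventory: signer names, the 2/2/1/1 split and "setup-laptop"
# are assumptions chosen to match "six keys, four individuals, backups on
# one device"; they are not details from the incident report.
AS_DEPLOYED = {
    "owner1": {"alice", "setup-laptop"},
    "owner2": {"alice", "setup-laptop"},
    "owner3": {"bob", "setup-laptop"},
    "owner4": {"bob"},
    "owner5": {"carol"},
    "owner6": {"dave"},
}

# Same Safe after rotating every key onto a separate signer with no shared backup.
ROTATED = {f"owner{i}": {f"signer{i}"} for i in range(1, 7)}

def effective_threshold(key_locations, threshold=THRESHOLD):
    """Number of endpoints an attacker must compromise, or None if unreachable."""
    path = weakest_path(key_locations, threshold)
    return len(path[0]) if path else None

if __name__ == "__main__":
    for name, inv in (("as deployed", AS_DEPLOYED), ("rotated", ROTATED)):
        combo, exposed = weakest_path(inv, THRESHOLD)
        print(f"{name}: {len(combo)} endpoint(s) {combo} expose {exposed}")
```

In this constructed inventory the nominal 3-of-6 policy collapses to a single endpoint, and even with the laptop backups removed, six keys held by four people can be reached through two of them.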

With control of three of six Gnosis Safe owner keys, attackers performed administrative upgrades to the bridge contracts. On Ethereum the attackers drained about 141.2 million H tokens. On BNB Chain they added a minting function and minted 200 million H tokens directly to an attacker-controlled wallet. The H token’s market value fell by more than 85% after the project disclosed the private key compromise.
The protocol warned users not to interact with the bridges or related liquidity pools while the incident is under review. Humanity said it is working with exchanges and relevant parties to limit further damage. The team has not announced a timetable for asset recovery or any legal steps.
Security firms and blockchain investigators are examining on-chain activity to determine whether the incident was an external compromise or a coordinated operation. Analysts are reviewing the timing and source of wallet funding, prior transfers, the minting authority’s activity and the pattern of token sales across both chains.
Allium Labs research lead Elton Shehdula reported that wallets used in the exploit were funded from an exchange and a mixer weeks before the attack, that the minting authority was prepared days in advance, and that proceeds were sold across both chains at the same time. He said the level of preparation is consistent with either an insider or an outside actor who held a compromised key for an extended period.
Hakan Unal, senior security operations lead at Cyvers, noted that investigators look at surrounding behavior to distinguish staged events from genuine compromises: “A genuine compromise usually shows speed and improvisation: funds rushed to fresh wallets, swaps at bad prices, mixer use, and no insider timing.”
Investigations remain ongoing. The protocol has said it will provide updates as new information and recovery efforts develop.