Suspected North Korean hackers steal $36M in Humanity tokens

A phishing email installed malware on a Humanity Protocol employee’s laptop, allowing attackers that Quantstamp linked to North Korea to steal $36 million in Humanity (H) tokens.

A phishing email installed malware on a Humanity Protocol employee’s laptop and enabled attackers to steal about $36 million in Humanity (H) tokens on Monday. The attackers extracted MetaMask credentials and private keys belonging to director Chong Yee Wai and used them to move the funds.

Blockchain security firm Quantstamp traced the intrusion to a malicious attachment disguised as a token lockup schedule update from South Korean exchange Bithumb. The attachment installed remote-access malware on the compromised device, Quantstamp reported. The firm noted the malware binary was signed with a South Korean Hancom digital certificate, a detail it called “characteristic of DPRK intrusions.”

The compromised machine belonged to a Humanity Protocol employee. With full remote access, the attackers copied stored wallet credentials and private keys from the director’s MetaMask wallet and carried out the unauthorized transfers. Quantstamp’s incident response report outlined the sequence from the phishing email to the extraction of credentials and the token transfers.

Quantstamp linked the attack to suspected North Korea-affiliated actors based on the delivery method and the signed malware binary. The use of a legitimate-looking digital certificate to sign malware has been observed in earlier intrusions tied to those actors, according to the firm’s analysis.

A May report from blockchain security firm CertiK found North Korea-linked groups were responsible for at least $578 million of the $634 million stolen in crypto incidents in April. The report also attributed about $2 billion of the $3.4 billion lost to crypto exploits so far in 2025 to those groups and estimated roughly $6.75 billion was stolen across 263 documented incidents over the past decade. CertiK described the groups’ operations as focused on “precision and scale” and said they have “industrialized” crypto theft into a core revenue mechanism.

North Korea rarely addresses cybercrime allegations. On May 3 a Foreign Ministry spokesperson rejected such accusations.

The incident highlights risks when wallet keys or seed phrases are stored or entered on developer and employee devices, since private keys on a compromised machine can be copied and used to move assets. Humanity Protocol has not released further technical details or described additional remediation steps beyond sharing Quantstamp’s report. Investigations are ongoing; Quantstamp has circulated its findings to the project community and stakeholders while law enforcement and blockchain monitoring teams continue to trace the stolen tokens.
