The project that proves you are human has failed to prove that its private keys are secure

Written by: ChandlerZ, Foresight News

On June 9, according to on-chain analyst Specter, wallets that interacted with the digital identity project Humanity are under continued attack. Hundreds of addresses holding H tokens have already been hacked, with total losses exceeding $31 million. Approximately $9 million has been exchanged for ETH, while about $9.9 million still exists in the form of H tokens.

Humanity founder Terence Kwok subsequently confirmed a security incident involving the private key leak of a foundation member. As a preventive measure, he advised users to refrain from interacting with the Humanity cross-chain bridge or any liquidity pools until further safety confirmations. The team is working with security experts and exchange partners to address the situation and will continue to update the community on progress.

The price of H tokens plummeted from around 0.7 USDT to a low of 0.052 USDT, with a 24-hour drop of over 90%. At the time of writing, H was reported at 0.1368301 USDT, with its market cap falling from $2 billion to around $35.7 million.

As of June 9 at 11:00, attackers reportedly minted 100 million Humanity Protocol tokens H and are selling them to exchange for BNB.

A project that did not truly "prove humanity"

The Humanity Protocol was established in 2024, positioning itself as a decentralized digital identity network, with the core selling point being the use of palm print biometrics and zero-knowledge proof to verify whether users are real people. The project is built on the Polygon CDK (zkEVM) and claims to solve issues such as Sybil attacks, fake accounts, and AI-generated identities without exposing personal information.

This narrative attracted significant capital attention in 2024, with the Humanity Protocol completing two rounds of financing, totaling $50 million. The seed round raised $30 million at a valuation of $1 billion, with investors including Kingsway Capital, Animoca Brands, Blockchain.com, and Shima Capital. A round led by Pantera Capital and Jump Crypto in January 2025 raised $20 million, increasing the valuation to $1.1 billion.

The Humanity Foundation also gathered many notable figures, led by Animoca Brands chairman Yat Siu, with co-founders including Mario Nawfal, founder of an international blockchain consultancy, and Yeewai Chong, a senior investment expert from Morgan Stanley and Ortus Capital.

On June 25, 2025, H tokens were launched through a Fairdrop mechanism, claimed to be the first token distribution in Web3 history targeted only at verified real humans. However, two days after the launch, DL News reported a leaked conversation of the founder. In the conversation, Kwok admitted that out of the 9 million Human IDs created online, only about 1 million had completed biometric verification, meaning that up to 88% of users could be bots.

Additionally, according to users on the X platform, such as SCoin (@LianFang_) and AB Kuai.Dong (@_FOR AB), there are allegations that the Humanity Protocol (H) might be a "domestically produced project shell," as images from a Shenzhen access control company were still found in the APP's code library, raising questions about its authenticity. Netizens claimed that the activity on its social media platform was largely orchestrated by the project’s side accounts, casting doubt on actual user engagement.

AB Kuai.Dong stated that those who had previously verified with Humanity should be cautious. Behind the palm security information is a Shanghai outsourcing company that specializes in full identity recognition outsourcing. Moreover, whistleblower SCoin claimed that the project had collected a large amount of users' palm print information, raising privacy and security concerns.

This is fatal for a project whose core value proposition is to "prove humanity." The H token plummeted by over 61% within two days of its launch, dropping from around $0.05 to a low of $0.018.

The founder's previous unicorn burnt through $170 million

Terence Kwok's personal background also adds a risk annotation to this project. In 2012, 20-year-old Terence Kwok dropped out of the University of Chicago and founded Tink Labs after receiving a $900 roaming bill during a trip, providing free smartphones (brand name Handy) for hotel rooms for guests to use abroad instead of high roaming charges. This concept once impressed the capital market; Tink Labs raised a total of $170 million from Foxconn, SoftBank, Innovation Works, and the founder of Meitu, reaching a valuation of $1.5 billion, becoming Hong Kong's first unicorn. At its peak, Handy devices covered 82 countries and 600,000 hotel rooms globally.

However, Kwok's aggressive expansion strategy soon faced realistic obstacles, with global roaming fees continuously declining and hotels unwilling to pay for Handy devices, leading the company to incur losses starting in 2017. According to the Financial Times, SoftBank cut off funding for key projects after discovering that Tink Labs might have diverted funds from the Japanese joint venture to other losing markets. In July 2019, over 100 employees from the European, Middle Eastern, and African offices did not receive their salaries. Departing employees smeared cake on the walls and floors of the Oxford office. On August 1, Tink Labs officially shut down and entered bankruptcy proceedings in January 2020. A former HR director told the FT that Kwok was only interested in "making money," causing the entire $170 million investment to evaporate.

Six years later, Kwok returned to the market with Humanity Protocol, securing a unicorn valuation once again from Pantera Capital and Jump Crypto.

Private key management: old problems, new costs

From the information currently available, this attack did not involve smart contract vulnerabilities or security deficiencies at the protocol level. The attackers obtained a private key belonging to a foundation member, representing the most traditional failure in security management.

The security situation in the crypto industry in 2026 is already severe. According to CCN statistics, losses from DeFi hacker attacks exceeded $1 billion in the first four months of 2026, and most of the stolen funds have yet to be recovered. On April 1, the Drift Protocol suffered an attack of $286 million, the largest single event of the year. Attackers are increasingly targeting validators, RPC nodes, and governance systems, not just smart contract vulnerabilities. However, private key leaks remain one of the most damaging types of attacks because they bypass all on-chain security mechanisms and directly gain control of assets.

For a project that has borne controversy over 88% of bot users and witnessed a drop of over 90% from its token's peak, a $31 million private key leak event could be the last blow to trust. As of the time of writing, Kwok stated in a press release that the team is cooperating with security experts and exchange partners to address the situation, but did not mention any user compensation plans or explain why the private key of the foundation member had not adopted basic protective measures such as multi-signature or hardware isolation.