How did the H token crisis arise from the theft of Humanity's private key?

2 hours ago

On June 8, 2026, the Ethereum-based identity and reputation protocol Humanity was involved in a sudden cross-chain security incident: the attacker did not directly breach the smart contract, but instead disguised themselves as the Korean exchange Bithumb and sent a phishing email to a director of the project, implanting a remote control Trojan in their terminal, silently seizing the wallet private key that controlled H token permissions. After acquiring the private key, the hacker initiated a series of on-chain operations against H token-related contracts on Ethereum and BNB Chain, transferring approximately 141 million H tokens and selling them off quickly, triggering a crisis of trust throughout the ecosystem. Humanity subsequently emphasized that the mainnet bridge was unaffected, pointing to the breached wallet and permission management as the issues, while an investigation by independent security firm Quantstamp confirmed this: it was not a logical failure of the contract but a precisely executed social engineering attack. More unsettling for the industry was Quantstamp's indication that the tools and techniques used in this attack bore a high similarity to past activities attributed to a suspected North Korean hacker group, forcing many teams that had relied entirely on contract audits and cross-chain architectures to reevaluate a harsh reality—what was often truly breached was not the chain, but the people.

How the email posing as Bithumb breached the director's computer

In this incident, the attack vector was not on the chain, but in a seemingly normal business email. The attacker meticulously impersonated the Korean exchange Bithumb, sending a phishing email to a director of the Humanity project with common phrases like "business cooperation" and "token support," making the email's header, signature, and format convincingly realistic enough for the recipient to believe they were communicating with a large exchange. The real trap was hidden in the attachment—a document that appeared to be a standard file, labeled as business-related materials or forms, thus successfully bypassing the individual's vigilance.

A crucial step occurred the moment the director double-clicked to open the attachment. On the surface, the terminal might have just briefly flashed a window or seemed to open a normal file; behind the scenes, however, it was silently installing a remote control Trojan. This Trojan opened a backdoor for the attacker, allowing them to remotely control the device without being detected. Industry analysis pointed out that it was through this remote control capability that the attacker further explored and locked in on the director's wallet environment, ultimately obtaining the wallet private key. The investigation by Quantstamp also emphasized that there was no evidence of the smart contract logic being bypassed or the cross-chain bridge parameters being breached; what was truly lost was personnel security awareness and terminal device protection, not the on-chain security boundaries of Ethereum or the Humanity protocol itself.

Private key theft and H tokens transferred cross-chain

Once the attacker obtained the director's wallet private key, the first step was not a direct large transfer, but admin-level operations on the H token-related contracts on Ethereum. Using these permissions, which should have been strictly controlled, the attacker pushed an "upgrade" of the contract that redirected its core logic to an implementation under their control, covertly rewriting the asset transfer path that had originally been constrained by the contract's rules. Soon after, a large volume of H tokens was moved out of the address controlled by the project team into an attacker-controlled wallet and was then sold off on-chain. According to multiple sources, around 141 million H tokens were transferred and sold along this path.

At the same time, the attacker repeated a similar operation on the corresponding H token contract on BNB Chain, using the same private key to sign permission commands in the cross-chain scenario and emptying the assets in both chain environments. Humanity emphasized afterward that its mainnet bridge itself was not breached (according to a single source); the affected party was the breached wallet and the contract permissions configured around that wallet. In other words, what looked on the surface like "cross-chain theft" was in fact the same high-permission key being misused in a multi-chain environment. It shows that once a project enters a multi-chain operational phase, the compromise of a single critical private key means that any contract upgrade or asset management action on one chain can be replayed on the others and amplified into a systemic risk.
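The pattern described above, a privileged contract upgrade signed by a single hot key and then repeated on a second chain, is something a project's own transaction monitoring can flag. The following is an added illustration written for this article, not Humanity's or Quantstamp's code; the governance multisig addresses, the hot-key address and the transaction records are constructed placeholders.

```python
"""Flag privileged admin calls on token contracts that are signed by a single
externally owned account instead of the expected governance multisig, and flag
the same key signing admin calls on more than one chain within a short window.
Added example for this article; all addresses and records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Privileged functions that should only ever be called by the governance multisig
# (assumed policy; function names follow common proxy/ownable/role patterns).
PRIVILEGED = {"upgradeTo", "upgradeToAndCall", "transferOwnership", "grantRole", "mint"}
# Hypothetical governance multisig per chain (placeholders, not real addresses).
EXPECTED_ADMIN = {"ethereum": "0xSAFE-ETH", "bnb": "0xSAFE-BNB"}
# Admin actions by one key on two chains this close together are treated as key reuse.
CROSS_CHAIN_WINDOW = timedelta(hours=1)


def find_alerts(txs):
    """Return (rule, detail) alerts for a list of constructed tx records."""
    alerts = []
    admin_calls = defaultdict(list)  # sender -> [(chain, time of admin call)]
    for tx in sorted(txs, key=lambda t: t["time"]):
        if tx["func"] not in PRIVILEGED:
            continue  # ordinary transfers are not admin actions
        chain, sender = tx["chain"], tx["from"].lower()
        t = datetime.fromisoformat(tx["time"])
        # Rule 1: an admin call that did not come from the multisig is a single-key action.
        if sender != EXPECTED_ADMIN[chain].lower():
            alerts.append(("single-key-admin", f"{tx['func']} on {chain} from {sender}"))
        # Rule 2: the same key acting as admin on a different chain inside the window.
        for prev_chain, prev_t in admin_calls[sender]:
            if prev_chain != chain and t - prev_t <= CROSS_CHAIN_WINDOW:
                alerts.append(("cross-chain-key-reuse",
                               f"{sender} admin on {prev_chain} then {chain}"))
                break
        admin_calls[sender].append((chain, t))
    return alerts


# Constructed sample: a routine multisig upgrade, then one hot key upgrading on both chains.
SAMPLE_TXS = [
    {"chain": "ethereum", "from": "0xSAFE-ETH", "func": "upgradeTo", "time": "2026-06-01T10:00:00"},
    {"chain": "ethereum", "from": "0xHOTKEY", "func": "upgradeTo", "time": "2026-06-08T03:10:00"},
    {"chain": "ethereum", "from": "0xHOTKEY", "func": "transfer", "time": "2026-06-08T03:12:00"},
    {"chain": "bnb", "from": "0xHOTKEY", "func": "upgradeTo", "time": "2026-06-08T03:25:00"},
]

if __name__ == "__main__":
    for rule, detail in find_alerts(SAMPLE_TXS):
        print(rule, "-", detail)
```

On the sample the routine multisig upgrade is silent, while the hot key produces two single-key alerts and one cross-chain reuse alert; in practice the records would come from a block indexer rather than an inline list.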

Quantstamp points to non-contract vulnerabilities and suspected North Korean hackers

After Humanity pointed to the breached wallet and permission configurations, an independent third-party technical conclusion became particularly critical. The security auditing company involved in the analysis of this incident, Quantstamp, subsequently released an investigation report, reviewing the entire chain from the phishing email and malicious attachment to the remote control Trojan implanted in the terminal. The report emphasized that the root of this incident lay in successful social engineering that deceived the core management, leading to the infiltration of terminal devices which resulted in the leak of high-permission wallet private keys, subsequently used to initiate contract upgrades and asset disposal operations on Ethereum and BNB Chain. In other words, from Quantstamp's technical perspective, this was not an "on-chain vulnerability" arising from a defect in smart contract logic but a typical failure of defense at the human and terminal level.

Even more controversial was the attribution of the attacker's background. Quantstamp noted in the report that the tools and techniques used in this attack were consistent with characteristics often attributed to North Korean-related hacker groups (including the Lazarus Group): impersonating exchanges or auditing agencies, compromising target devices through emails carrying malicious attachments, and, after gaining remote control, stealing private keys and moving on-chain assets. However, the report remained clearly cautious, using only terms like "consistent with DPRK-linked activity" and "suspected association" without giving a definitive legal characterization. As a result, talk of "suspected North Korean hackers" circulated in the industry, but on the current public evidence such claims are an inference from technical similarities rather than confirmed fact. The discussion of the attacker's identity is likely to remain at the level of "suspected association" for a considerable time.

From Lazarus's usual phishing to Web3 operational shortcomings

Viewing the Humanity incident within the context of the attacks over the past few years, it was not a "black swan" appearing out of nowhere. In recent years, North Korean-related hacker groups (such as the Lazarus Group) have frequently been linked to phishing operations targeting cryptocurrency projects. Their common tactic is to impersonate exchanges, auditing firms, or other business partners, sending emails containing malicious attachments under the guise of "formal communication." Once the victim opens the attachment on their everyday office device, the terminal becomes infiltrated with a remote control Trojan, allowing the attacker to seize the wallet private keys and subsequently extend their focus to the project’s treasury or high-permission contracts. This experience of Humanity is practically a rehash of this script: the attacker posed as the Korean exchange Bithumb, sent a phishing email to a project director, and completed the Trojan implantation after the malicious attachment was opened, thereby acquiring the director's wallet private key and extending the attack chain to the H token-related contracts on Ethereum and BNB Chain. This similarity is also the technical foundation mentioned in the Quantstamp report as "consistent with DPRK-linked activity."

However, rather than attributing everything to "high-level hackers," it would be more accurate to say that Humanity exposed a complete set of common shortcomings in Web3 operations. Humanity itself is an Ethereum-based Web3 identity and reputation protocol, with the H token being its core asset, yet in a multi-chain operational scenario spanning Ethereum and BNB Chain, the private key capable of initiating critical on-chain operations like contract upgrades was left on a director's personal terminal. The lack of isolation in terminal management, insufficient permission tier design, lack of institutionalized processes for private key custody and usage, combined with weak personnel security awareness, transformed what seemed to be "just opening an attachment" into a systemic risk at the cross-chain level. The industry subsequently focused its discussion on these off-chain factors, which, in a sense, serves as a reminder to all project teams: in today's increasingly complex multi-chain and cross-chain structures, the human factors and operational processes remain decisive variables affecting the protocol's security boundary.

Looking at future defenses and the final link from the Humanity incident

The Humanity incident once again laid a harsh conclusion on the table: what was truly breached was not the contract logic on Ethereum or BNB Chain, but the terminal implanted with a remote control Trojan and the person holding the private key. Through phishing emails masquerading as Bithumb, the attacker obtained the director's private key and subsequently initiated on-chain operations to transfer and sell about 141 million H tokens, while Humanity stressed that the mainnet bridge was unaffected. This path serves almost as a textbook annotation to the premise that "people are the last link." Looking forward, there are specific lessons for the project team to learn: first, core assets must be placed under multi-signature control, and important operations should be split across multiple roles and require confirmation from multiple permission holders, preventing any single private key from becoming a "single point of failure" for the system; second, permissions and scenarios must be thoroughly isolated, separating everyday office terminals from high-permission wallets and operational environments, and migrating as far as possible to hardware signing devices and dedicated secure terminals; third, terminal security must be institutionalized, with email and download behavior incorporated into auditable processes and regular drills for phishing and Trojan defense; fourth, all employees should receive ongoing security training, instead of limiting risk education to a "security manual." Meanwhile, it should be acknowledged that current public materials still leave uncertainty about the monetary loss, whether there were additional mints, and exact price fluctuations, and that further attention is needed on Humanity's recovery and compensation plans, whether more third-party audits will become involved, and how the incident may be characterized under potential regulation.
Viewing this incident as merely an unfortunate event for a specific project is insufficient; it resembles a safety rehearsal publicly enacted on the stage of public chains like Ethereum, reminding the entire industry to treat the attack chain experienced by Humanity as a comprehensive examination of their own terminal defenses, permission design, and personnel system, rather than an isolated case that can be overlooked.
