Crypto News: Humanity Protocol Hacked for $36 Million — Private Keys Stolen via Employee Laptop, Token Crashes 99.9%

Humanity Protocol has suffered one of the most damaging exploits of 2026, with attackers stealing and selling more than $36 million worth of H tokens across Ethereum and BNB Chain after compromising private keys through a hacked employee laptop. The attack minted 300 million unauthorized H tokens, drained BSC liquidity pools to just $13, and sent the on-chain H token price crashing 99.9% — while the centralized exchange perpetual contract price remained at $0.09, creating a 100-times price divergence that has effectively split H into two unrelated assets.
How the attack unfolded
According to Humanity Protocol's official incident update, the attack originated from a compromised employee laptop that leaked the multi-signature wallet keys controlling the Hyperlane Bridge ProxyAdmin. On Ethereum, the attacker obtained three of six Gnosis Safe owner private keys — enough to reach the signing threshold — transferred ownership of the ProxyAdmin contract to a wallet under their control, and upgraded the bridge contract to a malicious implementation. A single transaction then transferred approximately 141.2 million H tokens to the attacker's wallets.
On BNB Chain, the attacker obtained three of five Safe wallet owner keys through the same compromise vector, took over the ProxyAdmin in identical fashion, and deployed a malicious contract with unlimited minting capabilities — directly minting 200 million H tokens across two transactions.
The attack lasted approximately 13 hours, during which the attacker continued issuing and selling H tokens on BSC, squeezing liquidity from the pool until virtually nothing remained. Cumulatively, the attacker minted approximately 300 million H tokens and sold approximately 450 million — including previously circulating supply — cashing out roughly $34 million in ETH and BNB. On-chain liquidity in the H pool on BSC was reduced to approximately $13 at the time of reporting.
ZachXBT: two separate events, but pre-exploit price pump raises questions
On-chain investigator ZachXBT released an analysis concluding that the Humanity team is likely not behind a "rug pull" or "self-directed performance" — the private key leak disclosure appears genuine and the team does not appear to have orchestrated the theft. However, ZachXBT identified a separate and concerning pattern: before the exploit and before the upcoming token unlock scheduled for approximately June 25, the price of H tokens was artificially pumped through what appear to be suspicious market-making agreements and large over-the-counter transactions.
ZachXBT's assessment is that the private key compromise and the pre-exploit price pump are independent events — but the timing raises the question of whether the price inflation was designed to ease selling pressure ahead of the investor and early contributor token unlock, regardless of its connection to the hack itself. The investigation is ongoing.
Token price collapse: a tale of two markets
The on-chain destruction of H's liquidity has created an extraordinary market bifurcation. The H token price on BSC dropped 99.9% to approximately $0.0009 as liquidity was drained to near zero — essentially making on-chain H worthless in practical terms. Meanwhile, the perpetual contract price on centralized exchanges remained at approximately $0.09 — a 100-times premium over the on-chain spot price. H has effectively become two unrelated assets depending on where it is traded, with the on-chain version reflecting the catastrophic liquidity destruction and the CEX version reflecting delayed price discovery in a market that has not yet fully processed the exploit's implications.
Humanity Protocol's response
The project has suspended all deposit and withdrawal operations for affected bridging services and is working with exchanges and other relevant partners to mitigate further losses. Humanity Protocol stated it is cooperating closely with law enforcement to investigate the incident and attempt to recover stolen funds. An internal investigation is also underway.
A growing pattern of private key exploits
The Humanity Protocol hack continues a disturbing trend of private key compromises that has defined crypto security in 2026. The largest this year was the Drift Protocol exploit in April, where attackers affiliated with North Korea's Lazarus Group gained control of security council admin keys resulting in $280 million in losses. Other private key exploits this year include Step Finance, Resolv, Volo Vault, Echo Bridge, Bankr, Polymarket, StablR, Stake DAO, Gravity Bridge, and Aelphium Bridge. CertiK reported that wallet and private key compromises were the second most costly attack vector in May, with $13.7 million stolen in that month alone.
The Humanity Protocol incident underscores that multi-signature wallet structures — while more secure than single-key systems — remain vulnerable when the individual keyholders' devices are compromised at the endpoint level. Three compromised keys out of six or five is sufficient to reach signing thresholds in standard multi-sig configurations, making endpoint security of keyholder devices as critical as the smart contract architecture itself.