Humanity Protocol has issued a detailed incident update following the compromise of its bridge admin controls on Ethereum via Hyperlane and BNB Smart Chain. The attack took place on the night of June 8 and resulted in approximately $36 million in losses through stolen and newly minted $H tokens that were quickly dumped on the market.
INCIDENT UPDATE:
Last night, June 8, the H token was hit by a coordinated attack across Ethereum and BSC. While we’re still investigating this incident, we want to be transparent with our community about what happened.
As of right now, ~$36M+ has been stolen across both chains…
— Humanity (@Humanityprot) June 9, 2026
According to the project’s official statement, the breach centered on Gnosis Safe multisigs that controlled the bridge ProxyAdmin. On Ethereum and Hyperlane, three out of six owner keys were compromised. The attacker transferred ProxyAdmin ownership to their wallet, upgraded the bridge contract to a malicious version, and swept 141.2 million $H in a single transaction. On BSC, three out of five Safe owner keys were breached. The attacker took over the ProxyAdmin, deployed a malicious implementation with an unlimited mint function, and minted over 200 million $H across two tranches directly to their address. The root cause, according to the team, was an employee’s laptop compromise that exposed enough keys to meet the multisig thresholds on both chains. Deposits and withdrawals on the affected bridges have now been halted, and the team is actively coordinating with exchanges, security partners, and law enforcement to freeze stolen funds and support recovery efforts. This follows the initial disclosure by founder Terence Kwok regarding the private key compromise of a Humanity Foundation member.
Market Reaction and Community Backlash
The $H token, which had recently rallied, crashed between 90% within hours of the incident and is now trading at a fraction of its recent highs. This sharp decline reflects a significant loss of confidence in the project’s security practices. Community reactions on X are sharply divided. While some users are willing to wait for the promised post-mortem report, many have expressed strong skepticism about the “single laptop” explanation that allowed quorum access across multiple multisigs. Questions have also been raised about key management practices and the timing of the incident. Prominent on-chain investigator ZachXBT initially described the incident as possibly staged but later leaned toward it being a genuine private key compromise. Additional context includes an upcoming token unlock scheduled for June 25, 2026, involving more than 266 million $H tokens across multiple allocations.
Ongoing Fallout and What’s Next
The team has urged users to revoke approvals on relevant contracts as a precautionary measure. They have emphasized that the core protocol contracts were not directly exploited and that the breach was limited to bridge admin controls. Humanity Protocol, a decentralized identity project that uses palm vein scanning for Proof of Humanity, now faces the dual challenge of technical recovery and rebuilding shattered trust. The project has apologized to token holders and committed to releasing a full post-mortem report soon. This incident once again highlights a persistent industry risk where operational security and private key management failures prove far more damaging than smart contract vulnerabilities.
