Humanity Protocol: attacker stole 7 private keys from one…

Humanity Protocol has released an investigation report confirming that the June 8 attack stemmed from a single compromised developer machine infected with malware, which granted the attacker full root access. Seven private keys had been inadvertently stored on that device during the project's mainnet launch in June 2025 — including the admin hot wallet key, three Ethereum Safe owner keys, and three BSC Safe owner keys — giving the attacker complete control from a single point of failure. The protocol previously disclosed losses exceeding $31 million from the incident.

Why it matters

The investigation explicitly ruled out a smart contract exploit: there was no bug in the bridge, token contract, or Safe implementation. Every transfer, Safe transaction, and proxy upgrade executed by the attacker was authorized using legitimate private keys. That distinction matters enormously for how the industry reads this — the attack vector was operational security, not code. A single developer laptop became the master key to a $31M+ treasury because private keys were backed up to it during a high-pressure mainnet launch window.

Market impact

For investors and protocol teams, the takeaway is structural: hardware security modules, air-gapped key ceremonies, and strict separation of signing authority are not optional at mainnet scale. The Humanity Protocol incident joins a growing list of nine-figure losses traced to key management failures rather than smart contract bugs, reinforcing regulatory pressure on crypto projects to demonstrate institutional-grade custody practices before launch.

Source: [Notion | Where teams and agents work together](https://app.notion.com)

Related tokens
$ETH

Frequently asked questions

  1. Why were seven private keys stored on a single developer machine?

    The keys were inadvertently backed up to the device during Humanity Protocol's mainnet launch around June 2025, a high-pressure period when strict key management procedures appear not to have been followed.

  2. Was the Humanity Protocol bridge or smart contract code vulnerable?

    No. The investigation confirmed there was no bug in the bridge, token contract, or Safe. All attacker transactions were authorized using legitimate private keys obtained from the compromised device.

  3. How much did Humanity Protocol lose in the June 8 attack?

    The protocol previously disclosed losses exceeding $31 million, now confirmed to have resulted entirely from the seven private keys extracted from one malware-infected developer machine.

Source attribution
Aggregated from WuBlockchain · Verified · Last refreshed 1h ago