North Korean hackers drained 141M H tokens from Humanity…

Humanity Protocol has published Quantstamp's forensic investigation into the June 8 security incident, confirming that approximately 141.18 million H tokens were moved after attackers gained remote access to a director's device via a phishing attack. The intruders copied wallet data and private keys before upgrading the Ethereum H token contract and executing the transfer.

On BNB Smart Chain, the attackers also seized control of a ProxyAdmin contract and minted additional H tokens, compounding the damage beyond the initial Ethereum-side drain.
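The sequence described above (a control change on a proxy or ProxyAdmin, followed shortly by a mint or large transfer) can be watched for on-chain. The following is an added example, not code from Quantstamp's report or from Humanity Protocol: detection logic over `eth_getLogs`-style entries. It assumes the contracts emit the standard EIP-1967, OpenZeppelin Ownable and ERC-20 events; all addresses, amounts, the threshold and the block window are constructed.

```python
# Added example with constructed data; nothing here is taken from the incident report.
# Standard event topics (keccak-256 of the signature): EIP-1967, Ownable, ERC-20.
CONTROL_EVENTS = {
    "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b": "Upgraded",
    "0x7e644d79422f17c01e4894b5f4f588d331ebfa28653d42ae832dc59e38c9798f": "AdminChanged",
    "0x8be0079c531659141344cd1fd0a4f28419497f9722a3daafe3b4186f6b6457e0": "OwnershipTransferred",
}
TRANSFER = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
ZERO_TOPIC = "0x" + "0" * 64  # 'from' topic of an ERC-20 mint

def scan(logs, watched, threshold, window):
    """Alert on control changes, and on mints/large transfers within `window` blocks of one."""
    watched = {a.lower() for a in watched}
    alerts, last_change = [], None
    for log in sorted(logs, key=lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16))):
        if log["address"].lower() not in watched:
            continue
        block, topics = int(log["blockNumber"], 16), [t.lower() for t in log["topics"]]
        if topics[0] in CONTROL_EVENTS:
            last_change = block
            alerts.append(("control_change", CONTROL_EVENTS[topics[0]], block))
        elif topics[0] == TRANSFER and len(topics) == 3 and last_change is not None:
            amount = int(log["data"], 16)
            if block - last_change <= window and amount >= threshold:
                kind = "mint" if topics[1] == ZERO_TOPIC else "transfer"
                alerts.append((kind + "_after_change", amount, block))
    return alerts

def addr_topic(addr):  # left-pad a 20-byte address to a 32-byte indexed topic
    return "0x" + addr[2:].lower().rjust(64, "0")

def make_log(addr, topics, data, block, index=0):
    return {"address": addr, "topics": topics, "data": data,
            "blockNumber": hex(block), "logIndex": hex(index)}

# Constructed placeholders: token proxy, ProxyAdmin, implementation, two wallets; 18 decimals assumed.
TOKEN, ADMIN, IMPL, WALLET_A, WALLET_B = ("0x" + c * 20 for c in ("11", "22", "cc", "aa", "bb"))
UPGRADED, _, OWNERSHIP = CONTROL_EVENTS  # dict keys in insertion order
UNIT = 10 ** 18
SAMPLE_LOGS = [
    make_log(TOKEN, [TRANSFER, addr_topic(WALLET_A), addr_topic(WALLET_B)], hex(5 * UNIT), 100),
    make_log(ADMIN, [OWNERSHIP, addr_topic(WALLET_A), addr_topic(WALLET_B)], "0x", 200),
    make_log(TOKEN, [UPGRADED, addr_topic(IMPL)], "0x", 201),
    make_log(TOKEN, [TRANSFER, ZERO_TOPIC, addr_topic(WALLET_B)], hex(2_000_000 * UNIT), 202),
    make_log(TOKEN, [TRANSFER, addr_topic(WALLET_A), addr_topic(WALLET_B)], hex(3_000_000 * UNIT), 203),
    make_log(TOKEN, [TRANSFER, addr_topic(WALLET_B), addr_topic(WALLET_A)], hex(3_000_000 * UNIT), 5000),
]

def demo():  # watch both the token proxy and its ProxyAdmin
    return scan(SAMPLE_LOGS, {TOKEN, ADMIN}, threshold=1_000_000 * UNIT, window=50)
```

On the sample data, `demo()` reports both control changes plus the mint and the large transfer that follow them, and ignores the routine transfer before the change and the one far outside the window.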

Why it matters

Quantstamp's report flags the tooling and certificate-signing patterns observed in the attack as characteristic of DPRK-linked intrusions — placing this incident in the same threat category as the Bybit and Ronin Bridge exploits attributed to North Korea's Lazarus Group. State-sponsored crypto theft has now become a systemic risk for any protocol holding significant on-chain treasury or controlling upgradeable smart contracts, and the phishing vector — a single compromised director device — underscores how human access controls remain the weakest link in otherwise technically robust systems.

Market impact

The H token faces immediate sell pressure as the market digests the scale of the mint-and-drain operation across two chains. Protocols with upgradeable proxy contracts and centralised key custody will face renewed scrutiny from both investors and auditors. The incident reinforces the case for hardware-isolated key management and multi-sig governance on any contract with upgrade authority.

Source: [$H Incident Summary | Humanity](https://www.humanity.org/hincidentupdate)


Frequently asked questions

  1. How did the attackers gain access to Humanity Protocol's contracts?

    Attackers used a phishing attack to gain remote access to a director's device, where they copied wallet data and private keys. This gave them the ability to upgrade the Ethereum H token contract and take control of a BNB Smart Chain ProxyAdmin contract.

  2. What evidence links the Humanity Protocol hack to North Korea?

    Quantstamp's forensic report identified tooling and certificate-signing patterns in the attack that are characteristic of DPRK-linked intrusions, consistent with methods previously attributed to North Korea's Lazarus Group.

  3. Why was the BNB Smart Chain ProxyAdmin compromise significant?

    Seizing the ProxyAdmin contract allowed attackers to mint additional H tokens on BNB Smart Chain on top of the 141.18 million already moved on Ethereum, turning a single-chain theft into a two-chain mint-and-drain operation that amplified total losses.

Source attribution
Aggregated from WuBlockchain