Blockchain security firm Quantstamp traced the $36 million breach of Humanity Protocol to tactics characteristic of North Korea-linked threat actors. Attackers crafted a phishing email masquerading as an update from South Korean exchange Bithumb, embedding a malicious attachment disguised as a token lockup schedule.
Upon opening, the attachment installed remote-access malware signed with a legitimate South Korean Hancom digital certificate. That certificate usage aligns with known DPRK intrusion campaigns aimed at avoiding detection. Remote access granted attackers full control over a laptop belonging to a Humanity Protocol director, including extraction of MetaMask credentials and private keys.
The stolen credentials enabled an on-chain transfer of approximately 6 million H tokens from an admin hot wallet on Ethereum, followed by the draining of 141 million H tokens from the protocol’s bridge contract. Blockchain analysis linked those transactions to newly generated addresses under attacker control.
Quantstamp’s incident response highlighted a documented pattern of precision targeting by North Korean threat groups, which have been tied to hundreds of crypto thefts totaling billions of U.S. dollars over the past decade. CertiK reported that North Korean actors were responsible for over $578 million in losses during April 2026 alone and account for nearly 12 percent of crypto exploits since 2025.
The hack underscores vulnerabilities in operational security and key management practices within decentralized identity projects. Quantstamp urged protocols to implement stringent endpoint security, enforce hardware wallet usage for privileged keys, and integrate anomaly detection for large cross-chain transactions. Industry observers expect heightened regulatory scrutiny and accelerated adoption of multi-party computation wallets to mitigate similar threats in the future.
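The anomaly detection for large transfers recommended above could take the following form. This is an added example, not code from Quantstamp or Humanity Protocol. The thresholds, balances, addresses and routine transfers are constructed, and only the 6 million and 141 million H amounts come from the article.

```python
from collections import defaultdict, deque
from statistics import median

# Thresholds, balances and addresses are constructed for illustration.
SIZE_FACTOR = 20       # flag a transfer >= 20x the source's median outflow
WINDOW_SECONDS = 3600  # rolling window for cumulative outflow
WINDOW_LIMIT = 0.10    # flag window outflow >= 10% of the starting balance
MIN_HISTORY = 3        # prior transfers needed before the median is used

def detect(transfers, balances):
    """Return (index, source, reasons) for each suspicious outflow.
    transfers: time-ordered (ts, source, recipient, amount) tuples.
    balances:  starting token balance per monitored source.
    """
    history = defaultdict(list)  # source -> amounts of unflagged transfers
    known = defaultdict(set)     # source -> recipients of unflagged transfers
    window = defaultdict(deque)  # source -> (ts, amount) inside the window
    alerts = []
    for i, (ts, src, to, amt) in enumerate(transfers):
        reasons = []
        past = history[src]
        if len(past) >= MIN_HISTORY and amt >= SIZE_FACTOR * median(past):
            reasons.append("size")
        w = window[src]
        w.append((ts, amt))
        while w[0][0] <= ts - WINDOW_SECONDS:
            w.popleft()
        if sum(a for _, a in w) >= WINDOW_LIMIT * balances[src]:
            reasons.append("window")
        if reasons:
            if to not in known[src]:
                reasons.append("new_recipient")
            alerts.append((i, src, reasons))
        else:
            # Only unflagged traffic feeds the baseline, so a large
            # transfer cannot raise the median for the ones after it.
            past.append(amt)
            known[src].add(to)
    return alerts

# Constructed sample: routine outflows, then the two transfer sizes the
# article reports (6 million and 141 million H) sent to unseen addresses.
SAMPLE = [
    (0, "admin_hot_wallet", "0xA1", 5_000), (600, "bridge", "0xB1", 10_000),
    (1200, "admin_hot_wallet", "0xA2", 8_000), (1800, "bridge", "0xB2", 25_000),
    (2400, "admin_hot_wallet", "0xA1", 4_000), (3000, "bridge", "0xB1", 15_000),
    (9000, "admin_hot_wallet", "0xNEW1", 6_000_000), (9300, "bridge", "0xNEW2", 141_000_000),
]
BALANCES = {"admin_hot_wallet": 8_000_000, "bridge": 150_000_000}
```

Calling `detect(SAMPLE, BALANCES)` flags only the last two transfers, each for size, window share and an unseen recipient; in production the alert would gate or pause the transfer rather than only log it.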