A Humanity Protocol H token compromise on June 8, 2026 turned into one of the year’s most damaging token breaches, with losses that may exceed $36 million. The attack hit both Ethereum and Binance Smart Chain in a coordinated window, and it unfolded fast enough to drain, mint, and sell assets before most holders understood what was happening.
According to a quantstamp investigation published on June 11, the breach started with a phishing email and escalated into a full cross-chain takeover. From that single entry point, the attacker stole keys, moved millions of $H tokens, minted new supply on BSC, and liquidated the proceeds through decentralized exchanges.
Humanity Protocol brought in blockchain security firm Quantstamp on the same day the attack occurred. In practice, the investigation shows how a cryptocurrency phishing attack can become far more than a mailbox problem when admin keys sit close to a personal device.
Summary
How the Humanity Protocol H token compromise unfolded
The June 8 breach on Ethereum and BSC
The Humanity Protocol H token compromise was not a random smart contract bug. Instead, it was a targeted, credential-driven theft that gave the attacker effective control over critical protocol infrastructure on both Ethereum and Binance Smart Chain.
The operation played out over roughly eight hours. By the end, the $H token price had fallen by about 89%, liquidity providers were hit hard, and remaining holders were left with severely devalued assets. Meanwhile, the attacker had already moved on to the next stage: liquidation.
The assets targeted were central to the token’s operation. The attacker accessed Humanity Protocol’s Ethereum account and a BSC Safe, which formed part of the token’s issuance and management setup. Roughly 150 operational $H wallets, along with the wallet used to fund their gas fees, were also drained.
Phishing email led to key theft from Chong Yee Wai
Everything traces back to a phishing email sent to Chong Yee Wai, a director at Humanity Protocol’s issuing entity. The message impersonated Korean cryptocurrency exchange Bithumb and appeared to relate to a circulating-supply lockup schedule, which made it look like routine administrative communication.
The email included a malicious attachment named Bithumb_Circulating_Supply_Lockup_Schedule.zip and a link to an attacker-controlled domain. Once opened, the malware installed remote-access software on Chong’s Windows machine and extracted the private keys he used for on-chain operations. Chong confirmed the user actions involved to Quantstamp investigators.
That detail matters because the compromise did not begin with a protocol flaw. It began with a person clicking a file. In turn, high-value key management appears to have been tied to an individual device rather than isolated cold storage or hardware security modules, which made the chain of events possible.
Cross-chain token theft and unauthorized minting
With the stolen keys in hand, the attacker moved quickly across both chains at once. The Ethereum BSC token hack unfolded in parallel, which made response more difficult and reduced the time available for intervention.
On Ethereum, the attacker used Chong’s stolen account key to replace the implementation of a Hyperlane warp-route proxy and move approximately 141.18 million $H tokens to an attacker-controlled address.
On BSC, the operation went further. Using three stolen Safe signer keys, the attacker took ownership of a ProxyAdmin contract and then used that control to mint 100 million new $H tokens to a freshly created address. This was not just theft; it was unauthorized token creation that increased supply on-chain in real time.
Because the attacker operated on Ethereum and BSC simultaneously, no single defensive action could easily stop the damage before liquidation was complete. A pause, a contract freeze, or a bridge halt on one chain would not necessarily have stopped the other.
Token sales on Uniswap and PancakeSwap drove the price crash
Once the tokens reached attacker-controlled wallets, the liquidation phase began. The attacker sold $H on Uniswap on Ethereum and PancakeSwap on BSC over roughly eight hours, converting stolen and minted supply into ETH and BNB.
The selling pressure was relentless. An 89% token price drop in a single trading session is not a mild correction; it is a near-total wipeout for holders who were still exposed. Liquidity providers on both decentralized exchanges also absorbed substantial damage as the sustained sell-off drained pools and widened spreads.
Quantstamp said proceeds already traceable to known attacker addresses exceed $21 million in ETH. BNB proceeds are still being assessed, and the final figure has not yet been completed.
Different outlets have reported slightly different loss totals. The Block put the figure at over $32 million, while Decrypt reported approximately $36 million. The gap likely reflects timing and whether partially assessed BNB proceeds are included. For now, the confirmed ETH total offers a floor, not a ceiling.
Why the Humanity Protocol H token compromise stands out
The attack stands out for two reasons. First, it combined credential theft with smart contract takeover, so the attacker did not need to find a code bug. Instead, they used legitimate administrative access. Second, the operation was cross-chain from the start, with Ethereum and BSC running in parallel rather than one after the other.
The breach also reinforces a pattern security researchers have warned about for years: decentralized protocols are often only as secure as the people who hold the admin keys. No audit can stop a director from opening a malicious zip file on a personal Windows machine.
Quantstamp’s investigation is still ongoing, and findings may be updated as more on-chain activity is traced. The full BNB proceeds figure remains under review, and additional compromised wallets could still surface in the chain analysis.
FAQ
How did the attacker gain access to Humanity Protocol’s token keys?
The attacker sent a phishing email to director Chong Yee Wai that impersonated Korean exchange Bithumb. The email contained a malicious attachment that installed remote-access malware on his Windows machine, which was then used to steal the private keys he controlled.
What was the impact of the attack on the $H token price?
The $H token price crashed by approximately 89% after the attacker sold stolen and minted tokens on Uniswap and PancakeSwap over roughly eight hours on June 8, 2026.
Which blockchains were affected by the compromise?
Both Ethereum and Binance Smart Chain were targeted in a coordinated cross-chain operation conducted simultaneously on June 8, 2026.
How much financial loss did the breach cause?
Confirmed ETH proceeds at known attacker addresses exceed $21 million. BNB proceeds are still being assessed. Separate media reports have estimated total losses at between $32 million and $36 million.
What steps were taken to investigate the incident?
Humanity Protocol engaged Quantstamp, Inc. on June 8, 2026, the same day as the attack. Quantstamp’s incident response team reconstructed on-chain activity and examined the devices belonging to Chong Yee Wai as part of its ongoing investigation.
