
A Single Compromised Laptop Just Cost Humanity Protocol $36 Million

Multisignature wallets are supposed to be one of the stronger security tools in crypto. The premise is straightforward: no single person controls enough keys to authorize a critical transaction on their own, so even if one keyholder is compromised, an attacker still can’t move funds without collecting approvals from others. It’s a system designed around the assumption that not everyone will be vulnerable at the same time.

Humanity Protocol had a multisig setup. It had distributed keys across four different individuals. On paper, the architecture was sound.

Then one employee’s laptop got hacked, and $36 million in H Token disappeared.

The incident, which the project disclosed in detail this week, is a case study in how a single operational mistake can hollow out a security model that was otherwise well-designed. The keys were distributed. The policy was correct. But somewhere during the setup process, multiple keys ended up backed up onto the same device — a device that, once compromised, handed an attacker everything they needed to drain two separate blockchain bridges simultaneously.

What Humanity Protocol Actually Is

Before getting into the mechanics of the attack, it’s worth understanding what Humanity Protocol does, because the nature of the project made this breach particularly damaging.

Humanity Protocol is a decentralized digital identity project. Its core premise is building a system that can verify unique human identity on the blockchain — a problem that has become increasingly important as AI-generated accounts, bots, and synthetic identities proliferate across the internet. The project uses biometric verification, particularly palm scanning, to link real human individuals to on-chain identities without requiring them to surrender personal data to a central authority.

The H Token sits at the center of this ecosystem. It’s the native currency through which the network’s economic activity flows, and it moves between blockchains through a token bridge — the infrastructure that allows assets to travel from one network to another. That bridge, it turned out, was the attack surface.

In 2025, the project raised $20 million from investors including Pantera Capital and Jump Crypto, with the round valuing the company at $1.1 billion. By any measure, this was a well-resourced project with serious institutional backing, not a fly-by-night operation cutting corners on security out of necessity.

Which makes what happened next all the more instructive.

The Laptop That Held Too Much

According to Humanity Protocol’s post-incident disclosure, the breach began with a single employee’s laptop being compromised by an attacker. The device stored several private keys used to administer the project’s cross-chain token bridge — the technical infrastructure enabling H Token to move between Ethereum, BNB Chain, and other networks.

The critical failure wasn’t that the keys existed on a laptop. It was that multiple keys from the same multisig scheme were stored on the same device.

Founder Terence Kwok confirmed that the project had implemented a four-person multisig arrangement — four different individuals holding different keys, requiring a threshold of approvals before any significant action could be authorized. Under normal operation, that means an attacker would need to compromise multiple people across multiple devices to gain sufficient control. The system assumes the keys are genuinely distributed.

“We suspect some keys were accidentally backed up to the compromised device during the setup process,” Kwok said in the project’s disclosure.

That single operational error — keys being copied or backed up to a device that shouldn’t have held them — collapsed the distributed security model entirely. When the attacker got into that laptop, they didn’t have one key. They had enough keys to meet the multisig threshold on their own.

Two Bridges, Two Attack Vectors, One Coordinated Strike

Once inside the laptop, the attacker moved with speed and precision across two separate blockchain networks.

On Ethereum, they obtained three of the six administrator keys required to control the bridge. Three out of six was enough. With that threshold met, the attacker transferred ownership of the bridge contract to a wallet they controlled, replaced the legitimate bridge code with a malicious version they had prepared in advance, and then drained approximately 141 million H Tokens in a single transaction. The entire sequence — takeover, code replacement, drainage — happened in rapid succession before anyone could intervene.

On BNB Chain, the attack took a different form but achieved an equally catastrophic result. There, the attacker obtained three of five required multisig keys, again meeting the threshold needed to make changes to the contract. Rather than draining existing tokens, they deployed malicious code that gave them the ability to mint new H Tokens without restriction. They used that access to mint approximately 200 million new tokens and transfer them directly to wallets they controlled.

The combined impact of the Ethereum drain and the BNB Chain minting operation resulted in total losses exceeding $36 million in H Token. The dual-chain nature of the attack suggests a degree of planning that goes beyond opportunistic exploitation — the attacker had clearly studied the project’s architecture in advance and knew exactly what to do with the access once they had it.

The Mechanics of What Went Wrong

Kwok’s explanation of the incident acknowledges something that the crypto security community has long flagged as a recurring problem: the gap between a security policy and its operational implementation.

The policy at Humanity Protocol was correct. Four keyholders, distributed control, multisig approval required for any critical action. If that policy had been implemented as designed, the attacker’s access to one laptop — however thorough — would have been insufficient to authorize anything.

The problem emerged during setup, when private keys were either copied to or inadvertently backed up onto a device that wasn’t supposed to hold them. This kind of mistake is more common than the industry likes to admit. Setting up a multisig arrangement involves generating keys, distributing them, and confirming that each keyholder has secured their own copy. When that process is rushed, or when developers lean on existing devices out of convenience, or when backup routines run automatically without sufficient awareness of what’s being captured, keys end up in places they shouldn’t be.

Kwok noted that the majority of the project’s treasury assets are managed through licensed custodians and multi-party computation technology — a more sophisticated approach that would not have been vulnerable in the same way. The bridge contracts, however, operated under a different key management process, and that’s where the gap appeared.

It’s a reminder that a project’s security posture is only as strong as its weakest operational procedure. Having the right system designed is not the same as having it correctly deployed.
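
The gap between policy and deployment described above can be checked mechanically. The following is an added example, not code from Humanity Protocol or its disclosure: given an inventory of where every copy of every signer key lives, it computes how many devices an attacker must compromise to reach the signing threshold. The thresholds match the article (3-of-6 and 3-of-5); the key names, device names and key placement are constructed.

```python
from itertools import combinations

def min_devices_for_threshold(key_locations, threshold):
    """Smallest set of devices whose compromise exposes >= threshold distinct keys.

    key_locations maps each signer key to the set of devices holding any copy
    of it (primary or backup). Brute force is fine for multisig-sized inputs.
    """
    devices = sorted({d for locs in key_locations.values() for d in locs})
    for size in range(1, len(devices) + 1):
        for combo in combinations(devices, size):
            exposed = sorted(k for k, locs in key_locations.items() if locs & set(combo))
            if len(exposed) >= threshold:
                return combo, exposed
    return (), []

def audit(wallets):
    """Compare each wallet's policy threshold with its device-level threshold."""
    report = {}
    for name, (threshold, key_locations) in wallets.items():
        combo, exposed = min_devices_for_threshold(key_locations, threshold)
        report[name] = {
            "policy": f"{threshold}-of-{len(key_locations)}",
            "devices_needed": len(combo),
            "devices": combo,
            "keys_exposed": exposed,
            # Sound only if an attacker needs as many devices as the policy needs keys.
            "ok": len(combo) >= threshold,
        }
    return report

# Constructed inventory: thresholds follow the article (3-of-6 on Ethereum,
# 3-of-5 on BNB Chain); key names, device names and placement are invented.
COLLAPSED = {
    "ethereum-bridge": (3, {
        "eth-k1": {"laptop-A"}, "eth-k2": {"hw-2", "laptop-A"},
        "eth-k3": {"hw-3", "laptop-A"}, "eth-k4": {"hw-4"},
        "eth-k5": {"hw-5"}, "eth-k6": {"hw-6"}}),
    "bnb-bridge": (3, {
        "bnb-k1": {"laptop-A"}, "bnb-k2": {"hw-2", "laptop-A"},
        "bnb-k3": {"hw-3", "laptop-A"}, "bnb-k4": {"hw-4"}, "bnb-k5": {"hw-5"}}),
}
# Target state: same policies, each key held on exactly one device.
SEPARATED = {name: (t, {k: {f"dev-{k}"} for k in keys})
             for name, (t, keys) in COLLAPSED.items()}

if __name__ == "__main__":
    for label, inv in (("collapsed", COLLAPSED), ("separated", SEPARATED)):
        for name, row in audit(inv).items():
            print(label, name, row["policy"], row["devices_needed"], row["ok"])
```

The check is only as good as the inventory: automatic backups and sync folders have to be listed as key locations too, since those are the copies the disclosure suspects were made by accident.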

ZachXBT Weighs In

On-chain investigator ZachXBT, who has built a reputation for independently tracking crypto hacks and fraud operations, offered his own assessment of the incident. His conclusion on the primary question was clear: the hack was not connected to suspicious market-making activity that had previously been observed around the H Token, a separate issue that had drawn scrutiny before the breach occurred.

But ZachXBT flagged something that is worth examining regardless of whether it connects to the hack itself.

In the two weeks leading up to the breach, H Token’s price rose sharply — from approximately $0.20 to approximately $0.70. That move coincided with an upcoming token unlock event, where a significant volume of previously locked H Tokens was scheduled to become available. The price spike in advance of a major unlock is a pattern the crypto market has seen before, and it tends to attract attention from analysts trying to understand whether the movement reflects genuine demand or coordinated positioning.

When the hack hit, the price collapsed. At the depth of the sell-off triggered by the breach, H Token fell to approximately $0.05 — a drop of more than 90% from its recent peak, and well below where it was trading even before the pre-unlock rally began.

For token holders who had bought in during that run-up, the losses were severe by any measure. For holders who had accumulated earlier, the sudden destruction of value was a direct consequence of an internal security failure that they had no way to anticipate or protect against.

What the Project Is Doing Now

In the immediate aftermath, Humanity Protocol suspended all deposit and withdrawal activity on the affected bridges. The decision to halt bridge operations is standard practice following a bridge exploit — continuing to allow funds to flow through compromised infrastructure risks additional losses while the attack vector remains unaddressed.

The team says it is actively cooperating with cryptocurrency exchanges to track the movement of the stolen funds, and working with law enforcement on the investigation. Recovering funds after a crypto hack is difficult and rarely results in full restitution, but coordination with exchanges can sometimes freeze assets if the attacker attempts to convert tokens into other currencies or move them to centralized platforms that have KYC requirements.

The project has not disclosed a timeline for restoring bridge functionality or detailed what remediation steps are being taken to prevent a recurrence. Rebuilding trust with users after a breach of this scale typically requires more than technical fixes — it requires transparent communication about what went wrong, what has changed, and what guarantees exist that the new setup is properly implemented rather than just correctly designed.

The Lesson the Industry Keeps Not Learning

The Humanity Protocol hack will take its place in a long list of bridge exploits that have collectively cost the crypto industry billions of dollars over the past several years. Bridges are among the most technically complex and security-sensitive components of the blockchain ecosystem, and they have consistently been among the most attacked.

What distinguishes this incident is that the vulnerability wasn’t in the bridge’s smart contract code or in some exotic cryptographic failure. It was in the process by which keys were managed and stored by the humans responsible for the system. The attacker didn’t beat the technology. They beat an operational mistake.

That’s arguably harder to fix than a code bug. A code bug can be patched with certainty once it’s identified. Human processes are harder to audit, harder to enforce, and easier to get subtly wrong — especially during a setup phase when teams are moving quickly and the consequences of small errors aren’t immediately visible.

The $36 million that left Humanity Protocol’s bridges did so because someone’s laptop held keys it wasn’t supposed to hold. That’s the entire story. And it’s a story the industry will keep telling until key management discipline becomes as non-negotiable as the security architecture it’s designed to protect.


Aryad Satriawan is an Investment Storyteller with a professional career in the crypto (web3) and stock market industry. Aryad has been actively trading and writing analysis and research on crypto, stock and forex markets since 2016, and is currently an educator at one of the largest stock brokers in Indonesia.