The Humanity Protocol uses palm scans and zero-knowledge proofs (ZKPs) to offer on-chain “proof of humanity.” In June 2026, the protocol suffered an estimated $36 million hack due to compromised private keys.
Inside the Attack
The Humanity Protocol hack began as a malware infection on the computer of one of the protocol’s developers. The malware gained root access to the device, allowing it to collect the credentials and private keys stored there.
In total, the malware was able to steal seven private keys from the developer’s machine. These included the private key for one of the protocol’s hot wallets as well as two sets of three keys for the ETH Safe and BSC Safe accounts. The keys were present on the device because of an accidental backup made when the protocol launched its mainnet in June 2025.
The hot wallet private key provided full control over the associated account. With this access, the attacker transferred 6,045,060 H tokens to a wallet they controlled on Ethereum.
Later, the attacker used the two sets of Safe keys to build an offline multisig transaction for the corresponding Safe accounts. The ETH Safe transaction allowed them to perform a malicious upgrade to the project’s bridge contract and drain an estimated 141 million H tokens. The BSC transaction also granted admin-level control over the bridge and the ability to mint 300 million unauthorized H tokens.
In total, an estimated 447 million H tokens were stolen or minted by the attacker across the three compromised accounts. The attacker swapped most of the H tokens for ETH and dumped the rest on DEXs, resulting in an estimated 80-90% drop in the token’s value within 12 hours.
Lessons Learned from the Attack
This incident demonstrated the risks associated with centralization of power within DeFi protocols. The attack was possible because enough keys were stored on a single developer’s machine for an attacker to take over both a hot wallet and two multisig accounts. The alleged reason was accidental backups, but ZachXBT questioned that explanation and suggested the incident was actually an inside job.
Whether accidental or intentional, centralization of private keys made this incident possible. Web3 projects need security policies and programs that keep multisig signer keys on separate devices, since co-locating them removes the protection a multisig is meant to provide. For help with developing an off-chain security program that prevents this type of incident, get in touch with Halborn.
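The separation requirement above can be checked against a key-custody inventory. The script below is an added example (not code from Halborn or the Humanity Protocol) that, for each Safe, computes how many distinct custody locations an attacker would have to compromise to collect a signing quorum, and flags any Safe whose threshold is reachable from fewer locations than the threshold itself. The inventory and Safe configurations are constructed, hypothetical data.

```python
"""Key-custody review (added example, not Halborn's or Humanity Protocol's code).
For each Safe multisig, find the smallest set of custody locations (laptops,
HSMs, signing services) whose keys meet the signing threshold. Keys co-located
on one machine reduce an m-of-n Safe to a single point of compromise."""

from itertools import combinations

# Constructed, hypothetical inventory: location -> signer keys stored there.
CUSTODY = {
    "dev-laptop-01": {"eth-safe-1", "eth-safe-2", "eth-safe-3",
                      "bsc-safe-1", "bsc-safe-2", "bsc-safe-3", "hot-wallet"},
    "hsm-ops-1": {"treasury-1"},
    "hsm-ops-2": {"treasury-2"},
    "hsm-ops-3": {"treasury-3"},
}

# Constructed, hypothetical Safe configurations: owner keys and m-of-n threshold.
SAFES = {
    "ETH Safe": {"owners": {"eth-safe-1", "eth-safe-2", "eth-safe-3"}, "threshold": 3},
    "BSC Safe": {"owners": {"bsc-safe-1", "bsc-safe-2", "bsc-safe-3"}, "threshold": 3},
    "Treasury Safe": {"owners": {"treasury-1", "treasury-2", "treasury-3"}, "threshold": 2},
}

def min_locations_to_reach_threshold(owners, threshold, custody):
    """Return (n, locations): the fewest locations whose keys cover at least
    `threshold` of `owners`; (None, ()) if no combination of locations does."""
    relevant = {loc: keys & owners for loc, keys in custody.items() if keys & owners}
    for n in range(1, len(relevant) + 1):
        for combo in combinations(relevant, n):
            covered = set().union(*(relevant[loc] for loc in combo))
            if len(covered) >= threshold:
                return n, combo
    return None, ()

def review(safes, custody):
    """Flag every Safe whose quorum is reachable from fewer locations than its
    threshold, i.e. at least two signer keys share a custody location."""
    findings = []
    for name, cfg in safes.items():
        n, locs = min_locations_to_reach_threshold(cfg["owners"], cfg["threshold"], custody)
        if n is not None and n < cfg["threshold"]:
            findings.append({"safe": name, "locations": locs, "threshold": cfg["threshold"]})
    return findings

if __name__ == "__main__":
    for f in review(SAFES, CUSTODY):
        print(f"{f['safe']}: {f['threshold']}-of-n quorum reachable from {f['locations']}")
```

With the constructed inventory, both the ETH Safe and the BSC Safe are flagged because a single laptop holds all three signer keys for each, while the Treasury Safe passes because its keys sit on separate HSMs.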
