$36M bridge exploit traced to employee's infected computer, Humanity reveals
Blockchain security experts noted that the attack's characteristics raise unresolved concerns about privileged key management and preparatory steps taken prior to the token sell-off.

According to Humanity Protocol, a breach of a staff member's computer enabled malicious actors to gain access to bridge administrative functions, modify smart contracts and make off with more than $36 million worth of H tokens.
The protocol released an incident report on Tuesday detailing how Monday's breach impacted the H token on both the Ethereum and BNB Chain networks. According to the team's statement, three of the six owner keys for its Gnosis Safe were compromised, granting the perpetrators administrative authority over the bridge infrastructure across both blockchain ecosystems.
After gaining administrative privileges, the perpetrators replaced the existing bridge contracts with malicious alternatives, according to Humanity's account. On the Ethereum network, approximately 141.2 million tokens were extracted from the system. On the BSC network, the attackers implemented a new function enabling unlimited token generation, subsequently creating 200 million tokens that were transferred straight into a wallet under their control.
In an interview with Cointelegraph, Humanity's founder Terence Kwok explained that the protocol had implemented multisignature security measures distributed among four separate people, though certain keys might have been left vulnerable during the initial configuration process.
"What we believe happened was some of the keys were accidentally backed up to a compromised device," said Terence Kwok, Humanity founder.
According to Kwok, Humanity employs "a licensed custodian for the majority of token treasury" along with MPC technology for managing its operations treasury, though "for certain contracts, multisig keys were set up in one place and then dispersed," which resulted in some keys being stored on a device that had been compromised.
This security breach demonstrates how a single compromised computer endpoint can escalate into a critical protocol-wide emergency when multiple levels of authority are consolidated behind a limited set of cryptographic keys. The protocol announced it has suspended all deposit and withdrawal operations for the impacted bridges and is currently collaborating with cryptocurrency exchanges and relevant stakeholders to reduce further losses and explore potential recovery strategies.
The H token from Humanity Protocol plummeted more than 85% following the project's announcement regarding the private key security breach. When the incident was disclosed, Kwok issued an urgent warning advising users to avoid any interaction with the bridge infrastructure or associated liquidity pools.
Security firms examine exploit pattern
The incident drew close scrutiny from blockchain security investigators over whether the breach was genuinely an external attack or was linked to unusual token movements ahead of a scheduled unlock event, a point certain community observers had highlighted.
ZachXBT, a well-known blockchain investigator, initially raised concerns that Humanity's market-maker operations and over-the-counter (OTC) transactions might be connected to the security exploit. He subsequently stated that, following additional examination, the market-maker transactions and OTC activity seemed to be unrelated to the private key security breach.
Hakan Unal, senior security operations lead at Cyvers, told Cointelegraph that the on-chain transaction patterns can look remarkably similar at first whether an incident is a genuine security compromise or an orchestrated internal event, since in either scenario the perpetrator holds valid administrative credentials.
"What distinguishes them is the surrounding behavior. A genuine compromise usually shows speed and improvisation: funds rushed to fresh wallets, swaps at bad prices, mixer use, and no insider timing," said Hakan Unal of Cyvers.
In comparison, Unal explained that an orchestrated incident might display questionable timing coinciding with token unlocks or vesting schedules, concentrated token supply, methodical fund transfers or stolen assets that ultimately circle back to addresses associated with team members or market-making entities.
"Right now the evidence is mixed, which is why the question is open."
Researcher suspects the Humanity incident was coordinated
In the meantime, Elton Shehdula, who leads research at Allium Labs, indicated that the blockchain transaction patterns associated with the exploit suggested a potentially pre-planned and orchestrated operation rather than the work of a single opportunistic hacker.
According to Shehdula's analysis, the attacker wallets received funding from both a cryptocurrency exchange and a mixing service several weeks prior to the exploit, the token minting capabilities were tested and "warmed up" in the days leading up to the attack, and the massive token dump was executed simultaneously across two separate blockchain networks.
Shehdula stated that the degree of preparation and privileged access observed was compatible with either an "insider or an outside actor" who had been silently in possession of the compromised cryptographic key for an extended period of time.
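The three preparation signals Shehdula lists (funding weeks ahead, warm-up mints in the days before, a sell-off synchronized across chains) can be computed from an event timeline, as in this added example, which is not Allium Labs' or Humanity's tooling. The event schema, timestamps, amounts and thresholds are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample timeline, NOT real on-chain data. Assumed schema:
# (UTC timestamp, chain, kind, detail, token amount); kind is fund, mint or dump.
EVENTS = [
    ("2026-01-05T09:12:00", "ethereum", "fund", "exchange", 0),
    ("2026-01-07T21:40:00", "bsc", "fund", "mixer", 0),
    ("2026-01-27T03:15:00", "bsc", "mint", "test", 10),
    ("2026-01-28T03:20:00", "bsc", "mint", "test", 1_000),
    ("2026-02-02T14:00:00", "bsc", "mint", "main", 5_000_000),
    ("2026-02-02T14:05:00", "bsc", "dump", "dex", 5_000_000),
    ("2026-02-02T14:09:00", "ethereum", "dump", "dex", 3_000_000),
]


def staging_indicators(events, funding_days=14, warmup_days=7,
                       sync_window=timedelta(minutes=30)):
    """Score a wallet cluster's timeline for signs of advance preparation."""
    rows = [(datetime.fromisoformat(ts), chain, kind, detail, amt)
            for ts, chain, kind, detail, amt in events]
    dumps = [r for r in rows if r[2] == "dump"]
    if not dumps:
        return None  # nothing to assess without a sell-off
    t0 = min(r[0] for r in dumps)  # start of the sell-off
    funds = [r for r in rows if r[2] == "fund" and r[0] < t0]
    lead = (t0 - min(r[0] for r in funds)).days if funds else 0
    mints = [r for r in rows if r[2] == "mint" and r[0] < t0]
    biggest = max((r[4] for r in mints), default=0)
    # Warm-up: small mints (under 1% of the largest) shortly before the dump.
    warm = [r for r in mints
            if r[4] < 0.01 * biggest and t0 - r[0] <= timedelta(days=warmup_days)]
    # Synchronization: the first dump on every chain falls in one short window.
    first = {}
    for t, chain, *_ in sorted(dumps):
        first.setdefault(chain, t)
    synced = (len(first) > 1
              and max(first.values()) - min(first.values()) <= sync_window)
    return {
        "funding_lead_days": lead,
        "funding_sources": sorted({r[3] for r in funds}),
        "warmup_mints": len(warm),
        "cross_chain_sync": synced,
        "prestaged": lead >= funding_days and len(warm) > 0 and synced,
    }


if __name__ == "__main__":
    print(staging_indicators(EVENTS))
```

A `prestaged` result describes preparation only; as Shehdula notes, it fits either an insider or an outside actor who held the key for some time.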