North Korean Hackers Suspected in $36M Humanity Protocol Breach, Quantstamp Reports


According to Quantstamp, the $36 million Humanity Protocol breach was facilitated by a fraudulent Bithumb email, suggesting North Korean cybercriminal involvement.

Blockchain security firm Quantstamp has determined that a malicious attachment sent via phishing email points to the involvement of North Korea-associated threat actors in the recent Humanity Protocol security breach.

On Monday, the decentralized identity firm reported that hackers extracted $36 million worth of Humanity (H) tokens after gaining access through an employee's compromised laptop.

According to Quantstamp's incident response analysis, the malicious attachment masqueraded as an updated token lockup schedule from Bithumb, a South Korean cryptocurrency exchange. The attachment deployed malware that gave the attackers complete remote control of the compromised laptop.

The fraudulent phishing email responsible for the Humanity Protocol security breach. Source: Quantstamp

According to Quantstamp's findings, the malicious software carried a digital signature from South Korean company Hancom, a technique the security firm identified as "characteristic of DPRK intrusions." The malicious program allowed the threat actors to extract the MetaMask wallet credentials and private keys belonging to Humanity Protocol director Chong Yee Wai.

If confirmed, the North Korean connection would be yet another entry in an extensive list of significant cryptocurrency thefts linked to the nation. In April alone, North Korea-associated threat actors were connected to at least $578 million of the $634 million taken in cryptocurrency-related security incidents.

North Korean hackers tied to some of the largest crypto hacks

A May report published by blockchain security firm CertiK reveals that these same threat actors have been associated with approximately $2 billion of the $3.4 billion lost to cryptocurrency exploits in 2025, despite representing only 12% of total incident occurrences. According to CertiK, these numbers demonstrate a strategic emphasis on "precision and scale."

The report indicates that throughout the past ten years, threat actors linked to North Korea have stolen an estimated $6.75 billion in cryptocurrency through 263 documented security incidents.

CertiK's analysis further noted that North Korea has effectively "industrialized" cryptocurrency theft, transforming it into a fundamental state revenue generation mechanism, with these criminal operations comprising a significant portion of the regime's foreign income sources.

Cumulative DPRK cryptocurrency theft throughout the years. Source: CertiK/Skynet

While North Korea seldom addresses accusations of cybercriminal activity, on May 3, a representative from the Foreign Ministry dismissed these allegations in an official statement published by the Korean Central News Agency, the nation's official state media outlet.

The ministry spokesperson criticized the United States for promoting "incorrect" narratives regarding the "non-existent 'cyber threat'" allegedly originating from North Korea.
