North Korean Cybercriminals Allegedly Behind Humanity Protocol's $36M Breach, Says Quantstamp
Blockchain security firm Quantstamp reports that a fraudulent Bithumb email used in Humanity Protocol's $36 million theft bears hallmarks of North Korean cybercriminal groups.

Blockchain security firm Quantstamp has determined that a malicious file distributed via phishing email points to the involvement of threat actors with ties to North Korea in the recent Humanity Protocol security breach.
Humanity Protocol, a firm specializing in decentralized identity, reported that attackers extracted $36 million worth of Humanity (H) tokens on Monday after compromising a staff member's laptop.
The malicious attachment was disguised as an updated token lockup schedule from Bithumb, a cryptocurrency exchange based in South Korea. Once installed, the malware gave the attackers complete remote control of the compromised laptop, according to Quantstamp's incident response analysis.
According to Quantstamp, the malicious software carried a digital signature from Hancom, a South Korean technology company, a technique that is "characteristic of DPRK intrusions." The malware allowed the attackers to extract MetaMask wallet credentials and private keys belonging to Chong Yee Wai, a director at Humanity Protocol.
The suspected connection to North Korea would represent another entry in an ongoing sequence of significant cryptocurrency thefts linked to the nation. Threat actors associated with North Korea were connected to a minimum of $578 million out of the total $634 million taken in cryptocurrency-related security breaches during April.
North Korean hackers tied to some of the largest crypto hacks
A May report released by CertiK, a blockchain security company, reveals that these same threat actors have been associated with approximately $2 billion of the $3.4 billion lost to cryptocurrency exploits throughout 2025, despite accounting for only 12% of incidents. According to CertiK, these statistics demonstrate a strategic emphasis on "precision and scale."
Throughout the last ten years, threat actors linked to North Korea have successfully stolen an estimated total of $6.75 billion in cryptocurrency spanning 263 documented security incidents, according to the report's findings.
CertiK further noted that North Korea has transformed crypto theft into an "industrialized" operation that functions as a primary state revenue generation mechanism, with these criminal operations contributing a significant portion of the regime's income from external sources.
North Korea rarely addresses accusations related to cybercrime. On May 3, however, a representative from the Foreign Ministry dismissed such allegations in an official statement published by the Korean Central News Agency, the nation's official state media outlet.
The ministry spokesperson criticized the US for disseminating "incorrect" narratives regarding the "non-existent 'cyber threat'" from North Korea.