Stolen Keys Let Attacker Mint 300M H Tokens on BSC

[Figure: H token key compromise diagram showing stolen Safe keys, ProxyAdmin takeover, and malicious minting on Ethereum and BSC]

The attack on Humanity Protocol’s H token was not a smart contract exploit at all. Instead, it served as a painful reminder of one of crypto’s oldest problems: lose control of your private keys, and even flawless infrastructure becomes a weapon in someone else’s hands. An attacker gained control over several of the project’s keys simultaneously and, within a matter of hours, stole or minted roughly 447 million H tokens across the Ethereum and BSC networks.

The Attack Begins on Ethereum

The incident began on June 8, 2026, when the attacker compromised an administrative hot wallet and withdrew 6,045,060 H to their own address. The attack soon escalated to target the bridge connecting Ethereum and BSC. The attacker had obtained three of the six Safe owner keys responsible for managing the bridge’s ProxyAdmin contract, a sufficient threshold to transfer ProxyAdmin control to their own wallet, upgrade the bridge contract to a malicious version, and drain 141,182,632 H in a single transaction.

A Second, More Damaging Strike on BSC

A similar pattern repeated the following day on the BSC network, though with even more severe consequences. The attacker obtained three of the five BSC Safe owner keys, seized control of the H token’s ProxyAdmin, and swapped in a malicious contract implementation. From there, they invoked the minting function three separate times, creating 300 million new H tokens. As a result, the total H supply on BSC ballooned from roughly 141 million to 441 million tokens, more than tripling in size.

Ongoing Control Over the Compromised Assets

According to the Humanity Protocol team’s incident update, the attacker continues to control the ProxyAdmin on BSC, meaning they retain the ability to mint additional tokens, halt the contract entirely, or alter its logic at will. The BSC version of H has effectively been declared irrecoverably compromised. The Ethereum-BSC bridge likewise remains under the attacker’s control, still running the malicious contract implementation.

What Survived Unscathed

Fortunately, the project reports that the primary H token on Ethereum itself was not affected. The team managed to freeze it in time using an untouched Safe wallet requiring four of seven signatures, and contract upgrade authority remains firmly in the team’s hands. The canonical Arbitrum bridge also escaped the attack entirely and continues to hold roughly 87 million H.

The Root Cause: Malware, Not a Contract Flaw

Crucially, the underlying cause had nothing to do with a flaw in the smart contracts, the bridge, or the Safe multisig setup itself. Humanity’s team confirmed that an employee’s computer had been infected with malware, granting the attacker full remote access to the device. Roughly a year earlier, during the launch of Humanity’s mainnet, backup copies of several private keys were mistakenly stored on this same machine, including the hot wallet key, three Ethereum Safe keys, and three BSC Safe keys.

In total, the attacker obtained seven private keys, all compromised through this single point of failure. It remains unclear exactly when the device was first infected, how the attacker gained full access to it, or how long they held the stolen keys before launching the operation.
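
The single point of failure described above can be caught by auditing where key copies live. The following is an added example, not code from Humanity Protocol or the original article: it flags any device whose compromise alone meets a Safe's signing threshold or exposes a single-signer wallet. The thresholds follow the article; the Safe names, key labels, device names and the inventory itself are constructed assumptions.

```python
from collections import defaultdict

# Thresholds and owner counts follow the article (3-of-6, 3-of-5, 4-of-7).
# Safe names, key labels and device names are hypothetical.
SAFES = {
    "eth-bridge-safe": {"threshold": 3, "owners": 6},
    "bsc-token-safe": {"threshold": 3, "owners": 5},
    "eth-token-safe": {"threshold": 4, "owners": 7},
}
BACKUP_HOST = "employee-laptop"


def build_inventory():
    """Constructed custody records: (key label, safe or None, device holding a copy)."""
    copies = [("hot-wallet", None, BACKUP_HOST)]  # single-signer admin wallet
    for safe, cfg in SAFES.items():
        for i in range(1, cfg["owners"] + 1):
            key = f"{safe}-owner{i}"
            copies.append((key, safe, f"signer-{safe}-{i}"))  # primary copy
            # Backup copies of three keys per Safe left on one machine
            if safe != "eth-token-safe" and i <= 3:
                copies.append((key, safe, BACKUP_HOST))
    return copies


def blast_radius(copies, safes):
    """Map each device to what its compromise alone hands over."""
    per_device = defaultdict(lambda: defaultdict(set))
    for key, safe, device in copies:
        per_device[device][safe].add(key)
    report = {}
    for device, by_safe in per_device.items():
        wallets = sorted(by_safe.get(None, ()))
        taken = sorted(s for s, keys in by_safe.items()
                       if s is not None and len(keys) >= safes[s]["threshold"])
        if wallets or taken:
            report[device] = {"safes": taken, "wallets": wallets}
    return report


if __name__ == "__main__":
    for device, hit in blast_radius(build_inventory(), SAFES).items():
        print(f"{device}: safes={hit['safes']} wallets={hit['wallets']}")
```

In this constructed inventory only the backup host is reported, because every other device holds a single owner key and stays below each threshold.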

Indistinguishable From Legitimate Activity

The project’s team emphasized that the attacker’s actions appeared entirely legitimate at the time, since every transaction was signed using genuine, valid keys. The attacker never broke the contracts’ underlying logic. Instead, they simply exercised privileges that the system itself had been designed to trust. Humanity has brought in outside specialists to conduct a forensic review of the infected devices and has promised to share further findings once that investigation concludes. The project is also developing a support program for affected users.
