Humanity Protocol, a decentralized identity project focused on palm-recognition technology, confirmed a major security breach on June 9, 2026 after credentials linked to a Humanity Foundation member were compromised. The incident resulted in losses of more than $30 million and led to the unauthorized minting of millions of H tokens on BNB Chain.
The breach appears to have differed from a typical DeFi exploit because the initial failure occurred at the administrative level, not through a publicly identified smart contract vulnerability. Humanity Protocol founder and CEO Terence Kwok said the project’s security team detected the compromised credentials, which gave the attacker access to project-linked wallets.
We've detected a security incident involving the compromise of private keys belonging to a member of the Humanity Foundation. As a precaution, please do not interact with the bridge or any liquidity pools until we confirm it's safe.
We're already working with security experts…
— Terence Kwok 「 🖐️ ✦ 🌏 」 (@terencekwok) June 9, 2026
Compromised Credentials Trigger Wallet Drains
According to the project’s official incident report, more than 17 project-linked wallets were drained during the attack. On-chain monitoring tools initially estimated the losses at about $19 million, before the figure later rose above $30 million as the attacker consolidated funds and swapped assets into ETH and BNB.
The compromise then expanded beyond the theft of existing reserves. Market monitors flagged that the attacker gained proxy administrator rights over the H token contract on BNB Chain, giving them control over sensitive token functions.
That access was allegedly used to mint approximately 100 million new H tokens from the null address, with an estimated value of roughly $11.6 million at the time of the mint. The unauthorized issuance added a second layer of pressure to the protocol’s already damaged liquidity position.
The market reaction was immediate and severe. As stolen assets were dumped through decentralized exchanges including Kyber Network and PancakeSwap, the H token price reportedly fell nearly 90%, dropping from a daily high near $0.73 to a low close to $0.07 within 24 hours.
Protocol Advises Users to Stop Interactions
Humanity Protocol has advised users to cease interactions with its bridge and liquidity pools until further notice. The team has maintained that while foundation keys were compromised, its current assessment is that core protocol infrastructure and user biometric data remain secure.
The project is reportedly working with external security specialists and exchange partners to trace the movement of funds. The assets have been consolidated into wallets holding more than 18,000 ETH and 2,400 BNB.
The incident adds to a broader pattern of privileged-access failures in 2026, following cases such as the StablR Protocol multisig misconfiguration in May. For Humanity Protocol, the breach underscores the operational risk created by administrative key control, even when the underlying protocol is not presented as the direct attack vector.
A full technical post-mortem and any roadmap for potential reimbursement remain pending from the Humanity Foundation. Until those details are released, the protocol remains in containment mode as it works to manage the fallout from the loss of administrative control.