Tuesday, June 9, 2026

Humanity Protocol Says Foundation Key Compromise Drained More Than $30M, On-Chain Monitors Flag 100M H Mint on BNB Chain


Humanity Protocol warned users not to interact with its bridge or liquidity pools after a private key tied to a Humanity Foundation member was compromised. The first public alert came from founder Terence Kwok on June 9, 2026, when he said the team had detected a security incident involving foundation-linked private keys.

The initial warning did not include a full technical breakdown, reimbursement plan or transaction list. It confirmed only that users should avoid the bridge and liquidity pools until the team could verify safety, while Humanity worked with security experts and exchange partners on containment. That made the confirmed impact operational rather than limited to a single drained wallet.

Bridge Controls Became the Main Failure Point

Humanity later said the attack began on June 8 and affected H token infrastructure across Ethereum and BNB Smart Chain. According to the project’s incident update, the breach stemmed from a compromised employee laptop that exposed multiple Gnosis Safe owner keys tied to bridge administration. The incident therefore moved from a private-key breach into a bridge-control compromise.

On Ethereum, Humanity said three of six Gnosis Safe owner keys controlling the Hyperlane bridge ProxyAdmin were compromised. The attacker then transferred ProxyAdmin ownership, upgraded the bridge to a malicious implementation and moved roughly 141.2 million H tokens in a single transaction. Those details point to privileged administrative access, not a normal smart-contract logic flaw.

On BNB Smart Chain, the project said three of five Safe owner keys were also compromised. Humanity attributed a similar ProxyAdmin takeover to the attacker, followed by the deployment of a malicious implementation with an unlimited mint function. The project said the attacker minted 200,000,005 H tokens in two tranches directly to attacker-controlled wallets. That minting detail is now attributed to Humanity’s own incident update, after earlier monitoring accounts had reported a smaller 100 million H figure.
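The sequence described on both chains (ProxyAdmin ownership transfer, upgrade to a new implementation, then large token movement or minting) leaves standard event logs that a defender can alert on. The Python below is an added example, not code from Humanity Protocol or from the reports cited here; it checks `eth_getLogs`-shaped records against allowlists. All addresses, the configuration keys, the mint threshold and the 18-decimal token assumption are constructed placeholders.

```python
# Added example: flag an admin-takeover sequence in event logs fetched from an RPC node.
# Topic0 values are the keccak-256 hashes of the standard event signatures.
OWNERSHIP_TRANSFERRED = "0x8be0079c531659141344cd1fd0a4f28419497f9722a3daafe3b4186f6b6457e0"
UPGRADED = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"
TRANSFER = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
ZERO_TOPIC = "0x" + "0" * 64

def addr(n):  # constructed placeholder address, not a real on-chain identifier
    return "0x" + f"{n:040x}"

def topic(a):  # left-pad a 20-byte address into a 32-byte indexed topic
    return "0x" + "0" * 24 + a[2:]

def scan(logs, cfg):
    """Return (rule, block, detail) alerts for changes outside the allowlists in cfg."""
    alerts = []
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        src, t = log["address"].lower(), log["topics"]
        if src == cfg["proxy_admin"] and t[0] == OWNERSHIP_TRANSFERRED:
            new_owner = "0x" + t[2][-40:]  # topics: [sig, previousOwner, newOwner]
            if new_owner not in cfg["expected_owners"]:
                alerts.append(("ADMIN_OWNER_CHANGED", log["blockNumber"], new_owner))
        elif src == cfg["proxy"] and t[0] == UPGRADED:
            impl = "0x" + t[1][-40:]  # ERC-1967 Upgraded(address indexed implementation)
            if impl not in cfg["approved_impls"]:
                alerts.append(("UNAPPROVED_UPGRADE", log["blockNumber"], impl))
        elif src == cfg["token"] and t[0] == TRANSFER and t[1] == ZERO_TOPIC:
            amount = int(log["data"], 16)  # a mint is a Transfer from the zero address
            if amount > cfg["mint_limit"]:
                alerts.append(("LARGE_MINT", log["blockNumber"], amount))
    return alerts

SAFE, ADMIN, PROXY, TOKEN, IMPL_OK, NEW_OWNER, NEW_IMPL = (addr(i) for i in range(1, 8))
CFG = {"proxy_admin": ADMIN, "proxy": PROXY, "token": TOKEN,
       "expected_owners": {SAFE}, "approved_impls": {IMPL_OK},
       "mint_limit": 1_000_000 * 10**18}  # assumes an 18-decimal token
MINT = 100_000_000 * 10**18  # constructed amount

SAMPLE_LOGS = [  # constructed records; numeric fields already converted to int
    {"address": ADMIN, "blockNumber": 100, "logIndex": 0, "data": "0x",
     "topics": [OWNERSHIP_TRANSFERRED, topic(SAFE), topic(NEW_OWNER)]},
    {"address": PROXY, "blockNumber": 101, "logIndex": 0, "data": "0x",
     "topics": [UPGRADED, topic(NEW_IMPL)]},
    {"address": TOKEN, "blockNumber": 102, "logIndex": 3, "data": hex(MINT),
     "topics": [TRANSFER, ZERO_TOPIC, topic(NEW_OWNER)]},
    {"address": TOKEN, "blockNumber": 102, "logIndex": 4, "data": hex(5 * 10**18),
     "topics": [TRANSFER, topic(SAFE), topic(NEW_OWNER)]},
]
```

Calling `scan(SAMPLE_LOGS, CFG)` returns three alerts in block order; the ordinary transfer in the last record is ignored.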

The confirmed affected services are narrower than the entire Humanity product stack. Humanity said deposits and withdrawals through the affected bridges were halted, while the earlier user warning covered bridge interactions and liquidity pools. No public statement reviewed confirmed that every identity or verification service was affected in the same way.

On-Chain Identifiers Remain Limited

Public reports and official statements reviewed did not provide full attacker wallet addresses, transaction hashes or direct block-explorer links for the main bridge takeover and minting transactions. The only visible identifier repeated in monitoring excerpts was the Ethereum H token contract reference, listed as ethereum:0xcf5104d094e3864cfcbda43b82e1cefd26a016eb. That is a token contract identifier, not a confirmed attacker wallet or transaction hash.

On-chain trackers reported that more than 17 wallets connected to, or interacting with, Humanity Protocol had been drained as the incident unfolded. Early estimates placed the loss near $19 million before later updates raised the figure above $30 million, and Humanity’s own later statement put the stolen amount above $36 million across both chains. The loss estimate increased as investigators mapped additional wallets and chain activity.

Monitoring accounts also reported that the attacker swapped part of the stolen H into ETH and routed assets through decentralized exchange liquidity. Those details remain dependent on external tracking rather than a complete official transaction table, so the laundering path should be described as active but only partially documented. The available evidence supports token selling and conversion activity, but not a fully public forensic map.

The breach shows how a compromised endpoint can become a protocol-level crisis when bridge ownership and upgrade permissions sit behind a small number of keys. Even if user-facing infrastructure advertises decentralization, admin-key concentration can still create a single operational control surface.

For now, the clean reading is serious but specific. Humanity Protocol has confirmed compromised keys, halted affected bridge deposits and withdrawals, warned users away from bridges and liquidity pools, and attributed the BNB Chain mint to a malicious bridge-control takeover. Until the promised full postmortem is published, the unresolved questions remain transaction-level attribution, recovery strategy and whether additional privileged roles were exposed.
