Report on the $36 million Humanity hack published: how North Korean hackers phished their way to 7 critical private keys

Humanity Protocol suffered a phishing attack attributed to North Korean hackers, who stole 7 critical private keys from developer devices and used them to transfer and sell roughly $36 million worth of assets through the project's cross-chain system.

North Korean hackers are suspected to have gained access through phishing attacks, causing Humanity Protocol to lose up to $36 million.

Decentralized identity verification project Humanity Protocol recently experienced a major security incident, with approximately $36 million in assets stolen by hackers. According to an investigation report released by security firm Quantstamp, the attack methods bear a high similarity to previous operations launched by North Korean hacking groups, with overlapping features in tools, procedures, and credential usage patterns.

Image source: X/@Humanityprot. Quantstamp's investigation report, showing the high similarity between the attack methods and past North Korean hacker operations.

The investigation shows that the hackers did not exploit smart contract vulnerabilities but instead used phishing emails and malware infections to compromise developer devices, further gaining control of key private keys. The attackers ultimately obtained 7 important private keys, including admin hot wallet keys, Ethereum Safe multi-signature keys, and BNB Chain multi-signature permissions, successfully gaining control over multiple core systems.

Since every operation was carried out with legitimate signing permissions, the related transactions appeared fully authorized on-chain, making it difficult for the team to detect the abnormal activity in time.

A large amount of $H tokens were transferred and sold, impacting market confidence

After gaining control, the hackers first upgraded the cross-chain bridge contracts, then withdrew a large amount of $H tokens from Humanity Protocol’s cross-chain system, and performed additional minting and transfer operations on BNB Chain. Some tokens were quickly sold, eventually exchanged for ETH and sent to other addresses.

Following the incident, market panic spread rapidly, causing the price of $H tokens to plummet in a short period, with market cap evaporating accordingly. Although a technical rebound of over 200% occurred later, doubts about the project’s governance and security mechanisms remain unresolved.

This incident also highlights the potential risks of cross-chain bridges, multi-signature governance, and permission management frameworks. Even if the smart contracts themselves are free of vulnerabilities, private key theft allows attackers to operate with the same permissions as legitimate administrators.
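As an added illustration (not code from Humanity Protocol, Quantstamp or the original article), the following Python sketch shows the kind of privileged-operation monitoring that can surface this pattern even when every transaction carries a valid signature: it alerts on a proxy upgrade to an unexpected implementation and on a mint above a routine cap. All addresses, caps and events are constructed placeholders.

```python
"""Constructed example: flag privileged on-chain operations even when every
transaction carries a valid signature. Addresses and numbers are placeholders."""
from dataclasses import dataclass

ZERO_ADDRESS = "0x" + "0" * 40  # an ERC-20 Transfer from the zero address is a mint

@dataclass
class Event:
    chain: str        # "ethereum" or "bnb"
    contract: str     # emitting contract (placeholder addresses below)
    name: str         # "Upgraded" (proxy) or "Transfer" (token)
    args: dict

# Policy the defender knows in advance (assumed values, not the project's own).
EXPECTED_IMPL = {("ethereum", "0xBRIDGE_PROXY"): "0xBRIDGE_IMPL_V1"}
MINT_CAP = {("bnb", "0xH_TOKEN"): 100_000}  # largest routine mint, in whole tokens

def check_event(ev: Event) -> list[str]:
    """Return alert strings for one decoded event; empty list if it is routine."""
    key = (ev.chain, ev.contract)
    alerts = []
    if ev.name == "Upgraded":
        # Any implementation change is privileged; an unexpected target is critical.
        impl = ev.args["implementation"]
        if impl != EXPECTED_IMPL.get(key):
            alerts.append(f"CRITICAL upgrade {ev.contract} -> {impl} on {ev.chain}")
        else:
            alerts.append(f"INFO expected upgrade {ev.contract} on {ev.chain}")
    elif ev.name == "Transfer" and ev.args["from"] == ZERO_ADDRESS:
        # Mint detected; compare against the cap for this token on this chain.
        if ev.args["value"] > MINT_CAP.get(key, 0):
            alerts.append(f"CRITICAL mint {ev.args['value']} to {ev.args['to']} on {ev.chain}")
    return alerts

def scan(events: list[Event]) -> list[str]:
    """Run the checks over a decoded event stream and collect all alerts in order."""
    return [a for ev in events for a in check_event(ev)]

# Constructed sample stream mirroring the reported sequence: bridge upgrade, then mint.
SAMPLE_EVENTS = [
    Event("ethereum", "0xBRIDGE_PROXY", "Upgraded", {"implementation": "0xUNKNOWN_IMPL"}),
    Event("bnb", "0xH_TOKEN", "Transfer", {"from": "0xUSER_A", "to": "0xUSER_B", "value": 500}),
    Event("bnb", "0xH_TOKEN", "Transfer",
          {"from": ZERO_ADDRESS, "to": "0xATTACKER_EOA", "value": 5_000_000}),
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

Such alerts would be routed to an on-call channel independent of the signing devices, since a compromised developer machine cannot be trusted to raise them itself.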

The core issue lies in private key management and operational security

The Humanity Protocol team stated that neither the token contracts, the cross-chain architecture, nor the Safe multi-signature system was compromised at the technical level. The root cause was the malware infection of developer devices that still held backup private key data from the mainnet deployment.

Quantstamp pointed out that once the attackers held the highest privileges on the device, they could read this sensitive data directly. Because the private keys involved carried sufficient signing authority, the hackers could perform contract upgrades and asset transfers that were valid on-chain.

In recent years, this attack pattern has increasingly become a common strategy among North Korean hacking groups. Compared to spending extensive time finding smart contract vulnerabilities, directly targeting developer, operations, or system administrator devices often yields higher success rates.

Web3 security frontier expanding from code to organizational management

Recent major cryptocurrency attacks show that hacking groups are shifting their focus from solely exploiting smart contract vulnerabilities to social engineering, phishing, and endpoint device intrusions. Exchanges, cross-chain bridges, DeFi protocols, and Web3 infrastructure have all become primary targets.

The Humanity Protocol incident serves as a reminder that project security now encompasses multiple layers, including code audits, on-chain protections, private key management, device security, permission separation, and internal operational processes.

As the industry continues to grow, establishing more robust private key custody mechanisms, reducing single points of failure, and enhancing team members’ awareness of phishing threats will become crucial foundations for future Web3 project competitiveness. This also reflects that the security battlefield in the crypto industry is gradually extending from on-chain code to personnel and organizational management layers.
