 INVESTIGATION SUMMARY 

Compromise of the Humanity Protocol $H token, 8 June 2026 

Date: 11 June 2026 

Prepared for: Humanity Protocol 

Prepared by: Quantstamp, Inc. — Incident Response 

Re: Compromise of the Humanity Protocol $H token, 8 June 2026 (Ethereum and BSC) 

Status: May be updated as the investigation continues. 

1. Engagement 

Humanity Protocol engaged Quantstamp on 8 June 2026 after the $H token was minted and sold without authorization on Ethereum and BNB Smart Chain (BSC). We reconstructed the on-chain activity and examined the two devices belonging to Mr Chong Yee Wai, a director of the issuer, whose keys the attacker stole and used. This is our summary of findings to date. 

2. What happened on-chain 

The attacker ran a coordinated operation across both chains on 8 June 2026. Everything below is on-chain and verifiable by transaction hash. 

● Ethereum: using Mr Chong's stolen account key (0xe943dbD064Ec283bDc95c39FaEE6184E9D26d026), the attacker replaced the implementation of a Hyperlane warp-route proxy and moved about 141.18 million $H to 0xd1ea823d421e0c829ee11f772af487fd352678ea. 

● BSC: using his three stolen Safe signer keys, the attacker took ownership of a ProxyAdmin contract (0xd73cd1117646625ffe23a55860035ac62fa8720d) via Safe transaction 0xb5cb1f2e0e246fcdde9ddaa7f36037341948158f4c4a0c3ec6fea121cbf0194b, then minted about 100 million new $H to a new address (0x6Aa22CB8420E94Fc2119364b4c7885710aE753bB). 

● The attacker sold the $H on Uniswap and PancakeSwap over roughly eight hours for ETH and BNB, crashing the open-market $H price by about 89% and hitting liquidity providers and remaining holders. 

● Proceeds at known attacker addresses already exceed USD 21 million in ETH; BNB proceeds are still being tallied. 

The Ethereum account and BSC Safe are Humanity Protocol's own assets, used by the attacker with stolen keys — as were roughly 150 operational $H wallets and the wallet that funded their gas, all of which the attacker drained (see Section 4). 
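A defender-side check for the three privileged actions described in this section (implementation change, ProxyAdmin ownership change, large mint), added here as an example and not part of Quantstamp's report. It assumes the proxy emits the standard `Upgraded(address)` event, the ProxyAdmin emits `OwnershipTransferred(address,address)`, mints appear as `Transfer` from the zero address, and the token has 18 decimals; every address and log record is constructed.

```python
# topic0 values for the standard events (keccak-256 of the event signature).
UPGRADED = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"
OWNERSHIP_TRANSFERRED = "0x8be0079c531659141344cd1fd0a4f28419497f9722a3daafe3b4186f6b6457e0"
TRANSFER = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"
ZERO = "0x" + "0" * 40

def addr(topic):
    """An indexed address is a 32-byte topic; the address is its low 20 bytes."""
    return "0x" + topic[-40:].lower()

def pad(address):
    """Inverse of addr(): left-pad an address to a 32-byte topic."""
    return "0x" + "0" * 24 + address[2:].lower()

def review(log, watched, approved_owners, mint_limit):
    """Return an alert for a privileged change on a watched contract, else None."""
    if log["address"].lower() not in watched:
        return None
    topics = log["topics"]
    if topics[0] == UPGRADED:                                  # match against change tickets
        return ("implementation-changed", addr(topics[1]))
    if topics[0] == OWNERSHIP_TRANSFERRED and addr(topics[2]) not in approved_owners:
        return ("owner-not-approved", addr(topics[2]))
    if topics[0] == TRANSFER and addr(topics[1]) == ZERO:      # mint: from == 0x0
        if int(log["data"], 16) > mint_limit:
            return ("large-mint", addr(topics[2]))
    return None

# Constructed addresses and logs in eth_getLogs shape; none are from the incident.
PROXY, ADMIN, TOKEN = ("0x" + c * 40 for c in "123")
SAFE, NEW = "0x" + "4" * 40, "0x" + "5" * 40
MINT_LIMIT = 1_000_000 * 10**18          # assumes 18 decimals
SAMPLE_LOGS = [
    {"address": PROXY, "topics": [UPGRADED, pad(NEW)], "data": "0x"},
    {"address": ADMIN, "topics": [OWNERSHIP_TRANSFERRED, pad(SAFE), pad(NEW)], "data": "0x"},
    {"address": TOKEN, "topics": [TRANSFER, pad(ZERO), pad(NEW)], "data": hex(100_000_000 * 10**18)},
    {"address": TOKEN, "topics": [TRANSFER, pad(SAFE), pad(NEW)], "data": hex(5 * 10**18)},
]

def alerts(logs=SAMPLE_LOGS):
    """Run review() over a batch of logs and keep the alerts."""
    found = (review(l, {PROXY, ADMIN, TOKEN}, {SAFE}, MINT_LIMIT) for l in logs)
    return [a for a in found if a]

if __name__ == "__main__":
    for kind, address in alerts():
        print(kind, address)
```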

3. How the attacker got in 

The attacker phished Mr Chong, installed remote-access malware on his Windows machine, and stole the keys used on-chain. Mr Chong has confirmed the user actions below. 

3.1 The phishing email 

Mr Chong received an email impersonating the Korean exchange Bithumb about a circulating-supply lockup schedule, with a malicious attachment, Bithumb_Circulating_Supply_Lockup_Schedule.zip. The link pointed to an attacker-controlled host (celuweb.com). 



Believing it was genuine, Mr Chong clicked the link and downloaded the attachment on 2026-06-05 02:00 UTC. He filled out the spreadsheet, replied to the email, and cc’d his colleague Terence Kwok, who independently received the same phishing mail. 



The underlying link to the documents was different for Yee and Terence, a common technique threat actors use to distinguish between infections: 

- Yee: https://go.skimresources[.]com/?id=71026X1587439&isjs=1&jv=15.4.2-stackpath&url=https%3A%2F%2Fceluweb.com%2Fwp-includes%2Fjs%2Fcommon%2Finc%2F%3FtPJJpfBGwYVraw=9TGx5xfaKrktAj7DsKCILSzcqTqw7HUiq8dFc2VtDv3aZt_AABcBK1ZxijlmkcF385FohXGTg5MpTEnSbvqQHcuG9i8pMS6n 

- Terence: https://go.skimresources[.]com/?id=71026X1587439&isjs=1&jv=15.4.2-stackpath&url=https%3A%2F%2Fceluweb.com%2Fwp-includes%2Fjs%2Fcommon%2Finc%2F%3FePhlLYmqIQpDd=4L2ro9T2P7fLN0bOlVi9KrbCnQg3YrnXs1MV2KVeSsuH1K9k70RzpnBlrD2GLRdz0Wb405A9Cex1AdRtF0TtXREszQ 
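The per-recipient difference shown above can be used during triage to group wrapped links from mail-gateway logs into one campaign and count how many distinct recipient tokens were issued. This is an added example, not part of Quantstamp's report; the hosts, id, tokens and mailbox names are constructed placeholders that only mirror the shape of the two links.

```python
from collections import defaultdict
from urllib.parse import parse_qs, parse_qsl, urlsplit

def unwrap(link):
    """Return (campaign, token) for a redirector-wrapped link, or None."""
    outer = urlsplit(link.replace("[.]", "."))       # refang before parsing
    params = parse_qs(outer.query)                   # values come back percent-decoded
    if "url" not in params:
        return None                                  # not a wrapped link
    inner = urlsplit(params["url"][0])
    pairs = parse_qsl(inner.query, keep_blank_values=True)
    # Both the parameter name and its value vary per recipient, so keep the pair.
    token = pairs[0] if pairs else ("", "")
    campaign = (outer.hostname, params.get("id", [""])[0], inner.hostname, inner.path)
    return campaign, token

def cluster(records):
    """Map campaign -> token -> set of mailboxes that received that token."""
    groups = defaultdict(lambda: defaultdict(set))
    for mailbox, link in records:
        parsed = unwrap(link)
        if parsed:
            campaign, token = parsed
            groups[campaign][token].add(mailbox)
    return groups

def shared_tokens(groups):
    """Tokens seen in more than one mailbox: a forwarded copy, not a new target."""
    return {tok: boxes for toks in groups.values()
            for tok, boxes in toks.items() if len(boxes) > 1}

# Constructed mail-gateway records: hosts, ids and tokens are placeholders.
BASE = ("https://go.redirector[.]example/?id=00000X0000000&isjs=1&url="
        "https%3A%2F%2Flanding.example%2Fwp-includes%2Fjs%2Fcommon%2Finc%2F%3F")
SAMPLE = [
    ("director@corp.example", BASE + "kAaaa=TOKEN-ONE"),
    ("colleague@corp.example", BASE + "kBbbb=TOKEN-TWO"),
    ("assistant@corp.example", BASE + "kAaaa=TOKEN-ONE"),   # forwarded copy
]

if __name__ == "__main__":
    for campaign, tokens in cluster(SAMPLE).items():
        print(campaign, "distinct tokens:", len(tokens))
        for token, boxes in tokens.items():
            print("  ", token, sorted(boxes))
```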

3.2 The loader and remote access 

The attachment delivered hncagent.exe, a first-stage loader signed with a South Korean Hancom certificate — a pattern characteristic of DPRK intrusions. 

● C:\Users\GuestUser\Downloads\SETALLBROWSERINFO_260209.EXE executed 8 times between 2026-06-07 17:47 UTC and 2026-06-08 15:16 UTC; it installed malware that gave the attacker full remote-desktop control of the host. 

● To support and hide that access, the attacker installed Stas'm RDP Wrapper and two binaries posing as Microsoft Defender's Network Inspection Service (nissrvs.exe, nissrvsu.exe), and created a hidden GuestUser profile at 2026-06-07 16:56 UTC. 

● Neither Sophos nor Windows Defender on the host detected any of it. 
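One way to hunt for binaries posing as the Network Inspection Service, as described above, is to compare process image names against the genuine name and its install directories. This is an added example, not part of Quantstamp's report; it assumes the genuine NisSrv.exe runs only from the usual Defender directories, and the sample paths are constructed because the report gives file names but not locations.

```python
import ntpath

# Genuine Network Inspection Service binary and the directories it normally runs from.
PROTECTED = {
    "nissrv.exe": (
        "c:\\program files\\windows defender\\",
        "c:\\programdata\\microsoft\\windows defender\\platform\\",
    ),
}

def edit_distance(a, b):
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_image(path, max_distance=2):
    """Classify one process image path against the protected names."""
    low = path.lower()
    name = ntpath.basename(low)
    for real, dirs in PROTECTED.items():
        if name == real:
            return ("ok" if low.startswith(dirs) else "wrong-directory", real)
        if edit_distance(name, real) <= max_distance:
            return ("lookalike-name", real)
    return ("unrelated", None)

def triage(image_paths):
    """Keep only the paths that need an analyst's attention."""
    results = [(p, *check_image(p)) for p in image_paths]
    return [r for r in results if r[1] not in ("ok", "unrelated")]

# Constructed process-creation records; directories and version are placeholders.
SAMPLE = [
    r"C:\ProgramData\Microsoft\Windows Defender\Platform\0.0.0.0-placeholder\NisSrv.exe",
    r"C:\Users\Public\nissrvs.exe",
    r"C:\Users\Public\nissrvsu.exe",
    r"C:\Users\Public\NisSrv.exe",
    r"C:\Windows\System32\svchost.exe",
]

if __name__ == "__main__":
    for path, verdict, real in triage(SAMPLE):
        print(f"{verdict:16} {path} (imitates {real})")
```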

3.3 Key theft and use 

With this access the attacker copied Mr Chong's MetaMask wallet (the Chrome extension store and its encryption key) and the private keys on the host, then used them on 8 June to run the on-chain attack. Mr Chong's Mac was closed and asleep when the BSC transaction was broadcast and played no part in it. 

3.4 Timeline 

2026-06-05 02:00 UTC — Mr Chong clicked the link and downloaded the Bithumb attachment. 

interim — hncagent.exe ran; remote-access malware installed. 

2026-06-07 16:56 UTC — GuestUser profile created; attacker had remote-desktop access. 

2026-06-08 (~8 hours) — on-chain attack: contract upgrades, mint, and sale of $H on both chains. 

4. What was drained, and where it went 

The keys on Mr Chong's device controlled Humanity Protocol's on-chain operations — the Ethereum account and the three BSC Safe signer keys described above, together with roughly 150 operational wallets holding $H and a central wallet that supplied them with gas. These had been funded over the preceding months from Humanity's own exchange accounts. Using the stolen keys, the attacker drained all of them. 

On 8 June the attacker funnelled the drained assets into a small set of newly created wallets, sold the $H into Uniswap and PancakeSwap liquidity for ETH and BNB, and consolidated the proceeds. Those wallets currently hold over USD 21 million in ETH; tracing of the BSC-side proceeds 


Attacker wallets (created 8 June 2026), currently holding proceeds: