DPRK-linked attacker phished a director via email, installed remote-access malware, stole 7 multisig keys from one compromised laptop, seized ProxyAdmin on both chains, upgraded the bridge to a malicious contract, and drained 141M H on Ethereum and 122B+ H on BSC.
On June 9, 2026, a DPRK-linked attacker phished director Chong Yee Wai via an email impersonating a Korean exchange, installed remote-access malware (hncagent.exe signed with a Hancom certificate), and stole 7 multisig keys from one compromised laptop (3-of-6 ETH Safe, 3-of-5 BSC Safe). The attacker seized the ProxyAdmin on both chains, upgraded the bridge to a malicious contract, drained 141M H on Ethereum, and minted 122B+ H on BSC. The attacker sold the tokens on Uniswap and PancakeSwap, crashing the H price 89%. There was no timelock on the ProxyAdmin. Humanity Protocol was backed by Pantera and Jump Crypto.
Drained H tokens sold on Uniswap (Ethereum) and PancakeSwap (BSC), crashing the H price 89%. No recovery reported at time of writing.
N/A