Humanity Protocol Says North Korean Hackers Behind H Token Breach

Humanity Protocol said a North Korea-linked hacking group was responsible for a recent major security breach that led to a collapse in its token price. The attackers used a sophisticated phishing campaign to seize critical access rights and then dumped a large volume of tokens on the market.

In a post on its official X account on June 13, Humanity Protocol said an independent investigation by blockchain security firm Quantstamp found that the attackers in the June 8 H token breach used tools and tactics characteristic of North Korean hackers.

The hackers sent a phishing email impersonating South Korean crypto exchange Bithumb to a Humanity Protocol executive. After the executive opened a malicious attachment, a signed first-stage loader installed remote-control malware. The attackers then bypassed endpoint security and gained full remote desktop access to the device.

Quantstamp, which conducted the security audit, said indicators including a malicious loader carrying a Hancom signature, the use of a specific remote desktop wrapper, a binary disguised as Microsoft Defender's Network Inspection Service and a hidden guest user profile all matched intrusion patterns typically associated with North Korean hacking groups.

Using wallet data and private keys taken from the compromised device, the attackers quickly moved on-chain. On Ethereum, they upgraded a smart contract and siphoned off about 141.18 million H tokens. On BNB Smart Chain, or BSC, they seized contract permissions and minted new tokens without authorization. The stolen and newly minted tokens were sold over about eight hours on decentralized exchanges including Uniswap and PancakeSwap, draining liquidity and sending the price sharply lower.

Humanity Protocol said the H token contract on Ethereum has been safely frozen through a multisignature wallet outside the hackers' control. On BSC, however, the attackers still retain administrator privileges and can mint additional tokens. The project added that it is working with crypto exchanges to contain the fallout and plans to announce a recovery plan for the community through its official channels soon.

After the hack, H token slumped more than 80% from its peak to about $0.05. It has since rebounded more than 50% on strong dip buying and recovered to around $0.3.