Security incident exposes a Humanity Foundation member’s credentials, sending the biometric identity project into crisis — and raising deeper questions about insider involvement
Humanity Protocol’s H token crashed more than 80% after attackers stole the private keys behind the project and drained more than $30 million, the latest in a year of crypto thefts that target keys rather than code.
What Happened
On-chain analyst Specter was first to flag the attack, reporting that more than 17 wallets holding H had been drained. Early losses topped $5 million before reportedly rising to more than $30 million. Blockchain monitoring platform Lookonchain confirmed the scale of the damage as it unfolded in real time.
The stolen tokens were quickly swapped into Ethereum via decentralized exchanges, accelerating downward pressure on the H token. Compounding the damage, the attacker minted an additional 100 million H tokens on the BNB Chain, valued at roughly $11 million at the time, intensifying the selloff and deepening the price collapse.
According to blockchain analytics platform Lookonchain, the attacker continued minting H tokens after the exploit, first creating 100 million H tokens on BNB Smart Chain before minting another 100 million.
H fell from about $0.67 to near $0.13 and briefly touched $0.05 — an intraday drop of about 90%.
The Humanity Protocol has been exploited for more than $30 million (Source: Lookonchain)
Founder Confirms the Breach
Founder Terence Kwok confirmed that the breach stemmed from compromised private keys belonging to a Humanity Foundation member, not a flaw in the protocol’s smart contracts. The team issued an urgent advisory instructing users to halt all interactions with its bridge and liquidity pools while mitigation efforts continue.
In a public statement on X, Kwok wrote: “We’ve detected a security incident involving the compromise of private keys belonging to a member of the Humanity Foundation. As a precaution, please do not interact with the bridge or any liquidity pools until we confirm it’s safe. We’re already working with security experts.”
Security firm Blockaid reported that the attacker had taken control of the H token’s proxy administrator on BSC Chain, which gave them the ability to mint new tokens — a power that raised immediate concerns among investors, as unauthorized supply increases can significantly impact market confidence and token economics.
Humanity Protocol founder Terence Kwok Confirms the Hack
What Is Humanity Protocol
Humanity Protocol launched in 2024 as a decentralized digital identity network built around palm biometrics and zero-knowledge proofs. The project was designed to verify real human users and filter out bots and fake accounts, and that pitch helped draw serious institutional attention. The project raised $50 million across two funding rounds backed by Pantera Capital, Jump Crypto, Animoca Brands, and Blockchain.com, and it reached a reported valuation of $1.1 billion.
The project had positioned itself as a direct rival to Sam Altman’s Worldcoin, allowing users to prove their humanity without disclosing personal data — a pitch that gained momentum as concerns about AI-generated bots proliferated across the internet. Its June 2025 token launch was followed by controversy, however, with reports citing internal conversations suggesting that only around 1 million of the 9 million registered identities had completed biometric verification.
The Unlock Pressure Ahead
The timing of the hack adds another layer of concern. Data shows a larger batch of about 266 million H, worth around $28 million, is set to unlock on June 25 across six allocations that include the foundation treasury and a strategic reserve. With the token already decimated, the prospect of additional supply hitting the market has raised alarm among remaining holders.
ZachXBT Questions the Official Story
The team’s account has not gone unchallenged. Prominent on-chain sleuth ZachXBT said he does not trust the team’s explanation and raised suspicions that the incident may have been staged. “Unsure whether it’s a theft or MM (market maker),” ZachXBT wrote. “I am not buying the team’s story; it’s a convenient way for the active MM to have exited.”
ZachXBT’s post was blunt: the team chose to pump their token for weeks with zero fundamentals and now expects Crypto Twitter to blindly trust their story. He demanded the team disclose their active market maker agreements with a Hong Kong entity before asking for community trust.
ZachXBT also pointed out that three out of the four project leaders have a dubious past — facing lawsuits, financial fraud, and ineffective management. The project has not yet responded to those specific allegations.
Part of a Broader 2026 Trend
The Humanity Protocol incident is far from isolated. The hack fits the dominant pattern of 2026, in which the biggest losses have come from stolen keys rather than flawed code. Solana exchange Drift lost about $285 million in April after attackers seized an administrative key, and Kelp DAO lost roughly $292 million the same month through a single-validator bridge.
These attacks bypass protocol-level security and instead exploit operational weaknesses, often resulting in faster and more damaging outcomes. The event is likely to intensify scrutiny on key custody practices, particularly for projects promoting decentralization while maintaining centralized control points.
What Users Should Do
Humanity Protocol has urged all users to avoid interacting with its bridge or liquidity pools until the team issues an all-clear. The project has also warned users to rely only on official communication channels and remain alert to potential scams and impersonation attempts that often emerge following major security incidents.
The H token is down 89% in the past 24 hours, according to CoinGecko data. On-chain analysts continue tracking the attacker’s wallets, though recovery of funds appears unlikely at this stage. The full picture of what happened — whether an external breach or something more deliberate — remains under investigation.
