Humanity Protocol, the palm-scan biometric identity project positioned as a rival to Sam Altman’s Worldcoin, lost more than $32 million on June 9, 2026, after attackers drained 17 foundation wallets, swapped the stolen H tokens for ETH, and then minted an additional 100 million H tokens on BNB Chain. The H token fell from $0.67 to a low of $0.05 intraday, a collapse of more than 90%, before stabilizing around $0.12 to $0.13. Market capitalization dropped from roughly $1.3 billion to approximately $225 million in hours. Trading volume surged to over $600 million as panic selling dominated every venue where H was listed.
The team attributed the incident to compromised private keys belonging to a member of the Humanity Foundation. Founder Terence Kwok confirmed this publicly on X and said the team was working with security experts and exchange partners. What the team did not explain: how a single foundation member’s keys gave an attacker the ability to drain 17 separate wallets, mint 100 million new tokens on BNB Chain, and take over the H token’s proxy administrator contract. On-chain investigator ZachXBT has called the incident “possibly staged” and suggested the team colluded with a market maker. He also noted that three of the four project leaders have histories involving lawsuits, financial fraud, and management failures. The question of whether this was an external attack or an inside job has not been resolved.
How It Happened
The attack began early Tuesday morning UTC. On-chain analyst Specter was the first to flag suspicious wallet activity, reporting that addresses which had interacted with Humanity Protocol were being continuously targeted. Within minutes, PeckShieldAlert confirmed active wallet compromises across the ecosystem. The initial losses appeared to be around $5 million before the full scale became clear.
The mechanics of the attack went in two distinct phases. Phase one: the attacker used compromised private keys to directly access and drain at least 17 wallets associated with the Humanity Foundation, converting stolen H tokens into ETH through decentralized exchanges. Of the $32 million total, $23.7 million was swapped into ETH and approximately $7.9 million remained in H tokens at the time of reporting. Because the attacker was simultaneously dumping H into the market, every swap suppressed the token price further, creating a self-reinforcing collapse.
Phase two was more alarming. Security firm Blockaid reported that the attacker had taken control of the H token’s proxy administrator contract on BNB Chain. This gave them the ability to mint new H tokens from nothing. They minted 100 million H tokens, worth approximately $11 to $12.9 million at the time, and transferred them to a fresh wallet. Proxy administrator access is not obtained from a single employee’s private key under any standard security architecture. Gaining proxy admin control requires access to the contract’s upgrade authority, which is a separate and more privileged key than the wallet keys that were supposedly compromised. This is the detail that made ZachXBT’s “possibly staged” assessment credible to the on-chain security community.
How the Humanity Protocol Hack Unfolded
June 9, 2026 · UTC timeline | Sources: Specter, PeckShieldAlert, Blockaid, Lookonchain | @cryptonewsbytes
~04:30 UTC · On-chain analyst Specter
First alert: wallets draining
Specter flags continuous wallet compromise. Pattern suggests shared exposure to Humanity Protocol. Initial estimate: $5M+.
Phase 1: 17 wallets drained, H dumped for ETH
$32M exits via DEX swaps, H token collapses
Attacker uses compromised keys to drain 17 foundation wallets. $23.7M converted to ETH, $7.9M remains in H. Simultaneous selling drives H from $0.67 toward $0.13.
Phase 2: Proxy admin takeover on BNB Chain
100M H minted from nothing, transferred to fresh wallet
Blockaid confirms attacker took control of H token proxy admin on BSC. Mints 100M H (~$11-12.9M). Mint tx: 0x5a8f82f1064a7846ab3eb77bd1d36ec52dfd773c3957ad0aeea28da95fe9c5fb. H touches intraday low of $0.05.
~06:00 UTC · Terence Kwok
Founder confirms on X: private keys of foundation member compromised
Team urges users to avoid the cross-chain bridge and liquidity pools. States it is working with security experts and exchange partners. No compensation plan announced.
~08:00 UTC · ZachXBT
ZachXBT calls the incident “possibly staged”
On-chain investigator flags discrepancies, suggests team colluded with market maker, notes 3 of 4 project leaders have records of lawsuits, financial fraud, and mismanagement.
Sources: CoinDesk, The Block, BeInCrypto, CryptoTimes, Blockaid, Specter, ZachXBT | @cryptonewsbytes
How the Attack Unfolded: Two-Phase Exploit
June 9, 2026 · Sources: Specter, PeckShieldAlert, Blockaid, Lookonchain, ZachXBT | @cryptonewsbytes
Attacker
Origin unknown
Foundation member’s private key stolen
Direct wallet access and no code exploit
Phase 1 and Drain and Dump
17 foundation wallets drained
$32M total extracted
$23.7M swapped to ETH
via DEX and dumps H price live
$7.9M remains in H
Ongoing sell pressure
Phase 2 and Proxy Admin Takeover (BNB Chain)
Proxy admin control seized on BNB Chain
Separate privilege and not explained by one stolen key
100 million new H tokens minted
~$11-12.9M · Mint tx: 0x5a8f82f1…fe9c5fb
H token: $0.85 → $0.05 intraday (-94%)
Stabilised ~$0.13 · Market cap $1.3B → $225M · Volume $600M+
ZachXBT:
“possibly staged”
Not financial advice. Sources: CoinDesk, The Block, BeInCrypto, CryptoTimes, Blockaid, Specter, Lookonchain | @cryptonewsbytes
The Impact
The H token was at approximately $0.67 to $0.85 before the incident. It fell to a low of $0.05 intraday and stabilized around $0.12 to $0.13 as of the time of writing, representing a loss of approximately 82 to 83% on the 24-hour period and a collapse of roughly 90% from the recent high of $0.84 to $0.85. The market capitalization fell from approximately $1.3 billion pre-incident to around $225 million. Trading volume surged to over $600 million in 24 hours, almost entirely driven by panic selling, not buying.
The timing made the collapse especially painful for recent buyers. In the days before the hack, H had surged nearly 875% above its yearly low, meaning a large number of investors had entered the token at elevated prices in the days immediately before the collapse. Those holders have been almost entirely wiped out. The 100 million H tokens minted on BNB Chain remain a source of ongoing selling pressure: that supply is worth approximately $12 to $13 million at current prices and has not yet fully hit the market.
A secondary concern is the June 25 token unlock. On-chain data shows approximately 266 million H tokens worth around $28 million at pre-hack prices are scheduled to unlock across six allocations including the foundation treasury and a strategic reserve. At current depressed prices those tokens are worth considerably less, but the unlock date creates a hard deadline for any recovery narrative. If the team has not demonstrated meaningful progress by June 25, the unlock will add further sell pressure to a token already trading 90% below its recent high.
H Token Price Collapse: $0.85 to $0.05 in Hours
June 9, 2026 · Intraday | Sources: CoinDesk, Cryip, The Block | @cryptonewsbytes
Watch: June 25 unlock
266 million H tokens ($28M at pre-hack prices) unlock across 6 allocations including foundation treasury and strategic reserve. At $0.13 that is now worth ~$35M. Adds significant sell pressure if confidence does not recover.
Not financial advice. Sources: CoinDesk, Cryip, The Block, DropsTab | @cryptonewsbytes
ZachXBT Says “Possibly Staged”: Here Is Why That Is Credible
ZachXBT is the on-chain investigator whose track record includes identifying the Lazarus Group connection to multiple billion-dollar DeFi hacks before law enforcement confirmed it. When he calls an incident “possibly staged,” it is not speculation for engagement. It is a specific technical and behavioral assessment. His reasoning in this case rests on several points.
First, the proxy admin access. A single foundation member’s compromised private key should not grant proxy admin control over the BNB Chain H token contract. These are separate privileges in any properly structured token architecture. The attacker’s ability to mint 100 million new H tokens suggests either extraordinarily poor key management where a single key controlled multiple critical functions, or insider knowledge of which keys to target and what those keys could authorize.
Second, the team background. ZachXBT noted that three of the four project leaders have documented histories of lawsuits, financial fraud, and ineffective management. HTX and Foresight News reporting adds that Humanity Protocol had previously faced controversy: reports suggesting only around 1 million of 9 million registered identities had completed biometric verification, indicating 88% of user registrations may have been bots or incomplete. The project denied this but never fully addressed it. For a project already carrying this level of reputational baggage, the timing of a hack that wiped out nearly all recent gains immediately after a near-9x pump from yearly lows raises legitimate questions about whether holders were positioned to absorb or benefit from the collapse.
Third, the response. The team confirmed the hack relatively quickly but provided no technical details about how a single key granted multi-contract access, offered no compensation framework, and did not immediately freeze the token or seek emergency exchange suspensions as most credible projects do in the first hour of a confirmed exploit. CryptoTimes notes the team also suggested it was working with a market maker, which ZachXBT flagged as a potential vector for coordinated selling.
Official vs ZachXBT: The Two Narratives
Team’s narrative
External attacker compromised one foundation member’s private key
17 wallets drained as a result
Working with security experts and exchanges
No comment on proxy admin access
ZachXBT’s assessment
Possibly staged or insider job
Team may have colluded with market maker
3 of 4 leaders have fraud/lawsuit histories
Proxy admin access inconsistent with single-key story
Neither narrative is conclusively proven. CryptoNewsBytes presents both. | @cryptonewsbytes
The 2026 Private Key Pattern: Third Major Attack in Two Months
CoinDesk’s reporting notes this explicitly: the Humanity Protocol hack fits the dominant pattern of 2026, in which the biggest losses have come from stolen keys rather than flawed code. DeFi hack losses surpassed $1 billion in the first four months of 2026 alone, with key management failures driving a disproportionate share of that damage. The Drift Protocol attack in April 2026 cost approximately $285 to $286 million. The Kelp DAO attack the same month cost approximately $292 to $294 million through a single-validator bridge compromise. Humanity Protocol adds another $32 million to that tally in June.
The pattern across all three is the same: attackers are not breaking smart contracts. They are obtaining the keys that control them. In the Drift and Kelp cases, the keys were obtained through long-form social engineering, conference infiltration, and trust-building over months, tactics attributed to the Lazarus Group. In the Humanity case, whether the key was obtained externally or was already known to someone inside the project is the open question.
The implication for the industry is one we have written about repeatedly this year: formal security audits of smart contract code are necessary but not sufficient. The Radiant Capital hack, which we covered in depth, involved no smart contract vulnerability at all. The Lazarus Group exploited the human layer. The Flooring Protocol exploit we covered yesterday exploited a code vulnerability hidden from auditors through gas optimization. And now Humanity Protocol shows a third attack surface: administrative key management, where the keys that control token minting and proxy contracts are not secured with the same rigor as the contracts themselves.
2026 Key-Based Hacks: The Pattern in Three Charts
All three attacks targeted keys, not code | Sources: CoinDesk, KuCoin, CNB coverage | @cryptonewsbytes
Amount stolen (USD)
Attack method: keys vs code
4 of 4
2026 major hacks: keys compromised, not code exploited
$0
Recovered across all key-based hacks in 2026
$1B+
DeFi losses in first 4 months of 2026 alone
Sources: CoinDesk, KuCoin, CryptoNewsBytes Radiant Capital coverage | @cryptonewsbytes
Frequently Asked Questions
Is my H token safe and should I use the bridge?
The Humanity Protocol team has explicitly urged users to avoid the cross-chain bridge and all liquidity pools until the security situation is confirmed as contained. This warning should be taken seriously. The attacker still holds approximately $7.9 million in H tokens and 100 million newly minted H on BNB Chain, representing ongoing sell pressure and potential further attack capability. Do not interact with the bridge or add liquidity to any Humanity Protocol pool until the team issues a confirmed all-clear with technical details.
What is Humanity Protocol and why does it matter beyond the hack?
Humanity Protocol is a decentralized identity project that uses palm-scan biometrics and zero-knowledge cryptography to allow people to prove they are human without revealing personal data. It raised $50 million from 27 investors and positioned itself as the primary alternative to Worldcoin. The project had signed up millions of users but faced persistent questions about whether the majority were genuine human verifications or bot registrations, with some reports suggesting 88% of registrations were incomplete or automated. The hack, whether external or internal, has severely damaged the trust foundation that a biometric identity project depends on more than any other category of crypto project.
What does “proxy admin takeover” mean and why is it so serious?
An upgradeable token contract uses a proxy architecture where the logic can be changed by whoever holds the proxy admin key. This is different from the wallet keys that hold tokens. If an attacker takes proxy admin control, they can not only drain existing funds but also change the contract’s rules, mint unlimited new tokens, and modify how the token behaves entirely. It is equivalent to having the master key to the building rather than just one room. The fact that the Humanity Protocol attacker obtained proxy admin access, not just wallet keys, is what makes the team’s “one foundation member’s key was compromised” explanation technically insufficient and why ZachXBT’s assessment has been taken seriously by the security community.
Further Reading on CryptoNewsBytes
The most complete case study in 2026 of what happens when key security fails. Lazarus Group used social engineering to compromise hardware wallets. Radiant lost $50M and wound down 18 months later. Sound familiar?
Yesterday’s exploit also involved code that evaded auditors. A white-hat rescue saved the NFTs. Humanity Protocol has no equivalent rescue mechanism when the attacker controls the proxy admin.
The contrast case. A white-hat researcher used AI to find a vulnerability before attackers did. Humanity Protocol’s 100M token mint shows what the malicious version of that looks like.
This article is for informational purposes only. Sources: CoinDesk, The Block, BeInCrypto, CryptoTimes (ZachXBT), KuCoin, Blockaid, Specter, Lookonchain, PeckShieldAlert, DropsTab. Published June 9, 2026.
