Humanity’s $36 million exploit tied to compromised laptop hosting a ‘multisig’ wallet

Humanity Protocol explained how attackers were able to steal more than $36 million of its H token, and the cause was a serious lapse in how it secured its keys.

In an incident update shared with CoinDesk, the decentralized identity project said the breach started when an employee’s laptop was compromised. The machine held several keys that controlled the project’s token bridges, the tools that move H (and other tokens) between blockchains.

Those bridges ran through multisignature wallets, which require a number of separate keys to approve any change. A multisignature wallet is supposed to spread keys across different people and devices so that no single machine can move funds.

In this case, all the keys were stored on a single device, meaning a compromise allowed the exploier to cross the approval threshold on both chains, Humanity said.

The attacker obtained three of the six keys controlling the bridge’s admin account on Ethereum, enough to seize controls linked to the project’s deployment on the network.

The attacker then transferred ownership to their own wallet, swapped the bridge’s code for a malicious version and drained about 141 million H in one transaction.

In a Telegram message to CoinDesk, Humanity founder Terence Kwok said the team had set up a multisig wallet across four individuals (as it should have).

Humanity suspects that “some of the keys were accidentally backed up to a compromised device during setup,” Kwok said. “We use a licensed custodian for the majority of token treasury, mpc for operations treasury, and for certain contracts multisig keys were set up in one place and then dispersed.

“Unfortunately in this scenario, the keys were backed up on a compromised device,” he said.

The attacker executed similar steps on BNB Chain with three of five keys. This time, installing code with an unlimited mint function, which allowed the creation of tokens at will, and minted about 200 million new H straight to their wallet.

Humanity has since removed the team page from its website. The project said it has halted deposits and withdrawals on the affected bridges and is working with exchanges and the police to recover funds.

Humanity raised $20 million from Pantera Capital and Jump Crypto last year at a $1.1 billion valuation.

ZachXBT, a prominent onchain investigator, said the key compromise and a separate round of suspicious market-making in the token were not connected.

He also raised questions about how the token traded in the weeks before the breach, ahead of a large scheduled token unlock, as H token prices shot up from 20 cents to 70 cents within two weeks.

The token has clawed back some of the lost ground. After falling as low as about 5 cents during the attack, it recovered to around 20 cents, according to CoinGecko data. It remains well below the roughly pre-breach level of 67 cents.