GoPlus Security Analyzes $30M Humanity Protocol Exploit

Humanity Protocol has been hit by an exploit today, June 9, 2026, and the attackers have managed to steal more than $30 million in tokens after compromising a Humanity Foundation member’s private keys. The protocol’s H token has plunged because of this exploit and dropped down to almost 90% in the last 24-hours.

This incident has shaken confidence in the identity verification project, which had seen its token surge nearly 400% earlier this week to a $1 billion valuation before the crash took place.

What Happened: Private Keys Compromised

Humanity Protocol issued an official statement on social media platform X where the post stated that private keys belonging to a member of the Humanity Foundation were compromised. The team then urged users to avoid interacting with the protocol’s bridge or liquidity pools till the time the situation is brought under control.

“We’re deeply sorry that this has happened. Protecting this community is our responsibility,” the team wrote in its official post.

Humanity Protocol said that it is working with security experts and exchange partners to assess the damage and secure affected systems. All official updates will come only from Humanity Protocol’s main account or from CEO Terrence Kwok, with warnings about scammers trying to exploit the situation.

How the Attack Worked

Security firm GoPlus Security detailed the attack mechanism in a 7-part thread, where it explained as to how the exploit took place.

1. Multisig wallet compromised: Attackers stole signatures from 3 owners of a 3/5 Safe multisig wallet controlling Humanity Protocol’s ProxyAdmin for $H contract.
2. Owner rights hijacked: The attacker changed the ProxyAdmin owner to their own address, gaining full control over the $H proxy contract.
3. Contract upgraded: Using those privileges, the attacker upgraded the $H proxy to a new attack contract they had deployed.
4. Tokens minted: The attacker called the mint function and created 100 million new $H tokens, then swapped them for $BNB in multiple batches.
5. Attack ongoing: About two hours after the first mint, the attacker then minted another 100 million $H tokens. GoPlus said the attack is still continuing.

Initial reports estimated losses around $20 million but on-chain trackers later revised the figure to over $30 million as more wallets were drained.

Token Price Plummets, Volume Surges

Following the hack, the $H token dropped more than 90% within hours. At press time, the price of the token stands at $0.1416 with a drop of 79.65% in the last 24-hours as per CoinMarketCap.

The token had just reached an all-time high near $0.8534 on June 2, which was just a few days ago. Daily trading volume surged above $605 million during the sell-off, while the market cap fell to about $222 million.

More than 17 wallets holding H tokens were emptied, with the number of compromised addresses growing into the hundreds.

Community Skepticism and “Crime Pump” Allegations

The breach drew sharp criticism from prominent blockchain sleuth ZachXBT, who questioned Humanity Protocol’s recent token behaviour.

“You choose to crime pump your token for weeks with zero fundamentals and think CT will blindly trust your story?” ZachXBT wrote on X. He demanded disclosure of any active market maker agreements with a Hong Kong entity.

However, ZachXBT later updated that his analysis suggests the laundering activity and the private key compromise are separate incidents, not directly linked. He noted it would be “kind of funny if the team was pumping the token for weeks only to have gotten rekt shortly before the upcoming unlock later this month”.

The hack came at the worst possible time for Humanity Protocol, just when the project was gaining huge attention. Now people are questioning its security, wallet setup, and insider partnerships. The team now needs to fix the issue fast and win back community trust.