Humanity Discloses H Token Dual-Chain Attack Details, With Losses on Ethereum and BSC Exceeding $36 Million

By: WEEX|2026/06/09 20:45:34

On June 9, according to TechFlow, Humanity released a new statement on the H token security incident, saying that attackers carried out a coordinated attack on related contracts across both Ethereum and BSC on the evening of June 8. The total amount stolen and sold across the two chains has now exceeded $36 million.

According to the project team, the incident was caused by the compromise of an employee’s laptop, which led to the leakage of multiple owner keys for the Gnosis Safe that controlled the Hyperlane bridge ProxyAdmin.

Based on Humanity’s disclosed attack path, the attacker first gained control of the ProxyAdmin on Ethereum and upgraded the contract to a malicious implementation. In a single transaction, the attacker then transferred approximately 141.2 million H tokens. After that, the attacker used a similar method on BSC, taking control of the ProxyAdmin, deploying a malicious implementation with unlimited minting functionality, and minting 200 million H tokens in two transactions before continuing to sell them into the market.

Humanity said it has paused deposits and withdrawals for the related cross-chain bridge and is working with exchanges and law enforcement to investigate the incident. The team also said it is attempting to recover part of the stolen assets.

The core issue in this case is not a traditional bridge exploit in the narrow sense. Instead, the incident highlights the failure of administrative permissions supporting the bridge and token management system. In other words, the attacker obtained the key authority needed to upgrade contract logic, rather than simply gaining access to a normal transfer wallet.

Once the ProxyAdmin and multisig control path were compromised, the attacker was able to directly rewrite token logic through contract upgrades. This allowed the attacker to transfer assets, mint new tokens, and then use on-chain liquidity to sell them.
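The upgrade-then-mint sequence described above leaves on-chain events a defender can watch for. The following sketch is an added example, not code from Humanity, Hyperlane or any monitoring vendor. It assumes the bridged token sits behind an ERC-1967 style proxy that emits `Upgraded(address)` and that mints appear as ERC-20 `Transfer` events from the zero address; all addresses, transaction hashes and amounts are constructed.

```python
# Added example: flag unapproved proxy upgrades and oversized mints in event logs.
UPGRADED = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"  # Upgraded(address)
TRANSFER = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"  # Transfer(address,address,uint256)
ZERO_TOPIC = "0x" + "00" * 32

def pad(addr):
    """Encode an address the way it appears as an indexed topic (32 bytes)."""
    return "0x" + addr[2:].lower().rjust(64, "0")

def topic_to_address(topic):
    """An indexed address is left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def scan(logs, watched_proxies, approved_impls, mint_cap):
    """Return alerts for unapproved upgrades and large mints on watched proxies."""
    watched = {a.lower() for a in watched_proxies}
    approved = {a.lower() for a in approved_impls}
    alerts = []
    for log in logs:
        topics = log["topics"]
        if not topics or log["address"].lower() not in watched:
            continue
        if topics[0] == UPGRADED and len(topics) == 2:
            impl = topic_to_address(topics[1])
            if impl not in approved:  # implementation never went through change control
                alerts.append(("UNAPPROVED_UPGRADE", log["txHash"], impl))
        elif topics[0] == TRANSFER and len(topics) == 3 and topics[1] == ZERO_TOPIC:
            amount = int(log["data"], 16)  # mint: tokens created from the zero address
            if amount > mint_cap:
                alerts.append(("LARGE_MINT", log["txHash"], amount))
    return alerts

# Constructed sample data (hypothetical addresses, 18-decimal token assumed).
PROXY, GOOD_IMPL = "0x" + "11" * 20, "0x" + "22" * 20
BAD_IMPL, USER = "0x" + "33" * 20, "0x" + "44" * 20
UNIT = 10 ** 18
SAMPLE_LOGS = [
    {"address": PROXY, "txHash": "0xaa01", "topics": [UPGRADED, pad(GOOD_IMPL)], "data": "0x"},
    {"address": PROXY, "txHash": "0xaa02", "topics": [UPGRADED, pad(BAD_IMPL)], "data": "0x"},
    {"address": PROXY, "txHash": "0xaa03", "topics": [TRANSFER, ZERO_TOPIC, pad(USER)],
     "data": hex(150_000_000 * UNIT)},
    {"address": PROXY, "txHash": "0xaa04", "topics": [TRANSFER, pad(USER), pad(GOOD_IMPL)],
     "data": hex(1 * UNIT)},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS, [PROXY], [GOOD_IMPL], 10_000_000 * UNIT):
        print(alert)
```

An alert on the upgrade event arrives before any mint or transfer that the new implementation enables, which is the window in which a pause can still limit losses.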

Different sources have reported different figures, and some details still require official confirmation. Earlier on-chain monitoring and third-party reports cited losses of more than $19 million, $31 million, and $34 million, with different accounts of the number of affected wallets, minted tokens, and selling activity.

However, based on Humanity’s latest statement, the incident has clearly expanded into a dual-chain coordinated attack involving contract upgrades, malicious minting, and token dumping. The full impact is still being clarified as the investigation continues.


Why It Matters

The market impact of this type of incident lies first in permission risk, rather than a single smart contract vulnerability. Even when a project uses multisig, cross-chain infrastructure, and upgradeable contracts, weaknesses in administrator key management can still allow attackers to bypass surface-level security designs and directly rewrite asset logic.

For projects that rely on bridges, proxy contracts, and multi-chain issuance, this incident raises the market’s requirements for operational security, key custody, and separation of upgrade permissions.

Second, a dual-chain token dumping event can directly disrupt pricing anchors across exchanges and on-chain markets. When the same asset trades across different chains, liquidity pools, and centralized platforms at the same time, continuous selling of stolen or newly minted tokens can amplify price discovery confusion, drain liquidity, and distort cross-market spreads.

Some key data points remain inconsistent at this stage. Further disclosure from Humanity, trading platforms, and on-chain security firms will be needed to clarify the full scope of the incident.


WEEX View

The core market question is no longer simply whether Humanity was hacked. The real issue is whether the stolen and newly minted H tokens can continue moving through market infrastructure and trigger a second round of forced clearing.

For CEXs, the first-line impact usually appears in three areas: whether deposits and withdrawals remain isolated, whether spot and derivatives pricing begin to depeg, and whether market makers are still willing to provide two-sided liquidity.

If tainted on-chain tokens continue flowing into external addresses while platforms have not completed address profiling and risk control synchronization, arbitrage traders may be the first to step in and capture spreads. But these spreads come with liquidation, freeze, and compliance risks, leaving very little safe room for execution.

The more practical business conflict is also clear. The project team wants to secure pauses, freezes, and recovery cooperation. Exchanges care more about asset tradability, user exposure, and potential compensation disputes. Market makers will quickly reassess inventory value and hedging costs.

If on-chain spot prices, cross-chain mapped token prices, and CEX derivatives prices remain split for too long, H could enter a fragmented “same name, different price” state. In that environment, institutional capital and high-frequency liquidity usually withdraw first, leaving behind a high-friction and low-depth risk market.

The next four variables are the most important to watch. First, whether Humanity discloses the affected contracts, the number of leaked keys, and a complete remediation plan. Second, whether exchanges expand quantitative risk controls, including freezing suspicious deposits, adjusting leverage parameters, or delisting related trading pairs. Third, whether any residual malicious permissions remain on BSC or Ethereum. Fourth, whether the team can provide a verifiable supply repair and circulating supply reconstruction plan.

As long as any of these remain unclear, liquidity recovery is likely to be slow, while arbitrage, liquidation, and legal recovery efforts continue to pressure each other.


Timeline

  • 2026-06-07: Humanity Protocol announced the launch of staking and supported cross-chain deposits through its official bridge.
  • 2026-06-08 23:59: Early monitoring indicated that wallets related to Humanity may have been attacked, with more than 17 wallets affected and reported losses initially exceeding $19 million.
  • 2026-06-09 00:34: On-chain monitoring later suggested that losses from related addresses had exceeded $31 million, and the attacker began swapping H tokens for ETH.
  • 2026-06-09 09:36: Further monitoring showed that the attacker was still minting and selling H tokens on BSC, with cumulative proceeds reported at around $34 million.
