Humanity Protocol said more than $36mn worth of its H token was stolen in a coordinated attack on 8 Jun, but on-chain investigator ZachXBT immediately cast doubt on the explanation, writing that the incident "seems possibly staged" and calling it "a convenient way for the active MM [market maker] to have exited."
Humanity Protocol Claims $36mn Hack, but ZachXBT Says “Seems Possibly Staged”
The project said the breach began when an employee’s laptop was compromised, giving attackers access to multiple Gnosis Safe owner keys. Three of six keys controlling the Hyperlane bridge ProxyAdmin on Ethereum and three of five on BNB Chain were affected. The attacker used the keys to seize control of the bridge contracts, upgrade them to malicious versions, and drain approximately 141.2mn H tokens on Ethereum. On BNB Chain, the attacker deployed a contract with an unlimited mint function and created over 200mn new H tokens.
Humanity Protocol said it has halted all bridge activity and is working with exchanges, security firms and law enforcement to investigate and recover funds. Blockchain security firm Blockaid independently confirmed that the incident involved compromised keys and the minting of additional tokens on BNB Chain.
ZachXBT questions timing, narrative
ZachXBT pushed back against the team’s account within hours on 9 Jun. He pointed to high token supply concentration and noted that selling occurred primarily on decentralized exchanges. In a later update, he said further analysis indicated the market maker activity and the private key compromise were independent events, adding that it was "kind of funny" the team had been aggressively promoting the token in the weeks before the incident, only to be frontrun by the attacker shortly before an upcoming investor unlock.
The comments come weeks after Humanity Protocol’s token drew scrutiny for a sharp rally amid questions over investor vesting terms and leveraged trading. The H token fell more than 80% in the hours following news of the incident on 9 Jun.
Humanity Protocol said it would publish a detailed post-mortem in the coming days.
Why ProxyAdmin compromise matters
The Hyperlane bridge ProxyAdmin is the administrative contract that controls upgrades to the bridge itself. By seizing control of it, the attacker was able to replace the legitimate bridge logic with malicious code, effectively giving themselves the ability to move or mint tokens at will. This type of attack is particularly damaging for projects that rely on cross-chain bridges, as it can undermine confidence in the entire bridging infrastructure rather than just a single wallet or contract.
The project has not yet disclosed whether it holds insurance coverage or has access to other recovery mechanisms. Community reaction has been heavily sceptical, with multiple users questioning on X how a single employee laptop could compromise enough keys to control a multisig governing critical bridge infrastructure.
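The question raised above, how one laptop could reach a multisig's threshold, can be checked against a key-custody inventory before an incident. The sketch below is an added example, not code from Humanity Protocol, Safe or Hyperlane; the signing threshold of 3 and all owner and device names are assumptions constructed to mirror the reported 3-of-6 and 3-of-5 exposure.

```python
from itertools import combinations

def min_devices_to_control(custody, threshold):
    """Smallest set of devices whose compromise exposes >= threshold owner keys.

    custody maps owner -> set of devices holding a usable copy of that key.
    Returns (device_count, devices, exposed_owners), or None if unreachable.
    """
    devices = sorted(set().union(*custody.values()))
    for k in range(1, len(devices) + 1):
        for combo in combinations(devices, k):
            hit = set(combo)
            exposed = sorted(o for o, held in custody.items() if held & hit)
            if len(exposed) >= threshold:
                return k, combo, exposed
    return None

def audit(safes):
    """Return every Safe that fewer devices than required signatures can take over."""
    findings = {}
    for name, (custody, threshold) in safes.items():
        result = min_devices_to_control(custody, threshold)
        if result and result[0] < threshold:
            findings[name] = result
    return findings

# Constructed inventory (hypothetical names; threshold 3 is an assumption).
SAFES = {
    "eth-proxyadmin": ({"owner1": {"laptop-A"}, "owner2": {"laptop-A"},
                        "owner3": {"laptop-A"}, "owner4": {"hw-4"},
                        "owner5": {"hw-5"}, "owner6": {"hw-6"}}, 3),
    "bnb-proxyadmin": ({"owner1": {"laptop-A"}, "owner2": {"laptop-A"},
                        "owner3": {"laptop-A", "hw-3"}, "owner4": {"hw-4"},
                        "owner5": {"hw-5"}}, 3),
    # Corrected layout: one key per independent hardware device.
    "hardened": ({f"owner{i}": {f"hw-{i}"} for i in range(1, 6)}, 3),
}

if __name__ == "__main__":
    for safe, (count, devices, owners) in audit(SAFES).items():
        print(f"{safe}: {count} device(s) {devices} expose {owners}")
```

A Safe passes only when the number of devices an attacker must compromise equals the signing threshold; a backup copy of a key on a shared machine (owner3 in the BNB Chain entry) counts as exposure just like the primary copy.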