On June 9, according to on-chain analyst Specter, wallets that interacted with the digital identity project Humanity were under continuous attack.
Several hundred addresses holding the H token have been compromised, with total losses exceeding $31 million. Approximately $9 million has been exchanged for ETH, while around $9.9 million is still in the form of H tokens.
Humanity founder Terence Kwok later confirmed a security incident involving the leak of a foundation member's private key.
As a precautionary measure, users are advised not to interact with Humanity's cross-chain bridge or any liquidity pools until security is further confirmed. The team is collaborating with security experts and exchange partners to address the issue and will continue to update the community on progress.
The price of the H token plummeted from around $0.7 USDT to a low of $0.052 USDT, with a more than 90% decrease in the last 24 hours. At the time of writing, H is trading at $0.1368301 USDT, with the market cap dropping from $2 billion to around $35.7 million.
As of June 9, 11:00, the attacker has reportedly minted 100 million Humanity Protocol tokens (H) and is in the process of selling them for BNB.
A Project Yet to Truly Demonstrate "Humanity"
Founded in 2024, Humanity Protocol positions itself as a decentralized digital identity network. Its core proposition is to use palm print biometrics and zero-knowledge proofs to verify if users are real individuals. The project is built on the Polygon CDK (zkEVM) and claims to address issues like Sybil attacks, fake accounts, and AI-generated identities without exposing personal information.
This narrative attracted significant capital in 2024, with Humanity Protocol completing two fundraising rounds totaling $50 million. The seed round raised $30 million at a $1 billion valuation, with investors including Kingsway Capital, Animoca Brands, Blockchain.com, and Shima Capital.
In January 2025, a round led by Pantera Capital and Jump Crypto raised $20 million, valuing the company at $1.1 billion.
The Humanity Foundation also brought together a group of prominent figures, led by Animoca Brands Chairman Yat Siu, with co-founders including Mario Nawfal, founder of an international blockchain advisory firm, and investment experts Yeewai Chong from Morgan Stanley and Ortus Capital.
On June 25, 2025, the H token launched through a Fairdrop mechanism, claiming to be the first token distribution in Web 3.0 history targeted only at verified real individuals. However, two days after the launch, DL News reported a leaked founder's conversation. Kwok admitted in the conversation that out of the 9 million Human IDs created online, only about 1 million had completed biometric verification, meaning as much as 88% of users could be bots.
Furthermore, according to users on platforms like X Platform SCoin (@LianFang_) and AB Kuai.Dong (@_FORAB), it was revealed that Humanity Protocol (H) may be a "domestic project in disguise." The app's source code repository still contained images from a Shenzhen access control manufacturer, raising doubts about its authenticity. Netizens claimed that much of the social media buzz around the project was orchestrated by fake accounts controlled by the project team, calling into question the actual level of user engagement.
AB Kuai.Dong warned that those who had previously undergone verification with Humanity should be cautious. Behind Zontech Info is a Shanghai outsourcing company specializing in full-suite identity verification outsourcing. In addition, the whistleblower SCoin stated that the project extensively collected user palm print information, sparking concerns over privacy and security.
For a project whose core value proposition is to "prove humanity," this was a fatal blow. Within two days of the H token's launch, it plummeted over 61%, dropping from around $0.05 to a low of $0.018.
Founder's Previous Unicorn Burned Through $170 Million
Terence Kwok's personal history also added a risk footnote to this project. In 2012, at the age of 20, Terence Kwok dropped out of the University of Chicago after receiving a $900 roaming bill during a trip. He then founded Tink Labs, providing free smartphones (branded as Handy) in hotel rooms for guests to use abroad, replacing high roaming fees.
This concept once captivated the capital markets. Tink Labs raised a total of $170 million from Foxconn, SoftBank, Innovation Works, and Meitu's founder, reaching a valuation of $1.5 billion and becoming Hong Kong's first unicorn. At its peak, Handy devices were available in 600,000 hotel rooms across 82 countries worldwide.
However, Kwok's aggressive expansion strategy soon faced real-world challenges. Global roaming fees continued to decline, hotels were reluctant to pay for Handy devices, and the company started losing money in 2017. According to the Financial Times, SoftBank cut off funding for key projects after discovering that Tink Labs might have diverted funds from its Japanese joint venture to other loss-making markets.
In July 2019, over 100 employees in Europe, the Middle East, and Africa offices did not receive their salaries. When laid-off employees left the Oxford office, they smeared cake on the walls and floors. On August 1st, Tink Labs officially closed its doors, entering bankruptcy liquidation proceedings in January 2020. A former HR director told the FT that Kwok only cared about making "money," and the $170 million investment evaporated completely.
Six years later, Kwok returned to the market with Humanity Protocol, achieving unicorn status once again with investments from Pantera Capital and Jump Crypto.
Private Key Management: An Old Issue with a New Cost
From the current information available, this attack did not involve a smart contract vulnerability or a protocol-level security flaw. The attacker obtained a foundation member's private key, a classic case of security management failure.
The security landscape of the crypto industry in 2026 was already dire. According to CCN, in the first four months of 2026, DeFi hacks resulted in losses exceeding $1 billion, with most of the stolen funds still unrecovered. On April 1st, Drift Protocol suffered a $286 million attack, marking the largest single event of the year.
Attackers are increasingly targeting validators, RPC nodes, and governance systems, not just smart contract vulnerabilities. However, private key leaks remain one of the most devastating types of attacks as they bypass all on-chain security mechanisms, directly granting control of assets to the attacker.
For a project that once faced an 88% bot user controversy and saw its token plummet over 90% from its all-time high, a $31 million private key leak may have been the final blow to shattered trust.
As of the time of publication, Kwok stated in the announcement that the team is working with security experts and exchange partners to address the issue, but did not mention any user compensation plan, nor did they explain why the foundation members' private keys were not secured using basic protection measures such as multi-signature or hardware isolation.
Welcome to join the official BlockBeats community:
Telegram Subscription Group: https://t.me/theblockbeats
Telegram Discussion Group: https://t.me/BlockBeats_App
Official Twitter Account: https://twitter.com/BlockBeatsAsia
