
Humanity Protocol got hit hard. On June 8-9, 2026, attackers drained over $36 million from the protocol. The H token collapsed roughly 85-90% within hours. The exploit spanned Ethereum and Binance Smart Chain.
The entry point? Reportedly a compromised employee laptop.
That single device reportedly handed attackers enough private keys to defeat the protocol’s shared wallet security entirely. Humanity Protocol ran a Gnosis Safe multisig on Ethereum. That’s a standard setup. It distributes signing authority across multiple keyholders. Three of the six required keys were compromised, according to the protocol’s official incident update. That met the threshold. Attackers could authorize transactions freely. No remaining signers could stop it.
On Ethereum, on-chain analyst Specter tracked at least 17 wallets linked to the protocol. All drained. The Block cited Specter’s findings.
It didn’t stop there.
The attackers also hit Binance Smart Chain. They minted H tokens without authorization. The protocol confirmed this in its official incident update. A KuCoin flash note spelled out the damage: roughly 300 million H tokens minted. Around $34 million cashed out across both chains. All within 13 hours. Those minted tokens got swapped into ETH. That flooded the market with sell pressure on top of the wallets already drained.
The H token didn’t survive the combination. CoinDesk and CoinTelegraph both reported the collapse: between 85% and 90% in hours. Direct selling from stolen supply. A sudden collapse in confidence. Both at once.
The laptop is still the critical detail. It’s not confirmed through forensic investigation yet. But the implication is clear. A multisig wallet is only as strong as the devices holding its keys. One compromised endpoint is enough. Doesn’t matter how many total signers exist.
The BSC component makes it worse. Cross-chain deployments are common now. Security standards don’t always travel with them. The Binance Smart Chain minting capability relied on either a separate compromised key or a shared key reused across chains. Either way, it’s a gap. The protocol’s security posture beyond Ethereum wasn’t airtight.
For DAO treasuries and protocol teams running multisig setups, this is the lesson. Distributed key custody isn’t enough. The devices holding those keys are high-value targets. They need to be treated that way. This attack makes that cost concrete: $36 million and a token that lost nearly everything in under a day.
