Humanity Loses $31 Million, a Private Key Causes Token Price to Plunge 90%

Author: ChandlerZ, Foresight News

On June 9, according to on-chain analyst Specter's monitoring, wallets that have interacted with the digital identity project Humanity are under sustained attack. Hundreds of addresses holding H tokens have been compromised so far, with total losses exceeding $31 million. Approximately $9 million has been swapped for ETH, with another $9.9 million still held in the form of H tokens.

Humanity founder Terence Kwok subsequently confirmed the security incident, involving the leakage of a private key belonging to a foundation member. As a precaution, he advised users to temporarily refrain from interacting with the Humanity cross-chain bridge or any liquidity pools until further safety confirmation. The team is working with security experts and exchange partners to handle the situation and will continue to update the community on the progress.

The price of the H token plummeted from around 0.7 USDT to a low of 0.052 USDT, a drop of over 90% within 24 hours. At the time of writing, H is trading at 0.1368301 USDT, with its market capitalization falling from around $2 billion to approximately $35.7 million.

As of 11:00 AM on June 9, the attacker is suspected of minting 100 million new Humanity Protocol H tokens and is currently selling them off for BNB.

A Project That Never Truly 'Proved Humanity'

Humanity Protocol was founded in 2024, positioning itself as a decentralized digital identity network. Its core selling point was using palm print biometrics and zero-knowledge proofs to verify whether a user is a real human. Built on Polygon CDK (zkEVM), the project claimed to solve issues like Sybil attacks, fake accounts, and AI-generated identities without exposing personal information.

This narrative attracted significant capital attention in 2024. Humanity Protocol completed two rounds of funding totaling $50 million. A $30 million seed round at a $1 billion valuation included investors like Kingsway Capital, Animoca Brands, Blockchain.com, and Shima Capital. In January 2025, another $20 million round led by Pantera Capital and Jump Crypto raised the valuation to $1.1 billion.

The Humanity Foundation also assembled numerous well-known figures, led by Animoca Brands Chairman Yat Siu. Co-founders included Mario Nawfal, founder of the international blockchain consulting firm, and Yeewai Chong, a senior investment expert from Morgan Stanley and Ortus Capital.

On June 25, 2025, the H token launched via a Fairdrop mechanism, touted as the first-ever token distribution in Web3 history exclusively to verified humans. However, two days after launch, DL News reported leaked conversations from the founder. In the dialogue, Kwok admitted that out of the 9 million Human IDs created on the network, only about 1 million had completed biometric verification, implying that up to 88% of users might be bots.

Furthermore, according to revelations from X platform users SCoin (@ LianFang _) and AB Kuai . Dong (@_FOR AB ), Humanity Protocol (H) might be a "repackaged domestic project," with APP code material libraries still containing images from Shenzhen access control manufacturer Zhangteng Information, raising doubts about its authenticity. Netizens claimed much of its social media hype was self-generated by project-side accounts, with actual user participation questionable.

AB Kuai.Dong stated that those who previously completed verification with Humanity should be cautious. Zhangteng Information is allegedly backed by a Shanghai-based outsourcing company specializing in full identity recognition outsourcing. Additionally, whistleblower SCoin claimed the project collected large amounts of users' palm print data, raising privacy and security concerns.

This was fatal for a project whose core value proposition was "proving humanity." The H token fell over 61% within two days of launch, from around $0.05 to a low of $0.018.

The Founder's Previous Unicorn Burned Through $170 Million

Terence Kwok's personal resume added a footnote of risk to the project. In 2012, 20-year-old Terence Kwok dropped out of the University of Chicago and, inspired by a $900 roaming bill received during a trip, founded Tink Labs. The company provided free smartphones (branded Handy) to hotel rooms for guests to use abroad, replacing expensive roaming fees. This concept once captivated the capital market. Tink Labs raised $170 million successively from Foxconn, SoftBank, Innovation Works, and the founder of Meitu, reaching a valuation of $1.5 billion and becoming Hong Kong's first unicorn. At its peak, Handy devices covered 600,000 hotel rooms across 82 countries.

However, Kwok's aggressive expansion strategy soon met reality. Global roaming fees continued to decline, hotels were unwilling to pay for Handy devices, and the company began losing money from 2017. According to the Financial Times, SoftBank cut off funding for a key project after discovering that Tink Labs might have diverted funds from its Japanese joint venture to other loss-making markets. In July 2019, over 100 employees from its European, Middle Eastern, and African offices did not receive their salaries. Laid-off employees smeared cake on the walls and floors as they left the Oxford office. On August 1, Tink Labs officially shut down, entering bankruptcy proceedings in January 2020. A former HR director told the FT that Kwok only cared about "making money," and the entire $170 million investment evaporated.

Six years later, Kwok returned to the market with Humanity Protocol, once again securing a unicorn valuation from Pantera Capital and Jump Crypto.

Private Key Management: An Old Problem, a New Cost

Based on current information, this attack does not involve smart contract vulnerabilities or protocol-level security flaws. The attacker obtained a private key belonging to a foundation member, representing a failure in the most traditional security management.

The security landscape for the crypto industry in 2026 was already severe. According to CCN statistics, losses from DeFi hacks in the first four months of 2026 exceeded $1 billion, with most stolen funds still unrecovered. The $286 million attack on Drift Protocol on April 1 was the largest single incident of the year. Attackers are increasingly targeting validators, RPC nodes, and governance systems, not just smart contract vulnerabilities. However, private key leaks remain one of the most devastating attack types because they bypass all on-chain security mechanisms, directly granting control of assets.

For a project already burdened with the controversy of 88% bot users and a token down over 90% from its peak, a $31 million private key leak could be the final blow to trust. As of the time of writing, Kwok stated in his declaration that the team is working with security experts and exchange partners to handle the situation but did not mention any user compensation plan or explain why the foundation member's private key lacked basic protections like multi-signature or hardware isolation.