On June 9th, according to on-chain analyst Specter's monitoring, wallets that have interacted with the digital identity project Humanity are under sustained attack.
So far, hundreds of addresses holding H tokens have been drained, with total losses exceeding $31 million. Approximately $9 million has already been converted to ETH, and about $9.9 million remains in the form of H tokens.
Humanity founder Terence Kwok later confirmed the security incident, which involved the leak of a private key belonging to a foundation member.
As a precautionary measure, he advised users to temporarily avoid interacting with the Humanity cross-chain bridge or any liquidity pools until their safety has been confirmed. The team is working with security experts and exchange partners to address the issue and will continue to update the community on progress.
The H token price plummeted from around 0.7 USDT to a low of 0.052 USDT, a drop of over 90% in 24 hours. As of the time of writing, H is trading at 0.1368301 USDT, with its market capitalization falling from around $2 billion to approximately $35.7 million.
As of 11:00 on June 9th, the attacker had allegedly minted 100 million new Humanity Protocol H tokens and was dumping them in exchange for BNB.
A Project That Hasn't Truly "Proven Humanity"
Humanity Protocol was founded in 2024, positioning itself as a decentralized digital identity network. Its core selling point is verifying users as real humans using palm print biometrics and zero-knowledge proofs. The project is built on Polygon CDK (zkEVM), claiming to solve issues like Sybil attacks, fake accounts, and AI-generated identities without exposing personal information.
This narrative attracted significant investor attention in 2024. Humanity Protocol completed two rounds of funding totaling $50 million. A $30 million seed round valued the project at $1 billion, with investors including Kingsway Capital, Animoca Brands, Blockchain.com, and Shima Capital, among others.
In January 2025, a round led by Pantera Capital and Jump Crypto raised $20 million, increasing the valuation to $1.1 billion.
The Humanity Foundation also gathered many prominent figures, led by Animoca Brands Chairman Yat Siu. Co-founders include Mario Nawfal, founder of the international blockchain consulting firm, and Yeewai Chong, a senior investment expert from Morgan Stanley and Ortus Capital.
On June 25, 2025, the H token launched via a Fairdrop mechanism, touted as the first token distribution in Web 3.0 history exclusively for verified real humans. However, two days after launch, DL News reported leaked conversations from the founder. Kwok admitted in the dialogue that out of the 9 million Human IDs created on the network, only about 1 million had completed biometric verification, meaning up to 88% of users could be bots.
Furthermore, according to claims by users such as SCoin (@LianFang_) and AB Kuai.Dong (@_FORAB) on platform X, Humanity Protocol (H) might be a "re-packaged Chinese project," with its app's code asset library still containing images from the Shenzhen access control manufacturer Zhang Teng Information, raising authenticity doubts. Netizens alleged that its social media hype was largely orchestrated by the project's own sock puppet accounts, with actual user engagement being questionable.
AB Kuai.Dong warned that those who previously did verification with Humanity should be careful. Zhang Teng Information is backed by a Shanghai outsourcing company specializing in full-service identity recognition outsourcing. Additionally, whistleblower SCoin claimed the project collected large amounts of user palm print information, raising privacy and security concerns.
This was fatal for a project whose core value proposition is "proving humanity." The H token fell over 61% within two days of launch, from around $0.05 to a low of $0.018.
The Founder's Previous Unicorn Burned Through $170 Million
Terence Kwok's personal history adds a risk footnote to this project. In 2012, 20-year-old Terence Kwok dropped out of the University of Chicago. After receiving a $900 roaming bill during a trip, he founded Tink Labs, which provided free smartphones (branded Handy) in hotel rooms for guests to use abroad to avoid high roaming fees.
This concept once captivated the capital market. Tink Labs raised $170 million in total from Foxconn, SoftBank, Innovation Works, and the founder of Meitu, reaching a valuation of $1.5 billion and becoming Hong Kong's first unicorn. At its peak, Handy devices covered 600,000 hotel rooms across 82 countries.
However, Kwok's aggressive expansion strategy soon met reality. Global roaming fees continued to fall, hotels were unwilling to pay for Handy devices, and the company began losing money from 2017. According to the Financial Times, after discovering that Tink Labs might have diverted funds from its Japanese joint venture to other loss-making markets, SoftBank cut off funding for the key project.
In July 2019, over 100 employees in European, Middle Eastern, and African offices did not receive their salaries. Laid-off employees smeared cake on the walls and floors as they left the Oxford office. On August 1st, Tink Labs officially shut down, entering bankruptcy liquidation in January 2020. A former HR executive told the FT that Kwok only cared about "making money," and the entire $170 million investment was lost.
Six years later, Kwok returned to the market with Humanity Protocol, securing a unicorn valuation once again from Pantera Capital and Jump Crypto.
Private Key Management: An Old Problem, A New Price
Based on the information currently available, this attack does not involve smart contract vulnerabilities or protocol-level security flaws. The attacker obtained a private key belonging to a foundation member, which is a failure of the most traditional kind of security management.
The security situation in the crypto industry was already severe in 2026. According to CCN statistics, losses from DeFi hacks in the first four months of 2026 exceeded $1 billion, with most stolen funds still unrecovered. The $286 million attack on Drift Protocol on April 1st was the single largest event this year.
Attackers are increasingly targeting validators, RPC nodes, and governance systems, not just smart contract vulnerabilities. However, private key leaks remain one of the most devastating attack types, as they bypass all on-chain security mechanisms and hand the attacker direct control of the assets.
For a project already burdened with the controversy of 88% bot users and a token down over 90% from its high, a $31 million private key leak could be the final blow to trust.
As of the time of writing, Kwok said in a statement that the team is working with security experts and exchange partners, but did not mention any user compensation plan or explain why the foundation member's private key lacked basic protections like multi-signature or hardware isolation.