Terence Kwok, founder of Humanity, acknowledged a "serious lapse" in their security protocol which allowed attackers to abscond with over $36 million worth of the project's H token. According to CoinDesk, the breach was initiated when an employee's laptop, which hosted crucial multisig keys, was compromised.

This fundamental oversight in key management came despite backing from prominent investors like Pantera and Jump Crypto. Humanity's multisignature wallets, meant to safeguard the project’s token bridges across blockchains, paradoxically became its Achilles heel when all keys were stored on a single device, CoinDesk reported.

The attacker gained control of Humanity's bridge on Ethereum by acquiring three of the six keys to its admin account. This was enough to swap out the bridge's code for a malicious version and drain approximately 141 million H tokens in a single transaction.

Kwok commented on the incident via Telegram, emphasizing that while they used a licensed custodian for most of their token treasury, "some of the keys were accidentally backed up to a compromised device during setup."

The breach wasn't isolated to Ethereum. The attacker mirrored their strategy on BNB Chain, snagging three of five keys to introduce code with an unlimited mint function, minting about 200 million new H tokens into their wallet.

In response, Humanity removed its team page from its website and has halted bridge transactions. They’re now working with exchanges and law enforcement to recoup the stolen funds.

ZachXBT, an on-chain investigator, pointed out that there were also unusual market activities involving the H token, with prices jumping from 20 cents to 70 cents before the breach. After plummeting to 5 cents during the attack, the token clawed back to around 20 cents, CoinGecko data shows.

The breach underscores the critical need for rigorous security practices in the crypto industry. Despite the promises of decentralization, a single point of failure can unravel even the most high-profile projects.

Humanity's $36 million exploit tied to compromised laptop hosting a 'multisig' wallet highlights a basic security failure for a startup backed by Pantera and Jump Crypto. The decentralized identity project explained how attackers were able to steal more than $36 million of its H token, and the cause was a serious lapse in how it secured its keys.

More from Coin Times

MACRO

Financial Concerns Hit Four-Year High — Inflation Tensions Persist

In an incident update shared with CoinDesk, the decentralized identity project said the breach started when an employee's laptop was compromised. The machine held several keys that controlled the project's token bridges, the tools that move H (and other tokens) between blockchains.

Those bridges ran through multisignature wallets, which require a number of separate keys to approve any change. A multisignature wallet is supposed to spread keys across different people and devices so that no single machine can move funds. In this case, all the keys were stored on a single device, meaning a compromise allowed the exploier to cross the approval threshold on both chains, Humanity said.

The attacker obtained three of the six keys controlling the bridge's admin account on Ethereum, enough to seize controls linked to the project's deployment on the network. The attacker then transferred ownership to their own wallet, swapped the bridge's code for a malicious version and drained about 141 million H in one transaction.

In a Telegram message to CoinDesk, Humanity founder Terence Kwok said the team had set up a multisig wallet across four individuals (as it should have). Humanity suspects that "some of the keys were accidentally backed up to a compromised device during setup," Kwok said. "We use a licensed custodian for the majority of token treasury, mpc for operations treasury, and for certain contracts multisig keys were set up in one place and then dispersed."

Unfortunately in this scenario, the keys were backed up on a compromised device," he said. The attacker executed similar steps on BNB Chain with three of five keys. This time, installing code with an unlimited mint function, which allowed the creation of tokens at will, and minted about 200 million new H straight to their wallet.

Humanity has since removed the team page from its website. The project said it has halted deposits and withdrawals on the affected bridges and is working with exchanges and the police to recover funds.

Humanity raised $20 million from Pantera Capital and Jump Crypto last year at a $1.1 billion valuation.

ZachXBT, a prominent onchain investigator, said the key compromise and a separate round of suspicious market-making in the token were not connected. He also raised questions about how the token traded in the weeks before the breach, ahead of a large scheduled token unlock, as H token prices shot up from 20 cents to 70 cents within two weeks. The token has clawed back some of the lost ground. After falling as low as about 5 cents during the attack, it recovered to around 20 cents, according to CoinGecko data. It remains well below the roughly pre-breach level of 67 cents.