
Quantstamp Links Humanity Protocol’s $36M Hack to Suspected NK Actors



Blockchain security firm Quantstamp says a phishing email and a compromised laptop were key steps in the recent Humanity Protocol incident that resulted in the theft of $36 million worth of Humanity (H) tokens. The company’s investigation points to North Korea-linked threat activity, citing technical indicators such as a South Korean digital certificate and malware behavior consistent with DPRK intrusion patterns.



Quantstamp reports that the attackers used a malicious attachment disguised as a token lockup schedule update supposedly connected to Bithumb, one of South Korea’s major cryptocurrency exchanges. After the file was delivered to a staff member, malware installed itself and provided attackers with full remote access—allowing them to reach sensitive wallet material used in the protocol’s operations.



Key takeaways



  • Quantstamp attributes the Humanity Protocol compromise to a phishing attachment that enabled full remote access to a compromised employee laptop.

  • The malware is reported to have been signed with a Hancom digital certificate associated with DPRK-like intrusion patterns.

  • Attackers were able to extract wallet credentials, including MetaMask wallet data and private keys, from a Humanity Protocol director.

  • Security firms continue to link North Korea-linked actors to a substantial share of crypto theft losses in recent years, including 2025.

  • Quantstamp’s findings add to a growing pattern where targeted social engineering is used to reach individuals inside crypto projects.



Phishing attachment becomes the access point


In its incident response, Quantstamp said the Humanity Protocol attackers gained leverage through a compromised employee’s laptop. The method, according to the firm, was a phishing email with a malicious attachment that impersonated a token-related update.



The attachment was disguised as what appeared to be a token lockup schedule update from Bithumb. Once opened, the payload installed malware that Quantstamp says granted attackers full remote access to the device.



This matters because it shifts the incident from a purely on-chain exploit narrative to a more human-infrastructure risk narrative: the immediate breach mechanism relied on end-user compromise rather than a direct vulnerability in smart contract code.



Wallet credential theft and the role of remote access


Quantstamp added that the malware’s capabilities extended beyond general control of the laptop. The firm said the attackers used the access to copy Humanity Protocol director Chong Yee Wai’s MetaMask wallet credentials and private keys.



That workflow—stealing wallet material following remote compromise—can enable fast movement of funds. It also highlights why crypto incidents often hinge on endpoint security controls, such as phishing-resistant authentication and strong key-handling procedures, rather than only contract-level defenses.



Technical signals Quantstamp links to DPRK intrusions


Beyond the phishing and remote access, Quantstamp pointed to a technical detail it described as “characteristic of DPRK intrusions.” The firm said the malware was signed with a South Korean Hancom digital certificate.



Quantstamp’s attribution follows the way many threat reports are built: exact attribution is rarely confirmed publicly, so analysts often rely on combinations of tooling, signing behavior, and operational patterns. In this case, the presence of a specific signing certificate and the observed malware behavior are presented as correlating indicators.



How this fits a broader pattern of North Korea-linked crypto theft


The suspected North Korean link does not appear in isolation. Quantstamp’s report is framed against a backdrop of major crypto thefts that multiple security assessments have attributed to North Korea-linked groups.



Cointelegraph previously reported that North Korea-linked threat actors were tied to at least $578 million of the $634 million stolen in crypto-related incidents in April, referencing an earlier analysis.



Separately, a May report by blockchain security company CertiK said the same actors have been linked to about $2 billion of the $3.4 billion lost to crypto exploits in 2025, while accounting for 12% of total incidents. CertiK characterized the operations as reflecting “precision and scale,” emphasizing that the focus is not only volume but effective execution.



Looking at longer time horizons, a report cited in the article states that over the past decade North Korea-linked actors stole an estimated $6.75 billion in cryptocurrency across 263 documented incidents. CertiK also said North Korea has “industrialized” crypto theft as a core state revenue mechanism, positioning the activity as a meaningful component of external income.



Denial from North Korea, and why attribution stays contentious


North Korea typically does not respond directly to cybercrime allegations. However, the article notes that on May 3, a Foreign Ministry spokesperson rejected claims of involvement in crypto hacks in a statement carried by the Korean Central News Agency.



In that response, the spokesperson argued that the US is spreading “incorrect” narratives about a “non-existent ‘cyber threat’” from North Korea, according to the report referenced in the piece.



For investors and operators, the key takeaway is not to treat attribution claims as courtroom-grade certainty, but to recognize that the patterns behind these incidents—especially endpoint compromise and credential theft—are actionable regardless of attribution debates. Even when state involvement is disputed, the practical defenses remain similar: harden access to personnel systems, reduce exposure to credential-harvesting malware, and ensure recovery and incident response plans assume that social engineering can succeed.



Going forward, the main things readers should watch are follow-up updates from Humanity Protocol and security monitors on whether additional wallets or related infrastructure were targeted, alongside broader tooling guidance from Quantstamp and other analysts on preventing phishing-led endpoint takeovers.



https://www.cryptobreaking.com/quantstamp-links-humanity-protocols-36m-2/
