NewsFlash Articles Data Fundraising Skill&API

Private Key Leak Leads to Bloodbath: $31 million Stolen, Humanity Token Plunges by 90%

Foresight News

Read this article in 11 Minutes

Proof of Human project, unable to prove the security of your private key.

Original Title: "Humanity Loses $31 Million in Hack, Token Price Plummets 90% Due to Stolen Private Key"

On June 9, according to on-chain analyst Specter, wallets interacting with the digital identity project Humanity have been under continuous attack.

Several hundred addresses holding H tokens have been compromised, resulting in a total loss of over $31 million. About $9 million has been converted to ETH, while roughly $9.9 million still remains in the form of H tokens.

Humanity's founder, Terence Kwok, later confirmed a security incident involving the leak of a foundation member's private key.

As a precautionary measure, users have been advised not to interact with Humanity's cross-chain bridge or any liquidity pool until security is further confirmed. The team is collaborating with security experts and exchange partners to address the issue and will continue to update the community on progress.

The price of the H token plummeted from around $0.7 USDT to a low of $0.052 USDT, marking a greater than 90% drop in 24 hours. At the time of writing, H is trading at $0.1368301 USDT, with its market cap plunging from $2 billion to around $35.7 million.

As of June 9, 11:00, the attacker has reportedly minted 100 million Humanity Protocol tokens (H) and is currently selling them to exchange for BNB.

A Project Yet to Truly Prove "Humanity"

Founded in 2024, Humanity Protocol positions itself as a decentralized digital identity network, with its core feature being the verification of users as humans through palm vein biometrics and zero-knowledge proofs. The project is built on the Polygon CDK (zkEVM) and claims to address issues such as Sybil attacks, fake accounts, and AI-generated identities without exposing personal information.

This narrative attracted significant capital in 2024, as Humanity Protocol successfully completed two fundraising rounds totaling $50 million. The seed round raised $30 million at a $1 billion valuation, with investors including Kingsway Capital, Animoca Brands, Blockchain.com, and Shima Capital among others.

In January 2025, a round led by Pantera Capital and Jump Crypto raised $20 million, valuing the company at $1.1 billion.

The Humanity Foundation also attracted a number of well-known individuals, led by Yat Siu, Chairman of Animoca Brands. Co-founders include Mario Nawfal, founder of an international blockchain advisory firm, and Yeewai Chong, a senior investment expert from Morgan Stanley and Ortus Capital.

On June 25, 2025, the H token was launched through a Fairdrop mechanism, claiming to be the first-ever token distribution in Web 3.0 history exclusively targeted at verified real humans. However, two days after the launch, DL News reported a leaked founder conversation. Kwok admitted in the conversation that out of the 9 million Human IDs created online, only about 1 million had completed biometric verification, meaning up to 88% of users could be bots.

Furthermore, according to users on the X platform SCoin (@LianFang_) and AB Kuai.Dong (@_FORAB), Humanity Protocol (H) may be a "domestic project shell." The app's code material library still contains images from Shenzhen access control company ZTE Information, casting doubt on its authenticity. Netizens claimed that much of its social media platform activity was self-directed by the project team's sock puppets, with actual user engagement being questionable.

AB Kuai.Dong stated that those who previously underwent verification on Humanity need to be cautious. ZTE Information is backed by a Shanghai outsourcing company specialized in full-scale identity recognition outsourcing. In addition, whistleblower SCoin claimed that the project extensively collected user palm print information, raising concerns about privacy and security.

For a project whose core value proposition is to "prove humanity," this was fatal. The H token plummeted over 61% within two days of its launch, dropping from around $0.05 to a low of $0.018.

Founder's Previous Unicorn Burned Through $170 million

Terence Kwok's personal history also added a risk footnote to this project. In 2012, 20-year-old Terence Kwok dropped out of the University of Chicago after receiving a $900 roaming bill during a trip. He then founded Tink Labs, providing free smartphones (branded as Handy) in hotel rooms for guests to use overseas and avoid high roaming fees.

This concept once captivated the capital markets. Tink Labs raised $170 million in funding from Foxconn, SoftBank, Innovation Works, and the founder of Meitu, reaching a valuation of $1.5 billion and becoming Hong Kong's first unicorn. At its peak, Handy devices covered 60,000 hotel rooms in 82 countries worldwide.

However, Kwok's aggressive expansion strategy quickly encountered reality. Global roaming fees continued to decline, and hotels were unwilling to pay for Handy devices. The company started facing losses in 2017. According to the Financial Times, SoftBank cut off vital project funding upon discovering that Tink Labs might have misappropriated funds from its Japanese joint venture to other loss-making markets.

In July 2019, over 100 employees in European, Middle Eastern, and African offices did not receive their salaries. When laid-off employees left the Oxford office, they smeared cake on the walls and floors. On August 1, Tink Labs formally shut down, entering bankruptcy liquidation proceedings in January 2020. A former HR director told the FT that Kwok only cared about "making money," and the $170 million investment completely evaporated.

Six years later, Kwok returned to the market with the Humanity Protocol, once again securing a unicorn valuation from Pantera Capital and Jump Crypto.

Private Key Management: An Old Issue with a New Cost

Based on current information, this attack did not involve smart contract vulnerabilities or protocol-level security flaws. The attacker obtained a foundation member's private key, a classic case of security mismanagement.

The security situation in the crypto industry in 2026 was already dire. According to CCN, in the first four months of 2026, DeFi hacks resulted in losses exceeding $1 billion, with a significant portion of stolen funds still unrecovered. On April 1, Drift Protocol experienced a $286 million attack, the largest single event this year.

Attackers are increasingly targeting validators, RPC nodes, and governance systems, not just smart contract vulnerabilities. However, private key leakage remains one of the most devastating attack types as it bypasses all on-chain security measures, directly seizing asset control.

For a project that once faced an 88% bot user controversy and saw its token drop over 90% from its peak, a $31 million private key leak may be the final blow to trust.

At the time of publication, Kwok stated in the announcement that the team is working with security experts and exchange partners to address the issue, but did not mention any user compensation plan, nor did he explain why the foundation members' private keys were not protected by basic security measures such as multi-signature or hardware isolation.