Crypto Token Compromise: Why Humans Are the Prime Entry Point


In June 2026, crypto firm Humanity's $H token was hijacked. There was no contract bug and no on-chain exploit. The attacker simply convinced one employee to open a file.

The target was Humanity, the team behind a privacy-first decentralized identity network and the issuer of the compromised token. The post-mortem was run by Quantstamp, a web3 security firm, whose findings tie the tooling and tradecraft to actors linked to North Korea (DPRK). The lesson is one every crypto company should absorb: the blockchain held, the human did not.

Key Takeaways

  • The breach started with a single spear-phishing email impersonating an exchange the victim was already talking to.
  • One compromised employee handed the attacker remote control of a machine, and with it, the private keys behind the token.
  • The keys were used to seize the token contracts, mint and move supply, then dump it on decentralized exchanges, crashing the price by nearly 90%.
  • The tooling matched tradecraft characteristic of North Korea-linked intrusions.
  • The weak point was human trust, not anything on-chain. That is what makes this attack class so hard to stop with code.

How the Attack Unfolded

The on-chain damage was loud, but the real attack happened quietly, in an inbox.

  1. Target selection. The attacker singled out an employee with access to keys, who happened to be in an active conversation with a crypto exchange.
  2. The pretext. A spear-phishing email impersonated that exchange, themed around a routine token lockup schedule. It looked like the next message in a conversation already underway.
  3. The payload. The email carried a malicious attachment. Because the sender looked like a trusted counterpart, opening it felt normal.
  4. The compromise. A code-signed loader installed remote-access malware and slipped past the endpoint security on the host; the valid signature is part of what let it run unchallenged. The attacker now had full remote control of the machine.
  5. Key theft. With hands-on access, the attacker copied the wallet keys stored on the device.
  6. The cash-out. Using those keys, they took control of the token contracts, minted and moved supply, and dumped it across decentralized exchanges over roughly eight hours. The open-market price crashed by nearly 90%, with over USD 21 million in proceeds traced to attacker wallets, hitting holders and liquidity providers.

[Figure: the phishing email involved in the attack, as shared by Humanity in its incident report]

The Social Engineering Pattern

Strip away the chain-specific details and this is a textbook targeted social engineering operation built on three moves:

  • Borrowed trust. Impersonating a counterpart the victim was already talking to meant the attacker never had to earn trust, only borrow it. People, not systems, are the prime social engineering target in crypto.
  • A boring pretext. "Routine update" is the opposite of a scam-sounding subject line. Low drama keeps the target relaxed and compliant.
  • Targeting the human with the keys. The attacker ignored the contracts and went after a person, because a privileged employee is the fastest path to the same outcome. This is the recurring shape of social engineering threats against crypto teams.
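The "borrowed trust" move above has a mechanical signature that mail filtering can look for before a human ever has to judge the message. The following check is an added example written for this article; it is not code from Humanity, Quantstamp or Arsen, and the incident report as reproduced here does not say how the exchange's identity was faked. The script therefore screens for the usual ways it is done: a display name you recognise arriving from a domain you have not verified, a lookalike of a verified domain, a Reply-To that quietly diverts the conversation, a "Re:" subject with no threading headers, and an attachment type a routine lockup-schedule update would never need. The counterpart list, domains, addresses and both messages are constructed sample data.

```python
"""Heuristic screen for inbound mail that borrows a known counterpart's identity.

Added example for this article, not code from Humanity, Quantstamp or Arsen.
The incident report does not state how the exchange was impersonated, so the
checks below cover the common techniques rather than the exact one used.
All domains, addresses and messages are constructed sample data.
"""
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from pathlib import PurePosixPath

# Constructed allow-list: counterpart display name -> domain verified out of band.
KNOWN_COUNTERPARTS = {
    "Example Exchange Listings": "example-exchange.com",
}

# Extensions that have no business in a "routine update" from a counterparty.
RISKY_EXTENSIONS = {".exe", ".scr", ".msi", ".dmg", ".pkg", ".js", ".vbs",
                    ".hta", ".lnk", ".iso", ".zip", ".rar", ".7z"}


def edit_distance(a, b):
    """Plain Levenshtein distance, used to catch one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(header_value):
    """Lower-cased domain part of an address header, or '' if the header is absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def screen_message(raw, known=KNOWN_COUNTERPARTS):
    """Return a list of human-readable findings; an empty list means nothing tripped."""
    msg = message_from_string(raw, policy=default)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()

    # 1. Borrowed trust: a display name we know, on a domain we have not verified.
    expected = known.get(name.strip())
    if expected and from_domain != expected:
        findings.append(f"display name '{name}' but sender domain {from_domain} != {expected}")

    # 2. Lookalike: within two edits of a verified domain without being equal to it.
    for verified in known.values():
        if from_domain != verified and edit_distance(from_domain, verified) <= 2:
            findings.append(f"sender domain {from_domain} is a lookalike of {verified}")

    # 3. Reply-To that diverts replies away from the apparent sender.
    reply_domain = _domain(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 4. Claims to continue a thread but carries no threading headers.
    subject = (msg.get("Subject") or "").strip()
    if subject.lower().startswith("re:") and not msg.get("In-Reply-To") and not msg.get("References"):
        findings.append("subject claims a reply but In-Reply-To/References are missing")

    # 5. Attachment type that a lockup-schedule update should never need
    #    (suffixes catches double extensions such as .pdf.exe).
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if any(s.lower() in RISKY_EXTENSIONS for s in PurePosixPath(filename).suffixes):
            findings.append(f"risky attachment: {filename}")

    return findings


# Constructed sample: a lure of the kind the article describes, rendered as MIME.
PHISH = """\
From: Example Exchange Listings <listings@example-exchanqe.com>
Reply-To: Example Exchange Listings <listings@mail-relay.example.net>
To: ops@example-token-issuer.com
Subject: Re: $H token lockup schedule - updated
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Hi, attached is the updated lockup schedule we discussed. Please confirm.

--b1
Content-Type: application/octet-stream; name="Lockup_Schedule.pdf.exe"
Content-Disposition: attachment; filename="Lockup_Schedule.pdf.exe"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""

# Constructed sample: the same conversation continued by the real counterpart.
LEGIT = """\
From: Example Exchange Listings <listings@example-exchange.com>
To: ops@example-token-issuer.com
Subject: Re: $H token lockup schedule
In-Reply-To: <a1b2c3@example-token-issuer.com>
References: <a1b2c3@example-token-issuer.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Thanks, the schedule you sent matches our records. Nothing further needed.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, screen_message(raw) or "clean")
```

None of these checks is proof of compromise on its own; a counterpart can legitimately change mail providers, and a signed loader behind a clean-looking PDF defeats all of them. The point is that every signal here is visible before the attachment is opened, so a mail gateway or a secure-mail rule can hold the message for out-of-band confirmation with the counterpart, which is the control the later sections of this article recommend.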

Why Audits Don't Catch This

A smart contract audit, however rigorous, would not have stopped this. The contracts behaved as designed, operated by someone holding legitimate keys. The compromise lived entirely upstream of the chain, in an email client and on an endpoint.

That is the gap on-chain security cannot close, and the one security leaders have to plan for. The inbox of every key-holder is now part of the attack surface, which is why a social engineering checklist for crypto CISOs matters as much as an audit report.

Train the Attack Before It Happens

You cannot patch human trust, but you can train it.

  • Arsen's phishing simulation platform lets you recreate this exact flow safely: a targeted email impersonating a known partner or exchange, themed around a routine update, carrying a realistic link or attachment. Because the lures are contextual rather than generic spam, they reflect how real targeted attacks look, and they show you who would have clicked before a real attacker finds out.
  • AI-driven voice phishing is evolving quickly, and crypto firms are increasingly its prime targets, as the Figure case illustrates. Web3 companies should run realistic voice phishing simulations so employees learn to recognize vishing attempts and build the habits that protect the organization from social engineering.

Defend the People Behind Your Protocol

In crypto, your attack surface is your team. Contracts can be audited and frozen; a single employee's trust, once exploited, moves at the speed of one click. Arsen helps crypto and web3 companies train the people who are most targeted. Explore our security awareness solution for crypto teams.

Frequently Asked Questions

How was the Humanity $H token compromised?

Through a spear-phishing email impersonating an exchange the victim was already in contact with. A malicious attachment installed remote-access malware, giving the attacker control of the employee's machine, where the wallet keys were stored.

Was this a smart contract exploit?

No. The contracts were not exploited; they were operated with legitimate stolen keys. Preventing this means securing the people and devices with privileged access, not just the code.

Who was behind the attack?

Quantstamp's investigation concluded the tooling and signing patterns were characteristic of DPRK-linked intrusions, a recurring profile in attacks on crypto organizations.

How can crypto companies prevent this kind of attack?

Train the humans who are targeted. Run realistic phishing simulations that mimic impersonation of known partners, enforce out-of-band verification before opening attachments or signing anything, and treat every key-holder's inbox as part of the protocol's attack surface.
