One of crypto’s hottest identity narratives just collapsed in real time. Humanity Protocol $H, the project that had been riding a wave of buzz around biometric identity on blockchain, has been exploited for more than $30 million.
The token has crashed up to 90% in a matter of hours, the attacker is still holding tens of millions of dollars worth of $H ready to sell, and ZachXBT is already on the scene with accusations that cut far deeper than the hack itself.
Contents
The Exploit Unfolds In Real Time
Lookonchain was one of first to flag the attack, reporting that wallets linked to or previously interacting with Humanity Protocol were being drained as an active exploit unfolded. Initial loss estimates came in around $19 million before climbing rapidly. Within hours, the figure had crossed $30 million and was still moving.
Humanity(@Humanityprot) has been exploited, with losses exceeding $30M!
The hacker is currently dumping $H and swapping it for $ETH.$H has already crashed ~90%.https://t.co/0Bhtu6TZDr pic.twitter.com/cNGO70PHDH
— Lookonchain (@lookonchain) June 9, 2026
The attacker’s method was aggressive and straightforward. They began dumping $H tokens immediately, rotating the proceeds into ETH to lock in value before the market could fully process what was happening.
By the time the full picture emerged, the hacker had already obtained 18,510 ETH worth approximately $30.83 million and an additional 1,548 BNB worth around $924,000 purely from selling $H into whatever liquidity remained.
$H responded the way any token does when a large seller with unlimited supply hits an illiquid market, it collapsed. The token crashed between 80% and 90% from its intraday highs in the space of a few hours, erasing months of price appreciation and the entire identity narrative that had been built around the project.
The Hacker Mints 200 Million Tokens On BSC
Then things got significantly worse. A follow-up alert from Lookonchain revealed that the Humanity hacker had minted 100 million $H tokens on Binance Smart Chain, and then minted another 100 million on top of that.
Note that the #Humanity hacker has minted another 100M $H on BSC.
By selling $H, the hacker has already obtained 18,510 $ETH($30.83M) and 1,548 $BNB($924K).
The hacker still holds 111.36M $H($14M) ready to be sold.
However, on-chain liquidity is nearly exhausted. 🚨 https://t.co/vSArj5j185 pic.twitter.com/aA56QhdNDr
— Lookonchain (@lookonchain) June 9, 2026
Two separate minting events, 200 million tokens created from nothing, each worth tens of millions of dollars at pre-crash prices and still carrying meaningful sell value even at the decimated post-crash price.
At the time of reporting, the attacker still holds 111.36 million $H valued at approximately $14 million, a loaded gun pointed at whatever on-chain liquidity remains. The problem is that liquidity is nearly exhausted. The market has already absorbed an enormous volume of forced selling, and the depth to absorb another $14 million exit simply may not be there. What happens when an attacker with $14 million in tokens cannot find buyers is a question the Humanity Protocol community is now staring down directly.
The minting events are the most alarming part of this story because they go beyond a standard private key compromise or bridge exploit. Someone was able to create new token supply at will, which raises fundamental questions about the protocol’s smart contract architecture and access control design that the team has not yet answered.
The Team Confirms a Private Key Compromise
We're aware of a security incident involving the compromise of private keys belonging to a member of the Humanity Foundation. The safety of our community is our top priority, and we want to be fully transparent about what we know.
As a precaution, please do NOT interact with the…— Humanity (@Humanityprot) June 9, 2026
Humanity Protocol’s official account posted a statement acknowledging the incident. The team confirmed they are aware of a security incident involving the compromise of private keys belonging to a member of the Humanity Foundation. They urged the community to stop interacting with the bridge or any liquidity pools immediately, stating it is the single most important step users can take to protect their funds right now.
The statement said the team is working with leading security experts and exchange partners to assess the scope of the incident and secure all affected systems. They apologised directly, “we’re deeply sorry that this has happened”, and committed to sharing only verified updates rather than speculating before facts are confirmed. Official updates, they stressed, will come only from the main account or co-founder Terence Kwok’s personal account.
The acknowledgment of a private key compromise is significant. It suggests this was not purely a smart contract vulnerability but rather a situation where someone with privileged access, either a team member or someone who gained access to their credentials, was able to execute the minting and draining operations. That distinction matters for how the community and exchanges respond going forward.
ZachXBT Fires At The Project’s Credibility
While the team was issuing damage control statements, ZachXBT arrived with a different kind of message. The on-chain investigator was not interested in sympathy for the project. His post was blunt: the team chose to pump their token for weeks with zero fundamentals and now expects Crypto Twitter to blindly trust their story. He demanded the team disclose their active market maker agreements with a Hong Kong entity before asking for community trust.
You choose to crime pump your token for weeks with zero fundamentals and think CT will blindly trust your story?
Disclose your active MM agreements with the HK entity first….
— ZachXBT (@zachxbt) June 9, 2026
The accusation is serious and lands hard in the context of what just happened. If the token was being artificially pumped through coordinated market making activity with no fundamental backing, then the exploit did not just destroy a legitimate project, it destroyed a project that was already operating in questionable territory. That changes the moral calculus of community sympathy significantly and explains why ZachXBT is not treating this purely as a victim story.
What the Humanity Protocol Collapse Means for Identity Tokens
The broader lesson here cuts across the entire identity narrative space in crypto. Humanity Protocol had all the surface ingredients that attract attention, biometric verification, a compelling vision for on-chain identity, partnerships, and a price chart that suggested momentum. None of that survived contact with a compromised private key and an attacker who knew exactly how to monetise unlimited minting access.
When a token loses trust in its supply integrity, the road back is significantly harder than recovering from a bear market or a bad news cycle. Markets can forgive price crashes.
They struggle to forgive the revelation that someone was able to create unlimited tokens at will and drain tens of millions of dollars out the door before anyone could stop them. Until Humanity Protocol publishes a full post-mortem, discloses the scope of the minting exploit, and addresses ZachXBT’s market maker allegations directly, the community has no reliable foundation on which to rebuild confidence, and the attacker still has $14 million in tokens ready to sell.
Disclosure: This is not trading or investment advice. Always do your research before buying any cryptocurrency or investing in any services.
Follow us on Twitter @nulltxnews to stay updated with the latest Crypto, NFT, AI, Cybersecurity, Distributed Computing, and Metaverse news!
