
Quantstamp Links Humanity Protocol’s $36M Hack to Suspected N. Korea Group


Humanity Protocol’s latest security incident appears to be tied to North Korea-linked cyber activity, according to an investigation by Quantstamp. The blockchain security firm says a phishing email carrying a malicious attachment compromised an employee device and enabled the theft of $36 million worth of Humanity (H) tokens.

The attack chain, as described by Quantstamp, started with a message that masqueraded as a “token lockup schedule” update purportedly sent by the South Korean exchange Bithumb. Once the attachment was opened, the malware granted full remote access to the compromised laptop and ultimately gave the attackers access to sensitive cryptocurrency wallet material belonging to a project executive.

Key takeaways

  • Quantstamp attributes the Humanity Protocol compromise to a phishing attachment that installed remote-access malware on a staff member’s laptop.
  • The incident led to the theft of $36 million in Humanity (H) tokens, tied to unauthorized access to MetaMask credentials and private keys.
  • Quantstamp says the malware was signed with a South Korean Hancom digital certificate, a pattern it associates with DPRK intrusion activity.
  • Recent reporting and research link North Korea-linked threat actors to a large share of crypto theft losses and incidents, emphasizing “precision and scale.”
  • The broader pattern reinforces that operational security—especially around email and endpoints—remains a primary weak point even for decentralized projects.

Phishing to wallet theft: how the compromise worked

Quantstamp reported that a compromised employee’s laptop was the entry point for the attackers. In its incident response, the firm said the phishing email delivered a malicious attachment that was disguised as a token-related schedule update.

Crucially, the malware did more than trigger basic compromise indicators. Quantstamp said it gave the attackers full remote access to the laptop and enabled them to copy Humanity Protocol director Chong Yee Wai’s MetaMask wallet credentials and private keys. That access, according to the firm’s account of events, was leveraged to steal $36 million in Humanity (H) tokens on Monday.

From an investor and user standpoint, the incident highlights a persistent reality in crypto security: even when projects operate on decentralized infrastructure, centralized operational practices—like handling attachments and securing staff devices—can still determine whether funds remain protected.


Why Quantstamp points to DPRK-linked activity

Quantstamp did not rely solely on the phishing technique itself. The firm also analyzed the malware’s signing and behavior, stating that the malicious software was signed with a South Korean Hancom digital certificate.

Quantstamp characterized this detail as “characteristic of DPRK intrusions,” suggesting the attackers used tooling and operational steps commonly observed in past North Korea-linked campaigns. The combination of targeted social engineering (fake Bithumb-related content), endpoint takeover (remote access), and credential harvesting (MetaMask credentials and private keys) forms a cohesive attack narrative consistent with the firm’s attribution.
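The chain described above (attachment opened from a mail client, a signed executable from a publisher the organisation does not expect, then access to wallet material) is exactly the kind of sequence endpoint telemetry can surface. The following is an added example of a small detection pass written for this article, not code from Quantstamp, Humanity Protocol or MetaMask. The event schema, the publisher allowlist, the process tree and every sample path are constructed; the only point taken from the page is that a validly signed binary is not the same as an expected one, so the rule keys on the publisher allowlist rather than on signature validity.

```python
"""Detection over constructed endpoint telemetry for a phish-to-wallet-theft chain.

Added example. Event format, allowlist, and sample events are constructed for
illustration; none of them come from the incident report discussed in the article.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Publishers whose signed code this (hypothetical) organisation expects to run.
# A valid signature from anyone else is treated as suspicious, not as trusted.
TRUSTED_PUBLISHERS = {"Microsoft Corporation", "Google LLC", "Example Corp IT"}
# Processes that typically hand attachments to the user (constructed list).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str             # process image name
    signer: Optional[str]  # code-signing publisher, None if unsigned
    cmdline: str


@dataclass
class FileEvent:
    pid: int
    path: str
    op: str                # "read" or "write"


@dataclass
class Finding:
    pid: int
    rule: str
    detail: str


def is_wallet_artifact(path: str) -> bool:
    """Generic tag for wallet material; a real deployment would use its own inventory."""
    p = path.lower()
    return "metamask" in p or p.endswith(".keystore") or "seed" in p


def descendants(root_pid: int, procs: List[ProcessEvent]) -> Set[int]:
    """All transitive children of root_pid in the observed process tree."""
    children: Dict[int, List[int]] = {}
    for p in procs:
        children.setdefault(p.ppid, []).append(p.pid)
    seen: Set[int] = set()
    stack = [root_pid]
    while stack:
        cur = stack.pop()
        for c in children.get(cur, []):
            if c not in seen:
                seen.add(c)
                stack.append(c)
    return seen


def analyze(procs: List[ProcessEvent], files: List[FileEvent]) -> List[Finding]:
    """Rule 1: a mail client spawned a binary whose publisher is not on the allowlist
    (unsigned, or signed by an unexpected publisher).
    Rule 2: that binary or any of its descendants touched wallet material."""
    by_pid = {p.pid: p for p in procs}
    findings: List[Finding] = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent is None or parent.image.lower() not in MAIL_CLIENTS:
            continue
        if p.signer in TRUSTED_PUBLISHERS:
            continue
        findings.append(Finding(
            p.pid, "unexpected-signer-from-mail-client",
            f"{p.image} launched by {parent.image}, signer={p.signer!r}"))
        tainted = {p.pid} | descendants(p.pid, procs)
        for f in files:
            if f.pid in tainted and is_wallet_artifact(f.path):
                findings.append(Finding(
                    f.pid, "wallet-material-access-after-phish", f"{f.op} {f.path}"))
    return findings


# Constructed sample telemetry: a benign Word attachment and a lure-named executable
# signed by a publisher that is valid but absent from the allowlist.
SAMPLE_PROCS = [
    ProcessEvent(100, 1, "outlook.exe", "Microsoft Corporation", "outlook.exe"),
    ProcessEvent(400, 100, "winword.exe", "Microsoft Corporation", "winword.exe /n report.docx"),
    ProcessEvent(200, 100, "lockup_schedule.exe", "Unlisted Publisher Ltd.",
                 r"C:\Users\u\Downloads\lockup_schedule.exe"),
    ProcessEvent(300, 200, "helper.exe", None, "helper.exe --sync"),
]
SAMPLE_FILES = [
    FileEvent(400, r"C:\Users\u\Documents\report.docx", "read"),
    FileEvent(300, r"C:\Users\u\wallets\metamask-backup.json", "read"),
    FileEvent(200, r"C:\Users\u\Documents\seed-phrase.txt", "read"),
]


def run_sample() -> List[Finding]:
    return analyze(SAMPLE_PROCS, SAMPLE_FILES)


if __name__ == "__main__":
    for fnd in run_sample():
        print(f"pid={fnd.pid} {fnd.rule}: {fnd.detail}")
```

The allowlist is the design choice worth noting: Rule 1 fires on the lure-named binary even though its signature is valid, while the Word process spawned by the same mail client is ignored because its publisher is expected. Rule 2 then follows the process tree, so the wallet read by the unsigned child is attributed back to the attachment that started the chain.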

For readers tracking attribution in cyber incidents, the key takeaway is that this is not a generic accusation: Quantstamp’s conclusion is based on specific technical artifacts found during its incident response.

North Korea-linked theft: large numbers across recent years

The alleged DPRK connection to Humanity Protocol comes amid a broader set of statistics from blockchain security research. In a May report, CertiK linked the same category of actors to about $2 billion of the $3.4 billion lost to crypto exploits in 2025, and said they accounted for 12% of total incidents. CertiK described these losses as reflecting a focus on “precision and scale.”


Looking further back, the report cited an estimate that North Korea-linked actors stole about $6.75 billion in cryptocurrency across 263 documented incidents over the past decade. While such totals naturally depend on methodology and classification criteria, the report’s underlying message is consistent: DPRK-associated operations have repeatedly translated cyber capabilities into high-value thefts.

CertiK further argued that North Korea has “industrialized” crypto theft into a core state revenue mechanism, framing these activities as a meaningful share of the regime’s external income. That characterization matters because it suggests sustained institutional investment rather than isolated criminal hacking.

Denials and the persistence of cyber allegations

North Korea typically does not respond in a sustained way to cybercrime allegations. However, the reporting also referenced a denial carried by Korean Central News Agency coverage on May 3, in which a North Korean Foreign Ministry spokesperson rejected claims about crypto hacks.

In that statement, the spokesperson accused the United States of circulating “incorrect” narratives about a “non-existent ‘cyber threat’” from North Korea. The denial underscores a recurring tension in attribution: while investigators and researchers present technical evidence and pattern-based assessments, state actors continue to reject the framing publicly.


For users and teams building in crypto, the practical implication is to treat attributions as indicators of threat models rather than as proof of political intent. Regardless of who denies what, the operational lesson remains the same—phishing and endpoint compromise can rapidly convert into on-chain losses when wallet access is taken.

Next, readers should watch for updates from Humanity Protocol and Quantstamp on remediation steps and security controls—particularly any changes to how wallets are secured, how staff devices are hardened against social engineering, and what indicators will be shared publicly to prevent similar follow-on attacks.
