Humanity Protocol, a decentralized identity network based on biometric palm verification, suffered an exploit that resulted in losses exceeding USD 31 million.
According to on-chain analyst Specter, more than 17 wallets that had interacted with the protocol were emptied in a matter of hours. Initial estimates placed the damage at USD 5 million, a figure that escalated rapidly as the attack progressed.
Humanity Protocol founder Terence Kwok confirmed the cause in a social media post: the compromise of private keys belonging to a member of the Humanity Foundation.
Kwok said the team is working with security experts and exchange partners to contain the incident, and warned users not to interact with the protocol bridge or any liquidity pool until they receive confirmation that it is safe to do so.
According to on-chain data compiled by Lookonchain, the attacker obtained approximately 18,510 ETH (equivalent to about USD 30.83 million) and an additional 1,548 BNB through the mass sale of the stolen H tokens. The token price fell from around $0.67 to a low of $0.05, a contraction of around 89% in a few hours, before partially recovering ground.


The attack vector was not limited to the draining of wallets. According to Humanity Protocol reports, the attacker took advantage of proxy administrator rights obtained on BNB Chain to mint an additional 100 million H tokens, which he then sold for BNB, increasing selling pressure on a market with already depleted liquidity.
The community demands answers and opens the debate
The handling of the incident generated controversy in the community. Blockchain researcher ZachXBT publicly questioned whether the team had to reveal additional information before the community accepted the official explanation. He referred to market-making agreements with an entity in Hong Kong.
According to Coinmania, ZachXBT later qualified his claims after additional analysis suggested that the key compromise and the security issues around market-making would be separate incidents.
Humanity Protocol is a layer 2 protocol, built on zkEVM technology and Polygon’s chain development kit. It competes directly with Worldcoin in the decentralized digital identity segment. Its palm-scanning verification system had been described as an alternative offering greater privacy compared to iris-based models.
The incident is part of a trend documented during 2026: losses from DeFi attacks reportedly exceeded $1 billion in the first four months of the year, with the theft of private keys as the dominant vector, above vulnerabilities in smart contracts. Cases like Drift Protocol (USD 285 million in April after the capture of an administrative key) illustrate the pattern now affecting Humanity Protocol.
Kwok did not announce a compensation plan for affected users, nor did he specify which member of the foundation had custody of the compromised keys. At this time, the investigation is still ongoing. ZachXBT and other on-chain researchers continue to track the funds. The community demands answers before the protocol reactivates its operations.
This incident once again highlights one of the most serious risks in young projects: poor management of private keys by team members. The lesson for other biometric identity projects is clear: they must implement multisig schemes and greater security measures from early stages, rather than relying on individual keys.
