A single phishing email pretending to be from South Korean exchange Bithumb cost Humanity Protocol $36 million. Blockchain security firm Quantstamp traced the malware used in the attack to North Korean threat actors, adding yet another entry to Pyongyang’s growing resume of crypto heists in 2026.

The breach drained approximately 141 million H tokens from an Ethereum bridge contract, with attackers also minting additional tokens on the BNB Smart Chain. The result was a near-total collapse of confidence in the token, which cratered by 80-90% within hours as stolen assets were dumped across decentralized exchanges.

How a fake email became a $36M problem

The attack started on June 5, three days before the exploit itself was executed on June 8. The entry point was a phishing email designed to look like it came from Bithumb, one of South Korea’s largest crypto exchanges.

That email carried malware. When a Humanity Protocol director opened it, the malicious software compromised their device and gave attackers access to seven private keys stored on a developer’s machine.

With those keys in hand, the attackers moved quickly. They siphoned 141 million H tokens from the project’s Ethereum bridge contract, a component that allows tokens to move between different blockchains. The hackers also minted additional tokens on the BNB Smart Chain. The stolen and minted tokens were then rapidly sold on Uniswap and PancakeSwap, two of the largest decentralized exchanges. Some reports indicate intraday declines approached 90%.

While the Ethereum side of the exploit has since been mitigated or frozen, the BNB Smart Chain deployment remains what Quantstamp described as irreparably compromised.

North Korea’s crypto playbook keeps working

Quantstamp’s forensic analysis identified malware tools consistent with those used by DPRK-affiliated hacking groups. North Korean operatives have repeatedly used social engineering, specifically targeted phishing emails, to compromise individual employees at crypto projects.

This incident fits into a broader trend for 2026. North Korean hacking groups have been responsible for a significant share of crypto asset thefts this year. The Bybit hack earlier in the year, attributed to the Lazarus Group, demonstrated that even major centralized exchanges with professional security teams are not immune. Humanity Protocol, a smaller project focused on biometric decentralized identity solutions, was an even softer target.

The core vulnerability here wasn’t a smart contract bug or a DeFi protocol flaw. It was a human being opening an email. The attack exploited the gap between technical security and operational security, meaning no amount of code auditing would have prevented this breach.

What this means for investors and the broader market

The fact that private keys for a bridge contract were stored on a developer’s machine, accessible through a single compromised device, raises serious questions about key management practices. Industry best practices call for multi-signature wallets, hardware security modules, and air-gapped signing processes for high-value operations. Seven private keys on one machine connected to an email client is not that.