A project that proves you're human failed to prove its own private key is secure
Written by: ChandlerZ, Foresight News
On June 9th, according to on-chain analyst Specter's monitoring, wallets that have interacted with the digital identity project Humanity are under sustained attack. So far, hundreds of addresses holding H tokens have been compromised, with total losses exceeding $31 million. Approximately $9 million of this has been converted to ETH, while another $9.9 million remains in H tokens.
Terence Kwok, founder of Humanity, later confirmed the security incident, which involves the private key leak of a foundation member. As a precautionary measure, he advised users to temporarily avoid interacting with Humanity's cross-chain bridge or any liquidity pools until further security confirmation. The team is working with security experts and exchange partners to handle the situation and will continue to update the community on progress.
The price of H token plummeted from around 0.7 USDT to a low of 0.052 USDT, a 24-hour drop of over 90%! As of press time, H is trading at 0.1368301 USDT, with its market cap falling from $2 billion to around $35.7 million.
As of 11:00 on June 9th, the attacker is suspected of newly minting 100 million Humanity Protocol tokens (H) and is selling them to convert into BNB.
A Project That Failed to Truly "Prove Humanity"
Founded in 2024, Humanity Protocol positions itself as a decentralized digital identity network, with its core selling point being the use of palm print biometrics and zero-knowledge proofs to verify whether users are real people. Built on Polygon CDK (zkEVM), the project claims to solve problems like Sybil attacks, fake accounts, and AI-generated identities without exposing personal information.
This narrative attracted significant capital attention in 2024. Humanity Protocol completed two rounds of funding totaling $50 million. The seed round raised $30 million at a $1 billion valuation, with investors including Kingsway Capital, Animoca Brands, Blockchain.com, and Shima Capital. A round in January 2025 was led by Pantera Capital and Jump Crypto, raising $20 million and pushing the valuation to $1.1 billion.
The Humanity Foundation also brings together many well-known figures, led by Yat Siu, Chairman of Animoca Brands. Co-founders include Mario Nawfal, founder of an international blockchain consulting firm, and Yeewai Chong, a senior investment expert from Morgan Stanley and Ortus Capital.
On June 25, 2025, the H token launched via the Fairdrop mechanism, claiming to be the first token distribution in Web3 history exclusively for verified real people. However, two days after launch, DL News reported a leaked conversation between founders. In the conversation, Kwok admitted that out of the 9 million Human IDs created on the network, only about 1 million had completed biometric verification, meaning up to 88% of users may be bots.
Additionally, according to exposés from X platform users SCoin (@LianFang_) and AB Kuai.Dong (@_FORAB), Humanity Protocol (H) may be a "domestic project disguised as a foreign entity". Images from Shenzhen access control vendor Zhangteng Information were still present in the app's code asset library, casting doubt on its authenticity. Netizens claim that much of its social media traction was self-orchestrated using the project's sock puppet accounts, and actual user engagement is questionable.
AB Kuai.Dong stated that those who previously authenticated with Humanity need to be careful. Zhangteng Information is backed by a Shanghai outsourcing company specializing in full-set identity recognition outsourcing. Additionally, whistleblower SCoin claims the project collected a large amount of user palm print information, raising privacy and security concerns.
This was fatal for a project whose core value proposition is "proving humanity". The H token dropped over 61% within two days of launch, falling from around $0.05 to a low of $0.018.
The Founder's Previous Unicorn Burned Through $170 Million
Terence Kwok's personal track record also raises risk flags for this project. In 2012, the 20-year-old Terence Kwok dropped out of the University of Chicago. After receiving a $900 roaming bill during a trip, he founded Tink Labs, which provided free smartphones (brand name Handy) in hotel rooms for guests to use abroad instead of paying high roaming fees. This concept once impressed the capital market: Tink Labs raised $170 million from Foxconn, SoftBank, Sinovation Ventures, and the founder of Meitu, with a valuation reaching $1.5 billion, making it Hong Kong's first unicorn. At its peak, Handy devices covered 82 countries and 600,000 hotel rooms worldwide.
However, Kwok's aggressive expansion strategy soon encountered real-world resistance. Global roaming fees continued to drop, and hotels were unwilling to pay for Handy devices, leading the company to start losing money in 2017. According to the Financial Times, SoftBank cut funding for key projects after discovering that Tink Labs may have diverted funds from its Japanese joint venture to other loss-making markets. In July 2019, over 100 employees in the Europe, Middle East, and Africa offices did not receive their salaries. Laid-off employees smeared cake on the walls and floors when leaving the Oxford office. On August 1, Tink Labs officially closed, and it entered bankruptcy liquidation in January 2020. A former HR director told FT that Kwok only cared about "making money", and the $170 million investment evaporated entirely.
Six years later, Kwok returned to the market with Humanity Protocol, once again securing a unicorn valuation from Pantera Capital and Jump Crypto.
Private Key Management: An Old Problem, New Cost
Based on current information, this attack does not involve smart contract vulnerabilities or protocol-level security flaws. The attacker obtained a foundation member's private key, which is a classic case of security management failure.
The security situation in the crypto industry was already severe in 2026. According to CCN statistics, DeFi hacks caused losses exceeding $1 billion in the first four months of 2026, and most of the stolen funds remain unrecovered. On April 1, Drift Protocol suffered a $286 million attack, the largest single incident this year. Attackers are increasingly targeting validators, RPC nodes, and governance systems, not just smart contract vulnerabilities. However, private key leaks remain one of the most costly attack types, as they bypass all on-chain security mechanisms and directly gain control of assets.
For a project that has faced controversy over 88% bot users and whose token has dropped more than 90% from its peak, a $31 million private key leak may be the final blow to trust. As of press time, Kwok said in a statement that the team is working with security experts and exchange partners to handle the situation, but he did not mention any user compensation plan, nor did he explain why the foundation member's private key was not protected by basic measures such as multi-signature or hardware isolation.
