BREAKING
Jun 13Japan Has $7.4 Trillion Sitting in Near-Zero Savings Accounts. Metaplanet Just Bought a License to Redirect It Into Bitcoin.Jun 12You Can't Use Your Bored Ape as Collateral Anymore: NFTfi Shuts Down After $737M in LoansJun 12SpaceX Just Pulled the Largest IPO in History — and Had 18,712 Bitcoin Nobody Knew AboutJun 11The EU Just Built a Crypto Kill Switch — Russia Fired Back the Same DayJun 11Japan Kills Its 55% Crypto Tax: Parliament Passes Bill That Could Awaken the Sleeping GiantJun 10Someone Just Bet $290M on Ethereum Hours Before a Secret White House Crypto MeetingJun 10Trump Made $2.3B From Crypto. His Investors Lost $2.3B. Reuters Did the Math.Jun 9ZachXBT Says the $32M Humanity Protocol 'Hack' Was Possibly Staged — Token Down 90%Jun 9Paradigm, a16z, and Ribbit Just Co-Signed DeFi's Biggest Raise Ever — While Everyone Else Is SellingJun 8Trump's Stablecoin Has a Secret Freeze Button. Justin Sun Just Found Out the Hard Way.Jun 13Japan Has $7.4 Trillion Sitting in Near-Zero Savings Accounts. Metaplanet Just Bought a License to Redirect It Into Bitcoin.Jun 12You Can't Use Your Bored Ape as Collateral Anymore: NFTfi Shuts Down After $737M in LoansJun 12SpaceX Just Pulled the Largest IPO in History — and Had 18,712 Bitcoin Nobody Knew AboutJun 11The EU Just Built a Crypto Kill Switch — Russia Fired Back the Same DayJun 11Japan Kills Its 55% Crypto Tax: Parliament Passes Bill That Could Awaken the Sleeping GiantJun 10Someone Just Bet $290M on Ethereum Hours Before a Secret White House Crypto MeetingJun 10Trump Made $2.3B From Crypto. His Investors Lost $2.3B. Reuters Did the Math.Jun 9ZachXBT Says the $32M Humanity Protocol 'Hack' Was Possibly Staged — Token Down 90%Jun 9Paradigm, a16z, and Ribbit Just Co-Signed DeFi's Biggest Raise Ever — While Everyone Else Is SellingJun 8Trump's Stablecoin Has a Secret Freeze Button. Justin Sun Just Found Out the Hard Way.
BTC -- --%
ETH -- --%
Fear & Greed F&G 13 Extreme Fear
ESC
Type to search articles
ZachXBT Says the $32M Humanity Protocol 'Hack' Was Possibly Staged — Token Down 90%
BREAKING

ZachXBT Says the $32M Humanity Protocol 'Hack' Was Possibly Staged — Token Down 90%

June 9, 2026 · 3 min read · 706 words

A biometric identity project positioning itself as the next Worldcoin just lost $32 million — and the most-feared on-chain investigator in crypto thinks the team did it to themselves.

What Happened

In the early hours of June 9, 2026, wallets linked to Humanity Protocol were drained of more than $32 million. The attacker didn’t find a smart contract vulnerability — they held private keys belonging to a Humanity Foundation member and used them to bleed the project dry across two chains.

The damage unfolded in two stages:

  1. 17+ wallets drained — At least $23.7 million was swapped directly to Ethereum. Another ~$7.9 million sat in $H tokens.
  2. Mint attack on BNB Chain — The attacker seized proxy admin control of the H token contract and minted an additional 100 million H tokens (~$12.9M at time of mint), sending them to a fresh wallet.

$H collapsed from ~$0.72 to briefly touching $0.05 — a 90%+ intraday wipeout. The token’s market cap shed over $280 million in hours.

Founder Terence Kwok confirmed the breach: private keys belonging to a Humanity Foundation member were compromised. The core protocol and smart contracts were not exploited.

ZachXBT Says: “Possibly Staged”

On-chain investigator ZachXBT dropped the bombshell the community was already thinking. He called the incident “possibly staged” and accused the team of running a “crime pump” before the drain — inflating the token before the coordinated exit.

Independent analyst Elton backed up the thesis with raw chain data:

  • Attacker wallets were pre-funded weeks before the incident — not the behavior of an opportunistic hacker
  • The minting authority had been quietly “warmed up” over time
  • Coordinated dumps occurred across Ethereum and BNB Chain simultaneously

ZachXBT has a near-perfect track record on exit scam calls. His conclusion: this fits the profile of either a pre-planned insider operation, or an external attacker who had quietly held a compromised key for weeks and was watching for the right moment.

What Is Humanity Protocol?

Humanity Protocol was one of the more high-profile Web3 identity plays of the last 18 months. It uses palm-scan biometrics + zero-knowledge cryptography to let users prove they’re human without surrendering personal data — a direct rival to Sam Altman’s Worldcoin (now World).

The project raised significant backing and built a community around the idea that biometric identity could be decentralized and private. If the hack is staged, that pitch has a dark punchline: the insiders who built a privacy-first protocol used it to quietly drain their own community.

The Attack Vector: Private Keys, Not Code

This incident follows a brutal pattern that’s dominated 2026 — attackers going after keys, not contracts. Off-chain attacks (social engineering, key compromise, insider theft) now account for the majority of all crypto theft by dollar value.

Private key exploits are a different class of problem from smart contract bugs:

  • There’s no patch. If the key is gone, the money is gone.
  • Decentralized protocols are only as secure as the humans who hold admin privileges.
  • “Not a smart contract exploit” is cold comfort when $32M walks out the door.

The team urged users to halt all interactions with Humanity’s bridge and liquidity pools. Mitigation efforts were ongoing as of writing.

Why This Matters for Crypto Jobs

Every exploit of this scale reshapes the hiring market:

  • Key management and custody engineering is now a premium skill set. Projects that haven’t invested in HSMs, multi-sig, and key ceremony protocols are scrambling.
  • Security auditors who specialize in operational security (opsec) — not just Solidity review — are commanding top rates.
  • On-chain investigators and compliance analysts are in demand as projects try to catch insider threats before they execute.
  • If the staged-hack theory holds, team vetting and background check processes will become a formal hiring requirement at funded protocols.
  • Projects building biometric or identity infrastructure face a particular trust cliff — security engineers with experience in privacy-preserving systems (ZK, MPC, HSM) are extremely scarce.

The irony of a decentralized identity protocol being potentially undone by its own team’s keys won’t be lost on anyone hiring in this space.

Looking to work in crypto security or protocol infrastructure? Thousands of web3 jobs — including security, smart contract, and protocol engineering roles — are listed at Cryptogrind. Find teams building the right way.

How did this hit?
breaking-newshacks-exploitsdefisecurityzachxbt

More stories

Polymarket Left a 6-Year-Old Key Unlocked. Someone Just Took $700K.

Polymarket Left a 6-Year-Old Key Unlocked. Someone Just Took $700K.

May 22
An AI Just Proved You Could Print Infinite Zcash — And Nobody Knows If Someone Already Did

An AI Just Proved You Could Print Infinite Zcash — And Nobody Knows If Someone Already Did

Jun 5
Someone Stole the Keys to a $5.4M Bridge — And Laundered It Through Binance Before Anyone Noticed

Someone Stole the Keys to a $5.4M Bridge — And Laundered It Through Binance Before Anyone Noticed

May 30

Discussion

Comments are powered by GitHub. Sign in with your GitHub account to chime in.

Related jobs on Cryptogrind

View all
🏦 DeFi Engineer 🔒 Security Engineer

Looking for your next crypto role?

Browse hundreds of Web3 and crypto positions on Cryptogrind — from smart contract engineers to DeFi analysts.

Browse jobs