Date of Incident: 2026-06-09
On 2026-06-08 to 2026-06-09, the Humanity’s H token was attacked across two chains via three coordinated attacks:
Attack 1 — EOA Key Theft (ETH): An admin hot wallet 0x0fd9c51999ae46a0e1b21a235e0a529bbcc4612a had its private key compromised. The direct theft was 6,045,060 H sent to attacker wallet 0x9e995952eF7665B243eeEF0693acD7FEd7150504: [tx].
Attack 2 — ETH Bridge Drain: Three of six Safe owner keys controlling the Bridge ProxyAdmin were compromised. The attacker used these to transfer ProxyAdmin ownership to their wallet, then upgraded the bridge contract to a malicious implementation and swept 141,182,632 H in a single transaction .
Attack 3 — BSC Mint: Three of five BSC Safe owner keys (different keys from the ETH set) were also compromised. Same ProxyAdmin seizure playbook. Three mint() calls executed: 300,000,000 H total minted to the attacker (3 × 100M at 02:09, 03:51, and 08:58 UTC Jun 9). BSC H supply inflated from 141M to 441M (+212%). Attacker retains ProxyAdmin on BSC and continued to mint additional tokens.
Total unique impact (no double-counting): ~6M H (EOA direct theft) + ~141M H (ETH bridge drain, includes 15M H pre-load) + 300M H (BSC mints) = ~447M H stolen/minted across both chains. Attacker retains ProxyAdmin on both the ERC-BSC bridge and the BSC token — further BSC mints remain possible at any time.
| Role | Address | Status |
|---|---|---|
| H Token (ETH) | 0xcf5104D094e3864CfCBDa43B82e1cEFD26A016eB |
✅ Safe — upgradeable proxy, owner renounced, clean 4-of-7 Safe controls ProxyAdmin |
| Bridge (ETH) | 0x44F161aE29361E332dEA039DFA2F404E0bC5B5Cc |
🔴 COMPROMISED — malicious implementation active; attacker owns ProxyAdmin |
| Bridge ProxyAdmin | 0xd73Cd1117646625FFE23a55860035aC62fa8720D |
🔴 ATTACKER-OWNED — owner() = 0xD1ea823D421E0c829ee11F772AF487fd352678EA |
| ETH Safe (3-of-6) | 0x576412843C35af26a16Cff903363F6dc429f8A2a |
🔴 PARTIALLY COMPROMISED — 3 of 6 owner keys stolen |
(Already drained the ETH lockbox that this Safe controls.) |
| Admin Hot Wallet | 0x0fd9c51999ae46a0e1b21a235e0a529bbcc4612a | 🔴 DRAINED — EIP-7702 smart account; private key stolen |
| Canonical Arbitrum Bridge | 0x8620F893F6321C31909e4a58bcEb6948A289e0fD | ✅ UNAFFECTED — holds ~87M H |
| Role | Address | Status |
|---|---|---|
| BSC H Token (HypERC20) | 0x44F161aE29361E332dEA039DFA2F404E0bC5B5Cc |
🔴 UNRECOVERABLE — same address on BSC; malicious implementation; attacker owns ProxyAdmin |
| BSC ProxyAdmin | 0xd73Cd1117646625FFE23a55860035aC62fa8720D |
🔴 ATTACKER-OWNED — owner() = 0x6Aa22CB8420E94Fc2119364b4c7885710aE753bB |
| BSC Safe | 0x2F41C9Bc3Ffb0D60358533e7d3D8B39B37C4D2D9 |
🔴 PARTIALLY COMPROMISED — 3 of 5 owner keys stolen; ProxyAdmin already transferred |
| BSC H Implementation | 0xd18cdc9f07733ca207e9977879c51e22e9b57fcb |
🔴 MALICIOUS — deployed by attacker |
| Role | Address | Notes |
|---|---|---|
| ETH Attacker Wallet | 0xD1ea823D421E0c829ee11F772AF487fd352678EA |
Received ~141M H from bridge drain; currently holds ~0.2 ETH, 0 H (dispersed) |
| BSC Attacker Wallet | 0x6Aa22CB8420E94Fc2119364b4c7885710aE753bB |
Minted 300M H (3 × 100M); BSC contract remains in attacker control — minting ongoing |
| H Aggregation Wallet | 0x9e995952... |
Received ~101.7M H from ETH attacker + 22.64M H from other drained sources |
| Bridge Deployer | 0xbb0034e7d417479813026fb6a73890214a31b0da |
Deployed both bridges Jun 20, 2025 |
Threshold: 3-of-6
| Status | Address | Added |
|---|---|---|
| 🔴 COMPROMISED | 0xA44EbEbb23AB0E6421f1D3Db7BA10F85A705e732 |
Original |
| 🔴 COMPROMISED | 0x7ed451069fd7cCc22210AcA96c8c67a3D659a40b |
Original |
| 🔴 COMPROMISED | 0xD4ea14E59C0a676604a9E0b3262368cE975f0f0c |
Original |
| ✅ Clean | 0x5C2a1Fd7E31c608e4945A90f21D029Ff7F88cA76 |
Jul 4, 2025 |
| ✅ Clean | 0x5Fe5C0343053e105738de577Ef45B34Dfc4bfebC |
Jul 4, 2025 |
| ✅ Clean | 0x0b00e6adE429CC451fB7Ba58Be7B91fa59bB23a5 |
Jul 4, 2025 |