Blockchain Insights

How a Single Infected Laptop Triggered a $36 Million Crypto Heist — An On-Chain Forensic Analysis of the Humanity Protocol Hack

REPORT

June 18, 2026

TL;DR: On June 8–9, 2026, an attacker exploited a catastrophically mismanaged multisig setup on Humanity Protocol — all keys on one laptop — to drain $36M+ across Ethereum and BNB Chain. This report traces the money. It went to KyberSwap, 0x Protocol, a BNB intermediary hub, NomiswapPair DEX, and ultimately to Binance. 711 ETH remains dormant at an unattributed address. The attacker's structuring pattern — identical 2,992,500 H token batches sold dozens of times — is textbook layering.

1. Background: What Is Humanity Protocol?

Humanity Protocol was a decentralized identity project that used palm-scan biometrics and zero-knowledge cryptography to let users prove their humanity without revealing personal data — positioning itself as a direct rival to Sam Altman's Worldcoin. The project raised $50 million from 27 investors including Jump Crypto, Pantera Capital, Hex Trust, Animoca Brands, and Kingsway Capital, reaching a peak valuation of $1.1 billion.

The native token, H, had been trading near all-time highs of ~$0.80 in the week preceding the attack. A major token unlock of 2.86% of total supply (over 15% of free float) was scheduled for June 25 — just 16 days away.

That context matters.

2. The Attack: One Laptop to Rule Them All

On the night of June 8, 2026, a malware infection on a single developer's machine exposed seven private keys simultaneously.

These included:

  • 3 of 6 Ethereum multisig keys (sufficient for threshold)
  • 3 of 5 BNB Chain multisig keys (sufficient for threshold)
  • The private key for one of the protocol's hot wallets

The attacker seized proxy admin control over the ERC-BNB bridge, enabling unauthorized minting of H tokens directly. Within hours, Humanity Protocol's founder Terence Kwok confirmed on-chain that attackers had compromised the keys of a foundation member.

3. The Attacker's Wallet

Primary attacker address: 0x6aa22cb8420e94fc2119364b4c7885710ae753bb

Current balance at time of investigation: $0.54 (BNB dust only). The community has already tagged this address with commemorative tokens: H-HACKER, FUCKH (Fuck Humanity), and Humanity Hacker — an ironic but forensically useful confirmation that this is the correct address.

The address is not registered in any threat intelligence database as of the time of analysis, suggesting a freshly created operational wallet — a common DPRK Lazarus Group pattern (more on this later).

4. Fund Flow Analysis: Following the Money

This is where it gets interesting. The attack was not just a theft — it was a pre-planned, structured liquidation operation executed with disciplined speed.

4.1 Ethereum Path: The Silent Hoard

The attacker moved stolen H → ETH on Ethereum and immediately forwarded the ETH to a single receiving address:

TX 1: 0x2ec21c7f25e54f39e9e12c2e5144d0b28fc0b704a8048b91f37be90e63805a9c
Sender:   0x6aa22cb8420e94fc2119364b4c7885710ae753bb (Attacker)
Receiver: 0x59eff548cd9bcfbc169b6340f734e442c764a814
Amount:   688.81 ETH
Date:     2026-06-09

TX 2: 0xc7356ba6cfbd44cba4670015efa7edb251aea1018375403544aafd6bd9ead8ff
Sender:   0x6aa22cb8420e94fc2119364b4c7885710ae753bb (Attacker)
Receiver: 0x59eff548cd9bcfbc169b6340f734e442c764a814
Amount:   22.61 ETH
Date:     2026-06-10

Total Ethereum outflow: 711.42 ETH (approximately $2.37M at time of transfer)

The receiving address 0x59eff548cd9bcfbc169b6340f734e442c764a814 shows no subsequent outbound Ethereum activity in the 30-day trace window. This is a dormant holding address — the funds are parked, waiting. Law enforcement should flag this address for real-time monitoring; any movement should trigger immediate exchange notification.

4.2 BNB Chain Path: The Structured Liquidation Machine

The BNB Chain operation was far more sophisticated. The attacker ran what forensic analysts call a peel chain / structuring fan-out — selling stolen H tokens in precisely identical batches, routing through multiple DEX aggregators to obscure the origin.

Step 1 — Mass H token dumps via DEX aggregators:

The attacker submitted hundreds of transactions routing H tokens through:

  • KyberSwap Meta Aggregation Router v2 (0x6131b5fae19ea4f9d964eac0408e4408b66337b5)
  • 0x Protocol Allowance Holder (0x0000000000001ff3684f28c67538d4d072c22734)
  • PancakeSwap Router v2 (0x10ed43c718714eb63d5aa57b78b54704e256024e)

The structuring pattern is unmistakable:

The ratio of 99.75% / 0.25% is consistent across every batch — a programmatic split strongly suggesting automated bot execution, not manual trading.
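The two signals described above (a batch size that recurs dozens of times, and every batch splitting in the same fixed ratio) are cheap to test for programmatically once the token transfers of one address are exported. The script below is an added example written for this report, not the SentinelTX tooling the analysis was produced with. The attacker and router addresses are the ones listed above; the transaction hashes, the recipient of the 0.25% leg and the two "noise" sales are constructed, and it assumes the split means each batch leaves the wallet as two legs of one transaction (2,992,500 H plus 7,500 H, which is 99.75% / 0.25% of 3,000,000 H).

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Addresses below are the ones the report lists; the split recipient is a constructed placeholder.
ATTACKER = "0x6aa22cb8420e94fc2119364b4c7885710ae753bb"
KYBER_ROUTER = "0x6131b5fae19ea4f9d964eac0408e4408b66337b5"
ZEROX_HOLDER = "0x0000000000001ff3684f28c67538d4d072c22734"
SPLIT_RECIPIENT = "0xPLACEHOLDER_second_leg_recipient"  # assumption: where the 0.25% leg goes


@dataclass(frozen=True)
class Transfer:
    tx_hash: str
    sender: str
    receiver: str
    token: str
    amount: int  # whole token units, already scaled by decimals


def build_sample_transfers(n_batches: int = 12) -> list[Transfer]:
    """Constructed sample. Each 3,000,000 H batch leaves the attacker as two legs of the same
    transaction: 2,992,500 (99.75%) to an aggregator and 7,500 (0.25%) to a second recipient.
    The batch size and ratio match the report; the hashes and second recipient do not come from it."""
    transfers = []
    for i in range(n_batches):
        tx = f"0xconstructed{i:04x}"
        router = KYBER_ROUTER if i % 2 == 0 else ZEROX_HOLDER
        transfers.append(Transfer(tx, ATTACKER, router, "H", 2_992_500))
        transfers.append(Transfer(tx, ATTACKER, SPLIT_RECIPIENT, "H", 7_500))
    # Two organic-looking sales with unrelated sizes, so the detector has something not to flag.
    transfers.append(Transfer("0xconstructednoise1", ATTACKER, KYBER_ROUTER, "H", 41_377))
    transfers.append(Transfer("0xconstructednoise2", ATTACKER, ZEROX_HOLDER, "H", 120_000))
    return transfers


def repeated_batches(transfers, sender, min_repeats=5):
    """Outbound amounts from `sender` that recur at least `min_repeats` times: {amount: count}."""
    counts = Counter(t.amount for t in transfers if t.sender == sender)
    return {amount: n for amount, n in counts.items() if n >= min_repeats}


def split_ratios(transfers, sender):
    """For every tx with two or more outbound legs from `sender`, the largest leg's share of the
    tx total as a percentage rounded to two decimals: {tx_hash: share_pct}."""
    legs_by_tx = defaultdict(list)
    for t in transfers:
        if t.sender == sender:
            legs_by_tx[t.tx_hash].append(t.amount)
    return {tx: round(100 * max(legs) / sum(legs), 2)
            for tx, legs in legs_by_tx.items() if len(legs) >= 2}


def structuring_verdict(transfers, sender, min_repeats=5):
    """Flag when (a) one outbound size recurs min_repeats+ times and (b) every multi-leg tx splits
    in a single fixed ratio. Either alone is weak evidence; together they indicate scripted selling."""
    batches = repeated_batches(transfers, sender, min_repeats)
    ratios = split_ratios(transfers, sender)
    distinct = set(ratios.values())
    uniform = len(distinct) == 1 and len(ratios) >= min_repeats
    return {
        "repeated_amounts": batches,
        "split_pct": next(iter(distinct)) if uniform else None,
        "flag": bool(batches) and uniform,
    }


if __name__ == "__main__":
    print(structuring_verdict(build_sample_transfers(), ATTACKER))
```

Run against a real export, the same two functions are what an investigator would point at the full transfer list of the attacker address; the thresholds (five repeats, one ratio) are deliberately conservative so that a handful of coincidentally equal sales does not trip the flag.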

Step 2 — BNB consolidation through an intermediary hub:

Converted BNB was funneled through 0xad7baae94959317929723a277694f3ecbd7358e1:

TX: 0xd7afb62182857ab63ec28caabcf000f2e4a5fdbb0ccf815efb017cb30e5b5528
Amount: 1,101 BNB → intermediary hub (2026-06-09)

TX: 0x740625ad7393851b3b1a92d064ca08fdc14c45a14de2a05826b57a79106a4a29
Amount: 366.61 BNB → intermediary hub (2026-06-09)

TX: 0xa3d2ad2d8019c2b7b609fb5b1849d2cdfaeb9beebe05dd1f7f6535e642735f1c
Return: 1,467.66 BNB sent back to the attacker for redistribution

Step 3 — DEX-based layering via NomiswapPair:

Significant BNB was routed through 0xe82e2d3b9db59f7c7b438239d92e2190a64e26ce (NomiswapPair), which received 200 BNB in 8+ identical transactions on June 9 alone:

TX: 0xe821458e8d908a60c680ef0c1ff1b0e1395f9cd04b7936e416a21bd874ebc904 — 200 BNB
TX: 0x2381acb7501c7a63504655c74472a29514b65b8f3f77e29b4de36f1bdd264774 — 200 BNB
TX: 0x68d2d45cce2f520c9e6bd6208079b7393e641faa39e4df700b74c82e3feb987b — 200 BNB
TX: 0x1d4ffd1187b20e8ee370e3a5c9450b1b3b760361405131af75b259359de2c6fd — 200 BNB
TX: 0x4dbc7aafc0cac2dc9d14a7aaed09e9c5d1b01bdce39fa56c8ef7ba25f08fa3e9 — 200 BNB
TX: 0x1b932f80c4a52ea78abfd8c37fd4ec09b4dde06e0aec55e3b7a34ab08c4590c — 200 BNB

NomiswapPair served as a high-velocity mixer proxy — the attacker exploited the DEX's normal user traffic to blend stolen funds with legitimate transactions.

Step 4 — Final cash-out via Binance:

The trail terminates at Binance. On-chain data confirms a value-bearing transfer to:

Binance Deposit Address: 0xb300000b72deaeb607a12d5f54773d1c19c7028d
TX: 0x0068ddd18d... (BNB Chain)
Assets deposited: USDC + USDT (post-swap)

This is the critical KYC link. Binance's deposit address system assigns individual addresses to verified users. The entity that controls this deposit address has a verified Binance account — KYC documents exist and are obtainable via legal process.

Step 5 — Cross-chain bridge attempt:

The attacker also used the Din CrossChain Forwarder (0x663dc15d3c1ac63ff12e45ab68fea3f0a883c251) to move assets to an additional chain. The destination chain and receiving address require further tracing but constitute a separate laundering leg.
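The fund-flow walk in sections 4.1 and 4.2 (hop outward from the attacker wallet, stop at addresses whose onward flow is not attributable from chain data, and single out receiving addresses that have gone quiet) can be expressed as a small graph traversal. The script below is an added example written for this report; it is not the SentinelTX system the analysis was run on. The addresses, and the hashes, amounts and dates of the ETH, hub and NomiswapPair legs, are the ones listed above; the date of the hub's return transfer, and the hashes and amounts of the Binance and Din-bridge legs, are constructed because the report does not give them.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import date, timedelta

# Addresses are the ones the report lists.
ATTACKER = "0x6aa22cb8420e94fc2119364b4c7885710ae753bb"
ETH_HOLD = "0x59eff548cd9bcfbc169b6340f734e442c764a814"
BNB_HUB = "0xad7baae94959317929723a277694f3ecbd7358e1"
NOMISWAP = "0xe82e2d3b9db59f7c7b438239d92e2190a64e26ce"
BINANCE_DEPOSIT = "0xb300000b72deaeb607a12d5f54773d1c19c7028d"
DIN_FORWARDER = "0x663dc15d3c1ac63ff12e45ab68fea3f0a883c251"

# Traversal stops at these: what leaves a DEX pool, a bridge or an exchange deposit address cannot
# be attributed to the depositor from chain data alone; it needs the operator's records.
TERMINAL_LABELS = {
    NOMISWAP: "NomiswapPair (DEX pool)",
    BINANCE_DEPOSIT: "Binance deposit address (KYC link)",
    DIN_FORWARDER: "Din CrossChain Forwarder (bridge, destination untraced)",
}


@dataclass(frozen=True)
class Transfer:
    tx_hash: str
    chain: str
    sender: str
    receiver: str
    asset: str
    amount: float
    when: date


def june(day: int) -> date:
    return date(2026, 6, day)


def sample_ledger() -> list[Transfer]:
    """Constructed ledger. ETH, hub and NomiswapPair rows carry the report's hashes, amounts and
    dates (the hub's return date is assumed to be 2026-06-09); the Binance and bridge rows carry
    constructed hashes and amounts."""
    rows = [
        ("0x2ec21c7f25e54f39e9e12c2e5144d0b28fc0b704a8048b91f37be90e63805a9c", "ethereum", ATTACKER, ETH_HOLD, "ETH", 688.81, june(9)),
        ("0xc7356ba6cfbd44cba4670015efa7edb251aea1018375403544aafd6bd9ead8ff", "ethereum", ATTACKER, ETH_HOLD, "ETH", 22.61, june(10)),
        ("0xd7afb62182857ab63ec28caabcf000f2e4a5fdbb0ccf815efb017cb30e5b5528", "bsc", ATTACKER, BNB_HUB, "BNB", 1101.0, june(9)),
        ("0x740625ad7393851b3b1a92d064ca08fdc14c45a14de2a05826b57a79106a4a29", "bsc", ATTACKER, BNB_HUB, "BNB", 366.61, june(9)),
        ("0xa3d2ad2d8019c2b7b609fb5b1849d2cdfaeb9beebe05dd1f7f6535e642735f1c", "bsc", BNB_HUB, ATTACKER, "BNB", 1467.66, june(9)),
    ]
    nomiswap_txs = [
        "0xe821458e8d908a60c680ef0c1ff1b0e1395f9cd04b7936e416a21bd874ebc904",
        "0x2381acb7501c7a63504655c74472a29514b65b8f3f77e29b4de36f1bdd264774",
        "0x68d2d45cce2f520c9e6bd6208079b7393e641faa39e4df700b74c82e3feb987b",
        "0x1d4ffd1187b20e8ee370e3a5c9450b1b3b760361405131af75b259359de2c6fd",
        "0x4dbc7aafc0cac2dc9d14a7aaed09e9c5d1b01bdce39fa56c8ef7ba25f08fa3e9",
        "0x1b932f80c4a52ea78abfd8c37fd4ec09b4dde06e0aec55e3b7a34ab08c4590c",
    ]
    rows += [(h, "bsc", ATTACKER, NOMISWAP, "BNB", 200.0, june(9)) for h in nomiswap_txs]
    rows += [  # constructed legs: the report names the counterparties but not hash or amount
        ("0xCONSTRUCTED_binance_leg", "bsc", ATTACKER, BINANCE_DEPOSIT, "USDT", 250_000.0, june(10)),
        ("0xCONSTRUCTED_bridge_leg", "bsc", ATTACKER, DIN_FORWARDER, "BNB", 150.0, june(10)),
    ]
    return [Transfer(*r) for r in rows]


def trace(ledger, origin, terminals=TERMINAL_LABELS, max_hops=4):
    """Breadth-first walk over outbound transfers from `origin`. Per reached address: the hop at
    which it was first seen, inflow by asset, and a label. Cycles (the hub bouncing BNB back to
    the attacker) are recorded as inflow but never re-expanded."""
    outbound = defaultdict(list)
    for t in ledger:
        outbound[t.sender].append(t)
    reached, seen, queue = {}, {origin}, deque([(origin, 0)])
    while queue:
        addr, hops = queue.popleft()
        if hops >= max_hops:
            continue
        for t in outbound[addr]:
            node = reached.setdefault(t.receiver, {
                "hops": hops + 1, "inflow": defaultdict(float),
                "label": terminals.get(t.receiver, "unattributed")})
            node["inflow"][t.asset] += t.amount
            if t.receiver not in seen and t.receiver not in terminals:
                seen.add(t.receiver)
                queue.append((t.receiver, hops + 1))
    return reached


def dormant_addresses(ledger, reached, as_of, window_days=30):
    """Unattributed reached addresses with no outbound transfer in the window ending `as_of`:
    the parked-funds pattern that justifies a real-time monitoring request."""
    cutoff = as_of - timedelta(days=window_days)
    active = {t.sender for t in ledger if cutoff <= t.when <= as_of}
    return sorted(a for a, n in reached.items() if n["label"] == "unattributed" and a not in active)


def net_position(ledger, addr):
    """Inflow minus outflow per asset for one address: what is still sitting there."""
    pos = defaultdict(float)
    for t in ledger:
        if t.receiver == addr:
            pos[t.asset] += t.amount
        if t.sender == addr:
            pos[t.asset] -= t.amount
    return dict(pos)


if __name__ == "__main__":
    ledger = sample_ledger()
    reached = trace(ledger, ATTACKER)
    for addr, node in reached.items():
        print(addr, node["hops"], dict(node["inflow"]), node["label"])
    print("dormant:", dormant_addresses(ledger, reached, as_of=date(2026, 7, 9)))
```

Two design points carry over to real investigations. Terminal addresses are labelled, not skipped: the Binance deposit address is the lead that turns into a legal request, so it must appear in the output with its inflow even though the walk does not continue past it. And dormancy is computed against a fixed `as_of` date rather than "now", so the same ledger re-run later reproduces the same finding and any later movement shows up as a change.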

5. The DPRK Question

Multiple forensic indicators overlap with known Lazarus Group (DPRK) operational signatures:

On-chain sleuth ZachXBT raised the possibility that this incident was "possibly staged" — citing aggressive market-making practices before the hack and the suspicious timing ahead of the June 25 token unlock.

This remains an analytical inference (not confirmed on-chain) and would require examination of off-chain communications, market-maker agreements, and internal wallet clustering to substantiate.

6. Complete On-Chain Evidence Trail

Key Addresses

Key Transactions

7. What Remains Untraced

711 ETH ($2.37M equivalent) sitting at 0x59eff548cd9bcfbc169b6340f734e442c764a814 on Ethereum — no outbound movement detected in the 30-day trace window.

Cross-chain destination via Din Bridge — the receiving chain and address have not yet been identified. This constitutes a second active laundering leg.

Residual BNB distributed across 340+ addresses via the DEX layering operation — the bulk has likely been converted to stablecoins and is either parked or slowly bleeding into OTC desks.

8. Recommended Actions for Investigators

Immediate (within 24 hours):

  1. 🔴 Submit freeze request to Binance Compliance for deposit address 0xb300000b72deaeb607a12d5f54773d1c19c7028d — cite TX hash and wallet attribution. Binance has cooperated in similar cases.
  2. 🔴 Register 0x59eff548cd9bcfbc169b6340f734e442c764a814 for real-time monitoring — 711 ETH dormant, may move at any time. Flag with all major exchanges.
  3. 🟠 Report to relevant FIU — the structuring pattern (repeated identical batch sizes, DEX layering) meets the threshold for suspicious transaction reporting under FATF Recommendation 16 / applicable national AML law.

Within 30 days:

  1. Trace the Din CrossChain Bridge destination — identify the receiving chain and address.
  2. Subpoena market-maker communications referenced by ZachXBT — determine whether the "staged hack" thesis has merit.
  3. Submit MLAT/legal assistance request to Binance's home jurisdiction for KYC records tied to the deposit address.
  4. Cross-reference the attacker wallet with known Lazarus Group infrastructure clusters.

9. Conclusion

The Humanity Protocol hack is a masterclass in what happens when operational security is treated as an afterthought. Seven keys on one laptop. A multisig that wasn't. A pre-hack price rally that now looks suspicious in retrospect. And a June 25 unlock that would have diluted the supply anyway.

On-chain, the attacker was disciplined: structured selling in identical batches, rapid DEX hops to obscure origin, an intermediary hub that bounced BNB before redistribution, and a final exit through Binance. The 711 ETH parked on Ethereum is the most actionable frozen asset remaining — if law enforcement moves quickly, that money is recoverable.

The DPRK attribution remains a working hypothesis, not a confirmed finding. The behavioral overlap is significant, but attribution requires corroborating intelligence beyond what on-chain data alone can provide.

What is certain: the funds are not gone. They are traceable. The Binance KYC link exists. The dormant ETH address is known. The window is open — but it won't stay open forever.

🔗 All on-chain data cited in this report is publicly verifiable on BscScan and [filtered]. Analysis was performed using SentinelTX Blockchain Forensic Intelligence System as of June 17, 2026.

⚠️ This report constitutes analytical findings only. DPRK attribution and internal staging allegations are working hypotheses and have not been confirmed by law enforcement. All addresses and transaction hashes are presented in full for independent verification.
