Quantstamp Links Humanity Protocol’s $36M Hack to Suspected NK Actors

Blockchain security firm Quantstamp says a phishing email and a compromised laptop were key steps in the recent Humanity Protocol incident that resulted in the theft of $36 million worth of Humanity (H) tokens. The company’s investigation points to North Korea-linked threat activity, citing technical indicators such as a South Korean digital certificate and malware behavior consistent with DPRK intrusion patterns.

Quantstamp reports that the attackers used a malicious attachment disguised as a token lockup schedule update supposedly connected to Bithumb, one of South Korea’s major cryptocurrency exchanges. After the file was delivered to a staff member, malware installed itself and provided attackers with full remote access—allowing them to reach sensitive wallet material used in the protocol’s operations.

Key takeaways

  • Quantstamp attributes the Humanity Protocol compromise to a phishing attachment that enabled full remote access to a compromised employee laptop.
  • The malware is reported to have been signed with a South Korean Hancom digital certificate, a detail Quantstamp described as characteristic of DPRK intrusions.
  • Attackers were able to extract wallet credentials, including MetaMask wallet data and private keys, from a Humanity Protocol director.
  • Security firms continue to link North Korea-linked actors to a substantial share of crypto theft losses across recent years and 2025.
  • Quantstamp’s findings add to a growing pattern where targeted social engineering is used to reach individuals inside crypto projects.

Phishing attachment becomes the access point

In its incident response, Quantstamp said the Humanity Protocol attackers gained leverage through a compromised employee’s laptop. The method, according to the firm, was a phishing email with a malicious attachment that impersonated a token-related update.

The attachment was disguised as what appeared to be a token lockup schedule update from Bithumb. Once opened, the payload installed malware that Quantstamp says granted attackers full remote access to the device.

This matters because it shifts the incident from a purely on-chain exploit narrative to a more human-infrastructure risk narrative: the immediate breach mechanism relied on end-user compromise rather than a direct vulnerability in smart contract code.

Wallet credential theft and the role of remote access

Quantstamp added that the malware’s capabilities extended beyond general control of the laptop. The firm said the attackers used the access to copy Humanity Protocol director Chong Yee Wai’s MetaMask wallet credentials and private keys.

That workflow—stealing wallet material following remote compromise—can enable fast movement of funds. It also highlights why crypto incidents often hinge on endpoint security controls, such as phishing-resistant authentication and strong key-handling procedures, rather than only contract-level defenses.

Technical signals Quantstamp links to DPRK intrusions

Beyond the phishing and remote access, Quantstamp pointed to a technical detail it described as “characteristic of DPRK intrusions.” The firm said the malware was signed with a South Korean Hancom digital certificate.

Quantstamp’s attribution is consistent with how many threat reports are built in cyber investigations: while exact attribution is rarely confirmed publicly, analysts often use combinations of tooling, signing behavior, and operational patterns. In this case, the presence of a specific signing certificate and the observed malware behavior are presented as correlating indicators.

How this fits a broader pattern of North Korea-linked crypto theft

The suspected North Korean link does not appear in isolation. Quantstamp’s report is framed against a backdrop of major crypto thefts that multiple security assessments have attributed to North Korea-linked groups.

Cointelegraph previously reported that North Korea-linked threat actors were tied to at least $578 million of the $634 million stolen in crypto-related incidents in April, referencing an earlier analysis.

Separately, a May report by blockchain security company CertiK said the same actors have been linked to about $2 billion of the $3.4 billion lost to crypto exploits in 2025, while accounting for 12% of total incidents. CertiK characterized the operations as reflecting “precision and scale,” emphasizing that the focus is not only volume but effective execution.

Looking at longer time horizons, a report cited in the article states that over the past decade North Korea-linked actors stole an estimated $6.75 billion in cryptocurrency across 263 documented incidents. CertiK also said North Korea has “industrialized” crypto theft as a core state revenue mechanism, positioning the activity as a meaningful component of external income.

Denial from North Korea, and why attribution stays contentious

North Korea typically does not respond directly to cybercrime allegations. However, the article notes that on May 3, a Foreign Ministry spokesperson rejected claims of involvement in crypto hacks in a statement carried by the Korean Central News Agency.

In that response, the spokesperson argued that the US is spreading “incorrect” narratives about a “non-existent ‘cyber threat’” from North Korea, according to the report referenced in the piece.

For investors and operators, the key takeaway is not to treat attribution claims as courtroom-grade certainty, but to recognize that the patterns behind these incidents—especially endpoint compromise and credential theft—are actionable regardless of attribution debates. Even when state involvement is disputed, the practical defenses remain similar: harden access to personnel systems, reduce exposure to credential-harvesting malware, and ensure recovery and incident response plans assume that social engineering can succeed.

Going forward, the main things readers should watch are follow-up updates from Humanity Protocol and security monitors on whether additional wallets or related infrastructure were targeted, alongside broader tooling guidance from Quantstamp and other analysts on preventing phishing-led endpoint takeovers.

This article was originally published as Quantstamp Links Humanity Protocol’s $36M Hack to Suspected NK Actors on Crypto Breaking News – your trusted source for crypto news, Bitcoin news, and blockchain updates.
