North Korean state-linked hackers stole up to $36 million in cryptocurrency from Humanity Protocol, a privacy-focused blockchain identity verification platform, after compromising a company executive through a targeted phishing email. The theft, disclosed by Humanity Protocol in a report published Saturday and investigated by blockchain security firm Quantstamp, saw attackers move and mint a combined 193,617,148 Humanity ($H) tokens on June 8. Quantstamp attributed the campaign to DPRK actors based on tooling and tradecraft consistent with prior North Korean operations.
What Happened
On June 5, attackers sent a phishing email to Chong Yee Wai, a Humanity Protocol director. The message impersonated South Korean cryptocurrency exchange Bithumb, a counterparty Chong was already corresponding with, and referenced a routine token circulation update to lower suspicion. Chong clicked a link to download a compressed folder, filled out a spreadsheet inside it, and replied to the email, also copying colleague Terence Kwok, who had received the same lure.
Opening the archive deployed a malware loader signed with a digital certificate tied to South Korean office software company Hancom, whose proprietary file formats are frequently abused in DPRK intrusions. The loader gave the attackers access to the executive's machine, from which they stole the credentials later used to reach Humanity Protocol's systems. On June 8, the attackers used that access to move roughly 141.18 million $H tokens and mint additional tokens, reaching a total of 193,617,148 $H tokens stolen, worth as much as $36 million.
What Was Taken
The losses were entirely in cryptocurrency and minting privileges rather than personal data. According to the company, attackers siphoned approximately 141.18 million existing $H tokens and abused minting access to generate further supply, bringing the combined total to 193,617,148 $H tokens. The unauthorized minting is particularly damaging because it allows an attacker to inflate token supply beyond what was held in compromised wallets, diluting legitimate holders and undermining confidence in the protocol's economics. The valuation of up to $36 million reflects the tokens' market price at the time of the heist.
Why It Matters
This incident extends North Korea's standing as the world's most prolific cryptocurrency thief and confirms decentralized services remain a priority target. It follows other major DPRK-linked campaigns this year, including the $290 million KelpDAO and $285 million Drift Protocol heists in April. The pattern shows that attackers are not breaking cryptography or smart contracts directly; they are compromising the humans who hold privileged access. For any organization operating a token, exchange relationship, or protocol with administrative or minting keys, a single executive's inbox is now a critical attack surface. The abuse of a Hancom-linked code-signing certificate also signals continued supply-chain and trust-abuse tradecraft that defeats naive trust-the-signature controls.
The Attack Technique
The operation was social engineering from start to finish. Attackers chose a believable pretext by impersonating Bithumb, an exchange the target already trusted, and themed the lure around a mundane token circulation update. The malicious payload arrived as a compressed archive containing a decoy spreadsheet, encouraging the victim to engage and even reply, which deepened the attacker's foothold and pulled in a second employee. The deployed loader carried a digital signature linked to Hancom, lending false legitimacy and helping evade endpoint trust checks. Once the executive's computer was infiltrated, the attackers harvested credentials and used that valid access to move and mint tokens, blending into normal administrative activity.
What Organizations Should Do
- Treat code-signing and digital certificates as compromisable: do not auto-trust signed binaries, and verify executables against known-good hashes and behavior rather than signature alone.
- Harden privileged and minting operations with multi-party approval, hardware-backed keys, withdrawal allowlists, and time-locks so no single compromised endpoint can move or mint funds.
- Treat unsolicited attachments, especially compressed archives and Hancom or office documents, as high risk, and enforce sandboxed detonation before they reach executives.
- Verify counterparty communications out of band; confirm any document or update purportedly from an exchange like Bithumb through a known, separate channel before acting.
- Deliver targeted anti-phishing training to executives, directors, and finance or treasury staff, who are the specific roles DPRK actors prioritize.
- Deploy EDR with credential-theft and loader detection on executive endpoints, and monitor for anomalous on-chain administrative actions to enable rapid response.
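One way to structure the multi-party, time-locked mint control recommended above, as an added illustration and not Humanity Protocol's own code: a Solidity controller that holds the token's only mint right, so a single stolen key can propose but never mint on its own. The IMintableToken interface, the signer set, threshold, delay and per-proposal cap are assumed parameters chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not Humanity Protocol code: assumes a token whose mint() is callable only by this contract.
interface IMintableToken { function mint(address to, uint256 amount) external; }

contract MintController {
    IMintableToken public immutable token;
    address[] public signers;           // assumed distinct, e.g. three hardware-backed keys held by different people
    uint256 public immutable threshold; // approvals required, e.g. 2 of 3
    uint256 public immutable delay;     // seconds between quorum and execution: the veto window
    uint256 public immutable mintCap;   // per-proposal ceiling bounds the damage of any single bad mint

    struct Proposal { address to; uint256 amount; uint256 approvals; uint256 readyAt; bool closed; mapping(address => bool) approvedBy; }
    uint256 public proposalCount;
    mapping(uint256 => Proposal) private proposals;

    constructor(IMintableToken t, address[] memory s, uint256 k, uint256 d, uint256 cap) {
        require(k > 1 && k <= s.length, "threshold must require more than one key");
        token = t; signers = s; threshold = k; delay = d; mintCap = cap;
    }

    function isSigner(address a) public view returns (bool) {
        for (uint256 i = 0; i < signers.length; i++) if (signers[i] == a) return true;
        return false;
    }

    // The proposer's approval counts as one, so one compromised key can never reach quorum alone.
    function propose(address to, uint256 amount) external returns (uint256 id) {
        require(isSigner(msg.sender), "not a signer");
        require(amount <= mintCap, "exceeds per-proposal cap");
        id = proposalCount++;
        Proposal storage p = proposals[id];
        p.to = to; p.amount = amount;
        _approve(p, msg.sender);
    }

    function approve(uint256 id) external { require(isSigner(msg.sender), "not a signer"); _approve(proposals[id], msg.sender); }

    // Any single signer can veto a pending proposal while the delay is running.
    function cancel(uint256 id) external { require(isSigner(msg.sender), "not a signer"); proposals[id].closed = true; }

    function _approve(Proposal storage p, address signer) internal {
        require(!p.closed && !p.approvedBy[signer], "closed or already approved");
        p.approvedBy[signer] = true;
        p.approvals++;
        if (p.approvals == threshold) p.readyAt = block.timestamp + delay; // time-lock starts at quorum
    }

    // Anyone may execute once the delay has elapsed; the token is minted only here.
    function execute(uint256 id) external {
        Proposal storage p = proposals[id];
        require(p.readyAt != 0 && block.timestamp >= p.readyAt && !p.closed, "not ready or cancelled");
        p.closed = true;
        token.mint(p.to, p.amount);
    }
}
```

The delay window is what makes on-chain monitoring actionable: a pending proposal that nobody on the team recognises can be cancelled by any one signer before a single token is minted.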
Sources: North Korean hackers steal $36M from blockchain service using phishing email | NK PRO