Humanity Protocol key storage error, malware infection lead to massive token breach

There is no indication that the palm biometrics “Proof-of-Trust” née “Proof-of-Humanity” startup Humanity Protocol uses for identity verification have failed. Instead, the company traces a massive breach it suffered this week, which resulted in 447 million H tokens worth an estimated stolen or illicitly minted, to improperly stored private keys.
A developer’s computer infected with malware was storing backups of seven private encryption keys. The keys had been inadvertently backed up around the time Humanity Protocol launched its mainnet last June, according to the company’s incident report.
Three coordinated attacks against Humanity Protocol were then carried out across two chains using the exposed keys on Monday and Tuesday. The attacks resulted in 300 million new H tokens being minted, plus an EOA direct theft and ETH bridge drain accounting for the stolen tokens.
Humanity Protocol described the incident as a “human and operational security failure.”
South Korea’s ChosunBiz reports that the biometric identity verification feature could be spoofed, but does not offer any evidence, and fails to acknowledge the actual attack vector used in the breach.
The response from Humanity Protocol includes the creation of a web page that tracks the wallet addresses controlled by the attacker and the movement of funds, as well as a $1 million USDT bounty for information that leads to the recovery of its tokens.
“We are still determining the full root cause of how the device was compromised and the exact timeline of when the attacker gained access,” the company said in its statement on the breach. “We have engaged external security experts to conduct a forensic investigation of the compromised devices. We will share further findings with the community as the investigation progresses. We are also working on a recovery program for victims affected.”
The price of Humanity Protocol’s tokens fell from highs above $0.80 earlier this month to around $0.16 in Thursday trading, according to CoinMarketCap.
Humanity Protocol recently announced a shift in its focus from differentiating people from bots and AI agents to user attribute and identity verification.