A June 8, 2026 compromise of Humanity Protocol's $H token infrastructure began with a Bithumb-themed spear-phishing email that infected a director's Windows laptop and exposed MetaMask data plus production signer keys. The attacker used stolen Ethereum and BSC Safe owner keys to seize ProxyAdmin control, upgrade bridge contracts, drain bridge funds, and mint or move hundreds of millions of $H tokens, with known attacker-controlled proceeds exceeding USD 21 million in ETH and additional BSC-side tracing still in progress. Quantstamp assessed the loader-signing pattern and tooling as characteristic of DPRK intrusions, but the available reporting does not identify a specific named actor cluster beyond DPRK-linked tradecraft.