$H Incident: Tooling Linked to North Korean Actors

2026-06-13 Humanity

https://x.com/Humanityprot/status/2065480523057647652


Quantstamp attributed the June 8 $H token compromise to tooling and methods characteristic of DPRK hackers. The attacker used stolen director keys to upgrade an Ethereum contract, move about 141.18 million $H, seize a BSC ProxyAdmin contract, and mint new $H. Initial access came through a targeted phishing email impersonating Bithumb, which delivered a malicious attachment and a signed first-stage loader that installed remote-access malware. Reported tradecraft included a Hancom-signed loader, Stas'm RDP Wrapper, binaries disguised as Microsoft Defender's Network Inspection Service, and a hidden GuestUser profile.
