Humanity Protocol $36M Admin Key Compromise Exploit (Explained)
2026-06-17 • Quill Audits
https://www.quillaudits.com/blog/hack-analysis/humanity-protocol-admin-key-compromise
A DPRK-linked attacker compromised seven high-privilege Humanity Protocol keys stored on one director's laptop, giving them enough signatures to defeat both Ethereum and BSC Gnosis Safe thresholds. The attacker transferred ProxyAdmin ownership, upgraded the Ethereum bridge to drain 141,182,632 H, and upgraded the BSC H token to a malicious implementation that minted more than 122 billion H. The report attributes the loss to operational security failure, key concentration, and missing ProxyAdmin timelocks rather than smart contract logic bugs. Humanity froze the Ethereum token with an uncompromised multisig and began a token replacement and compensation plan, while the BSC deployment remained under attacker control at the time described.
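The key-concentration failure described above can be checked for in a signer inventory. The following is an added example, not code from the report or from Humanity Protocol; the Safe names, thresholds, owner labels and device labels are all constructed for illustration.

```python
from collections import Counter

# Constructed inventory (not from the report): each Safe's signing threshold
# and the device on which every owner key is stored.
SAFES = {
    "eth-safe": {"threshold": 3, "owners": {
        "owner-1": "director-laptop", "owner-2": "director-laptop",
        "owner-3": "director-laptop", "owner-4": "director-laptop",
        "owner-5": "hw-wallet-a"}},
    "bsc-safe": {"threshold": 3, "owners": {
        "owner-6": "director-laptop", "owner-7": "director-laptop",
        "owner-8": "director-laptop", "owner-9": "hw-wallet-b"}},
    "freeze-safe": {"threshold": 2, "owners": {
        "owner-10": "hw-wallet-c", "owner-11": "hw-wallet-d",
        "owner-12": "hw-wallet-e"}},
}

def keys_per_device(safe):
    """Count how many of a Safe's owner keys live on each device."""
    return Counter(safe["owners"].values())

def single_device_breaches(safes):
    """Map each device to the Safes whose threshold its keys alone can meet."""
    findings = {}
    for name, safe in safes.items():
        for device, count in keys_per_device(safe).items():
            if count >= safe["threshold"]:
                findings.setdefault(device, []).append(name)
    return {device: sorted(names) for device, names in findings.items()}

def min_devices_to_threshold(safe):
    """Fewest devices that must be compromised to reach the threshold.

    Taking devices in descending key count is optimal for this minimum.
    """
    total = 0
    counts = sorted(keys_per_device(safe).values(), reverse=True)
    for n, count in enumerate(counts, 1):
        total += count
        if total >= safe["threshold"]:
            return n
    return None  # threshold exceeds the number of owner keys

if __name__ == "__main__":
    for device, names in single_device_breaches(SAFES).items():
        print(f"{device}: single compromise meets threshold of {names}")
    for name, safe in SAFES.items():
        print(f"{name}: devices needed = {min_devices_to_threshold(safe)}")
```

A result of 1 from `min_devices_to_threshold` means the multisig threshold provides no protection against the loss of that one device, whatever the nominal signer count.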