A spear-phishing email impersonating Bithumb reportedly led to malware infection on a Humanity Protocol director's Windows laptop, exposing MetaMask data and production signer keys in activity Quantstamp said was characteristic of DPRK intrusions. With three Ethereum Safe keys and three BSC Safe keys recoverable from one endpoint, the attacker crossed multisig thresholds, seized ProxyAdmin control without a timelock, drained bridge funds, and enabled unauthorized $H minting. Humanity Protocol acknowledged 447.227 million $H affected, while QuillAudits documented additional BSC mint transactions totaling about 1.64 billion $H in on-chain token activity. Researchers disagreed on whether unusual market-maker flows indicated a staged event, but the report's supported technical finding is a private-key leak and administrative takeover enabled by poor key custody and missing upgrade-delay controls.