- Exploiter converted stolen Humanity Protocol funds into USDC before transfers.
- Stolen assets were split across wallets to complicate blockchain tracking.
- Attack stemmed from phishing malware that exposed critical admin keys.
The attacker behind the recent Humanity Protocol breach has begun moving and converting stolen assets. Blockchain tracking data shows that part of the funds was swapped into USDC before being transferred to crypto exchange KuCoin. The latest movements come weeks after the $36 million exploit that compromised the protocol’s systems and triggered a sharp decline in its native token.
Stolen Funds Routed Through Multiple Wallets
Blockchain analytics platform Lookonchain reported that the Humanity Protocol exploiter converted a portion of the stolen assets into USDC and deposited the funds into KuCoin. The transfers were detected through on-chain activity linked to wallets associated with the attacker.
The movement of funds followed a pattern often seen in major crypto exploits. Assets were divided among multiple wallets and transferred in several transactions. On-chain records showed repeated ETH transfers ranging from 10 ETH to 50 ETH, alongside a larger transfer of roughly 500 ETH.
The attacker also conducted several token swaps before the KuCoin deposit. Transactions included conversions into stablecoins such as USDT and USDC. Analysts noted that the funds were routed through different addresses to make tracking more difficult and obscure the origin of the assets.
The #Humanity Protocol exploiter swapped part of the stolen funds for $USDC and deposited it to #KuCoin. https://t.co/ZcsrKWUQiP
— Lookonchain (@lookonchain) June 20, 2026
Some of the stolen funds also moved through decentralized exchanges, including Uniswap and PancakeSwap. These swaps allowed the attacker to convert tokens while maintaining control of the assets across multiple blockchain addresses.
Phishing Attack Led to $36 Million Breach
The exploit occurred on June 8 after a project director reportedly received a phishing email disguised as a communication from a major South Korean crypto exchange. The email contained a malicious file that installed malware on the victim’s device.
The malware enabled the attacker to gain remote access and extract sensitive information, including private keys and wallet credentials. With those credentials, the attacker obtained control of critical administrative accounts connected to Humanity Protocol.
After securing access, the attacker upgraded smart contracts on Ethereum and moved approximately 141 million H tokens. Control of a ProxyAdmin contract on BNB Smart Chain also allowed unauthorized minting of new H tokens, increasing supply and disrupting the token ecosystem.
The newly created and stolen tokens were later sold through decentralized exchanges, placing significant pressure on the market. Following the exploit, Humanity Protocol froze its Ethereum contract and secured remaining assets through an unaffected multisignature wallet.
However, the BNB Smart Chain deployment remains compromised, prompting the project to focus recovery efforts on affected users and its broader ecosystem.
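A defender-side check for the two on-chain actions described above (a contract upgrade through a proxy and token minting), added here as an illustration and not code from Humanity Protocol or this report: it scans event logs in the JSON-RPC eth_getLogs shape for EIP-1967 Upgraded events that point at an implementation outside an approved set, and for ERC-20 mints above a limit. It assumes the token follows the common convention of emitting Transfer from the zero address on mint; the addresses, the 18-decimal unit and the mint limit are constructed placeholders.

```python
# Standard event signature hashes (topic0), as found in eth_getLogs results.
UPGRADED = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"  # Upgraded(address)
TRANSFER = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"  # Transfer(address,address,uint256)
ZERO_TOPIC = "0x" + "0" * 64  # indexed `from` of a mint is the zero address

def as_topic(addr):
    """Left-pad a 20-byte address to the 32-byte form used for indexed topics."""
    return "0x" + "0" * 24 + addr[2:].lower()

def review_logs(logs, approved_impls, mint_limit):
    """Flag proxy upgrades to unapproved implementations and mints above mint_limit."""
    alerts = []
    for log in logs:
        topics = [t.lower() for t in log["topics"]]
        if not topics:
            continue  # anonymous event, nothing to match on
        if topics[0] == UPGRADED and len(topics) == 2:
            impl = "0x" + topics[1][-40:]
            if impl not in approved_impls:
                alerts.append(("unapproved_upgrade", log["address"], impl))
        elif topics[0] == TRANSFER and len(topics) == 3 and topics[1] == ZERO_TOPIC:
            amount = int(log["data"], 16)
            if amount > mint_limit:
                alerts.append(("large_mint", log["address"], amount))
    return alerts

# Constructed sample data: placeholder addresses, not taken from the incident.
PROXY, TOKEN = "0x" + "11" * 20, "0x" + "22" * 20
GOOD_IMPL, BAD_IMPL = "0x" + "ab" * 20, "0x" + "cd" * 20
USER_A, USER_B = "0x" + "33" * 20, "0x" + "44" * 20
UNIT = 10 ** 18  # assumes an 18-decimal token

def transfer(src_topic, dst, amount):
    return {"address": TOKEN, "topics": [TRANSFER, src_topic, as_topic(dst)],
            "data": f"0x{amount:064x}"}

SAMPLE_LOGS = [
    {"address": PROXY, "topics": [UPGRADED, as_topic(GOOD_IMPL)], "data": "0x"},
    {"address": PROXY, "topics": [UPGRADED, as_topic(BAD_IMPL)], "data": "0x"},
    transfer(ZERO_TOPIC, USER_A, 5 * UNIT),                # small mint, under limit
    transfer(ZERO_TOPIC, USER_B, 2_000_000 * UNIT),        # oversized mint
    transfer(as_topic(USER_A), USER_B, 9_000_000 * UNIT),  # ordinary transfer, ignored
]

ALERTS = review_logs(SAMPLE_LOGS, {GOOD_IMPL}, mint_limit=1_000 * UNIT)
if __name__ == "__main__":
    for alert in ALERTS:
        print(alert)
```

In practice the approved set would be fed from the project's own release process, so an upgrade signed with stolen admin keys still raises an alert because its implementation address was never registered.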
