Humanity Protocol Hack Tooling Linked to North Korean Hackers: Quantstamp

A malicious attachment delivered through a phishing email points to the involvement of North Korea-linked threat actors in Humanity Protocol’s recent hack, according to blockchain security company Quantstamp.

The decentralized identity company said a compromised employee’s laptop enabled attackers to steal $36 million in Humanity (H) tokens on Monday.

The malicious attachment was disguised as a token lockup schedule update from South Korean cryptocurrency exchange Bithumb. It installed malware that gave attackers full remote access to the laptop, Quantstamp said in its incident response.

The phishing email that led to the Humanity Protocol compromise. Source: Quantstamp

Quantstamp added that the malware was signed with a South Korean Hancom digital certificate, a pattern it described as “characteristic of DPRK intrusions.” The malware enabled attackers to copy Humanity Protocol director Chong Yee Wai’s MetaMask wallet credentials and private keys.

The suspected North Korean link would add to a series of major crypto thefts attributed to the country. North Korea-linked threat actors were tied to at least $578 million of the $634 million stolen in crypto-related incidents in April.

North Korean hackers tied to some of the largest crypto hacks

According to a May report by blockchain security company CertiK, the same actors have been linked to about $2 billion of the $3.4 billion lost to crypto exploits in 2025, while accounting for 12% of total incidents. CertiK said the figures reflect a focus on “precision and scale.”

Over the past decade, North Korea-linked actors stole an estimated $6.75 billion in cryptocurrency across 263 documented incidents, the report said.

CertiK added that North Korea has “industrialized” crypto theft into a core state revenue mechanism, making these operations a substantial share of the regime’s external income.

Total DPRK crypto theft over the years. Source: CertiK/Skynet

North Korea rarely responds to cybercrime allegations, but on May 3, a Foreign Ministry spokesperson rejected them in a statement carried by the Korean Central News Agency, the country’s state media.

The spokesperson accused the US of spreading “incorrect” narratives about the “non-existent ‘cyber threat’” from North Korea.

Cointelegraph is committed to independent, transparent journalism. This news article is produced in accordance with Cointelegraph’s Editorial Policy and aims to provide accurate and timely information. Readers are encouraged to verify information independently.