Phish & chips: North Korea-linked malware reels in $36M from Humanity Protocol 🪝

A phishing email disguised as a token lockup schedule update from South Korean exchange Bithumb enabled attackers to drain $36 million in Humanity (H) tokens from Humanity Protocol on Monday, according to blockchain security firm Quantstamp. Quantstamp's incident response said a compromised employee laptop was used to install malware that granted full remote access, allowing attackers to copy the credentials and private keys of Humanity Protocol director Chong Yee Wai's MetaMask wallet.

Quantstamp reported that the malicious attachment was signed with a South Korean Hancom digital certificate, a pattern it described as "characteristic of DPRK intrusions." The firm attributed the operation to North Korea-linked threat actors, placing the incident alongside a string of major crypto thefts linked to the regime.

Blockchain security company CertiK, in a May report, said North Korea-affiliated hackers have been tied to roughly $2 billion of the $3.4 billion lost to crypto exploits in 2025, accounting for 12% of total incidents. CertiK described the activity as reflecting a focus on "precision and scale." The same actors were tied to at least $578 million of the $634 million stolen in crypto-related incidents in April, CertiK added. Over the past decade, North Korea-linked actors have stolen an estimated $6.75 billion in cryptocurrency across 263 documented incidents, according to the report.

North Korea has generally declined to address cybercrime allegations, but on May 3 a Foreign Ministry spokesperson rejected the accusations in a statement carried by the Korean Central News Agency, the country's state media. The spokesperson said the US was spreading "incorrect" narratives about the "non-existent 'cyber threat'" from North Korea.