Blockchain security firm Quantstamp has linked North Korean threat actors to a $36 million hack of decentralized identity company Humanity Protocol. The breach occurred after an employee opened a malicious phishing email disguised as an update from South Korean exchange Bithumb. The malware it installed gave attackers remote access, leading to the theft of Humanity (H) tokens.
A phishing email has been tied to North Korea-linked actors in the hack of Humanity Protocol. The attack resulted in the theft of $36 million in Humanity (H) tokens on Monday after an employee’s laptop was compromised.
The malicious attachment was disguised as a token lockup schedule update from South Korean cryptocurrency exchange Bithumb. According to Quantstamp, it installed malware that gave attackers full remote access to the device.
Quantstamp stated the malware was signed with a South Korean Hancom digital certificate, a pattern “characteristic of DPRK intrusions.” The remote access allowed the attackers to copy a director’s MetaMask wallet credentials and private keys.
This suspected link adds to a series of major crypto thefts attributed to the country. North Korea-linked actors were tied to at least $578 million of the $634 million stolen in crypto-related incidents in April alone.
A recent report by blockchain security company CertiK notes these actors have been linked to about $2 billion of the $3.4 billion lost to crypto exploits in 2025. Over the past decade, they are estimated to have stolen $6.75 billion across 263 documented incidents.
North Korea has “industrialized” crypto theft into a core state revenue mechanism. CertiK’s report states these operations now constitute a substantial share of the regime’s external income.
On May 3, a North Korean Foreign Ministry spokesperson rejected the allegations in a statement carried by state media. The spokesperson accused the US of spreading incorrect narratives about a “non-existent ‘cyber threat.’”
