Key Takeaways
1 | A multisig wallet requires multiple private keys to approve a transaction. But if enough of those keys are stored on one device, the security model collapses. |
2 | Humanity Protocol lost $36 million in June 2026 after malware on a developer's laptop exposed seven private keys, including enough to control two separate blockchain bridges. |
3 | Operational security (OpSec) matters just as much as the wallet technology itself. Proper key distribution across separate hardware devices is what actually makes multisig safe. |
Introduction: A Security Tool That Was Used Unsafely
Multisignature wallets are widely considered one of the most secure ways to manage cryptocurrency. Instead of relying on a single private key, they require multiple keys held by multiple people to approve any transaction. The logic is simple: if one key is stolen, it is not enough. The attacker needs more.
That logic holds, but only if the keys are actually kept apart. In June 2026, Humanity Protocol, a decentralized identity project backed by Pantera Capital and Jump Crypto, lost an estimated $36 million after an attacker compromised a developer's laptop. The machine held enough private keys to meet the approval threshold on two separate blockchain bridges.
The multisig did not fail because the technology is flawed. It failed because the keys were not properly separated. This article explains how multisig wallets work, what went wrong at Humanity Protocol step by step, and what good operational security actually looks like in practice.
What Is a Multisig Wallet?
A multisignature wallet (multisig) is a crypto wallet that requires a set number of private key signatures before any transaction can be executed. This is called an M-of-N configuration, where N is the total number of keys and M is how many are required to approve an action.
Some common configurations include:
2-of-3: Any two out of three keyholders must approve
3-of-5: Three out of five must sign
3-of-6: Three out of six, as used by Humanity Protocol on Ethereum
3-of-5: As used by Humanity Protocol on BNB Smart Chain
Why is this useful? Because it eliminates the single point of failure that comes with a standard wallet. In a regular wallet, one private key controls everything. Lose it or have it stolen, and the funds are gone. In a multisig, an attacker must compromise multiple independent keys to gain control. This makes multisig the default standard for managing DAO treasuries, protocol admin controls, and large institutional holdings.
For Ethereum-based projects, the most widely used multisig solution is Gnosis Safe (now called Safe), a battle-tested smart contract wallet. Humanity Protocol used Gnosis Safe for both its Ethereum and BNB Smart Chain bridges.
Multisig vs Standard Wallet: A Quick Comparison
Feature | Standard Wallet | Multisig Wallet |
Keys required to transact | 1 | Multiple (e.g. 2-of-3) |
Single point of failure | Yes | No, if keys are separated |
Risk if one key is stolen | Total loss of funds | Attacker still needs more keys |
Ideal for | Personal use | Teams, DAOs, protocol admin |
Common tool (Ethereum) | MetaMask, hardware wallets | Gnosis Safe / Safe{Wallet} |
What Happened at the Humanity Protocol?
Humanity Protocol is a decentralized identity project that uses palm biometrics and zero-knowledge proofs to verify that users are real humans. The project raised $20 million from Pantera Capital and Jump Crypto and launched its mainnet in June 2025.
On the night of June 8, 2026, the project's token bridges on Ethereum and BNB Smart Chain were compromised. The attacker stole or minted an estimated 447 million H tokens, resulting in approximately $36 million in losses at the time of the attack.
Step-by-Step Breakdown of the Attack
Step | What Happened |
1. Malware infection | A developer's laptop was infected with malware that gained root (full administrator) access to the machine. |
2. Key theft | The malware extracted seven private keys stored on the device: one hot wallet key, three Ethereum Safe owner keys, and three BNB Smart Chain Safe owner keys. |
3. Threshold met | On Ethereum, the attacker had 3 of the 6 required Safe keys. On BNB Smart Chain, 3 of 5. Both met the minimum approval threshold. |
4. Ownership seized | Using the compromised keys, the attacker transferred ownership of the bridge ProxyAdmin contracts to wallets they controlled. |
5. Malicious upgrade (ETH) | The attacker upgraded the Ethereum bridge contract to a malicious version and drained approximately 141.2 million H tokens in a single transaction. |
6. Unlimited mint (BNB) | On BNB Smart Chain, the attacker deployed a contract with an unlimited mint function and created approximately 200 million additional H tokens. |
7. Market dump | Tokens were sold into the market. The H token price fell from roughly $0.70 to approximately $0.05 within hours, a drop of over 90%. |
Why the Multisig Protection Failed
Here is the core problem. A multisig wallet is only as secure as the physical and organizational separation of its keys. If those keys end up on the same device, you no longer have a true multisig. You have a single point of failure dressed up as distributed security.
According to Humanity Protocol founder Terence Kwok, the multisig was originally set up across four individuals, which is correct practice. However, during the mainnet launch in June 2025, some keys were accidentally backed up to a developer's machine. That machine was later compromised.
The forensic report published by the project confirmed that a single compromised laptop held backups of seven private keys. This gave the attacker everything needed to meet the signing threshold on both chains without touching any other device.
The technical security of the smart contract was not the issue. The issue was operational: keys that were supposed to be distributed were concentrated on one machine. The attacker did not need to find a bug in the code. They only needed the keys.
What Is Operational Security (OpSec) in Crypto?
Operational security, often shortened to OpSec, refers to the set of practices and procedures that protect sensitive information from being exposed or stolen. In the context of crypto wallets and protocol administration, this means controlling how private keys are generated, stored, backed up, and used.
Good OpSec is not just about using the right tools. It is about how people use those tools day to day. You can set up a technically perfect multisig configuration and still undermine it completely through poor key management habits.
Common OpSec Failures That Lead to Exploits
Storing key backups in cloud services or on internet-connected devices
Generating all keys on the same machine during setup and failing to move them apart
Using hot wallets (software wallets connected to the internet) as multisig signers
Not verifying the security of a device before using it for key operations
Backing up seed phrases or private key files to unencrypted folders or shared drives
Failing to monitor wallet activity for unauthorized transactions
What Proper Multisig Key Management Looks Like
Security organizations like SEAL (Security Emergency Alliance) and leading wallet providers publish guidance on multisig best practices. The following table summarizes the core principles.
Best Practice | Why It Matters |
Each key held by a different person on a different device | Eliminates the single device as a point of failure |
Use hardware wallets (Ledger, Trezor, etc.) for each signer | Keys never touch an internet-connected machine |
Geographic separation of signing devices | Reduces risk from physical compromise or natural events |
Never back up keys to shared or cloud storage | Backups are often the weakest point in key security |
Monitor multisig wallets for unexpected activity | Enables early detection of unauthorized signature attempts |
Use time-locked transactions for large or admin actions | Gives the team time to detect and cancel malicious proposals |
Include at least one external signer (security partner, advisor) | Reduces risk from internal compromise or social engineering |
Document all signers and rotate regularly | Keeps access current and reduces stale key risk |
What Is a Hardware Wallet and Why Does It Matter Here?
A hardware wallet is a physical device (examples include Ledger and Trezor) that stores a private key offline. The key never leaves the device and is never exposed to an internet-connected computer. When you sign a transaction using a hardware wallet, the signing happens inside the device itself.
In a properly configured multisig, each signer uses their own separate hardware wallet. Even if a signer's computer is infected with malware, the attacker cannot extract the private key because it exists only inside the offline hardware device, not on the machine itself.
This is exactly what Humanity Protocol's setup was missing. The keys were stored on a software-accessible device rather than in offline hardware. When the device was compromised, all those keys became accessible.
How Humanity Protocol Responded
After the attack, Humanity Protocol took several containment steps:
Halted all bridge deposits and withdrawals on the affected chains
Used unaffected multisig wallets to freeze the Ethereum H token contract
Published a live tracker of attacker addresses and token movements
Offered a $1 million USDT bounty for information leading to asset recovery
Engaged external security firms for forensic investigation
Coordinated with exchanges to freeze or flag stolen funds
Reported the incident to law enforcement
The project also noted that other chains, including Arbitrum, were not affected because those bridge controls remained under properly secured keys.
On-chain investigator ZachXBT initially raised the possibility the incident was staged, but later revised that assessment after reviewing the laundering trail, concluding the private key compromise and suspicious market-maker activity appeared to be separate events.
What This Means for Everyday Crypto Users
Most people reading this will never manage a DeFi protocol or run a multisig treasury. But the lessons here apply at every level of crypto participation.
Even a personal multisig wallet, or even a standard single-key wallet, can be undermined by poor key management. Here are the practical habits that matter:
Never store a seed phrase or private key on a device that connects to the internet
Never photograph your seed phrase or save it to a cloud service
If you use a hardware wallet, buy it directly from the manufacturer, not a third-party reseller
Treat device security (antivirus, OS updates, phishing awareness) as part of your crypto security
For significant holdings, consider a hardware wallet as the minimum standard
For teams or organizations, require each signer to use a dedicated hardware wallet with keys generated on that device
The Humanity Protocol incident is a reminder that blockchain security does not end at the smart contract level. The human layer, how keys are created, stored, and managed, remains the most common attack surface.
Want to go deeper? Read our Wallet Security Fundamentals tutorial in the Crypto University library for a full guide to private keys, seed phrases, hardware wallets, and building a personal security setup from scratch.
Frequently Asked Questions
What is a multisig wallet?
A multisig (multi-signature) wallet requires a set number of private keys to approve any transaction. For example, a 2-of-3 setup means two out of three designated keyholders must sign before funds can move. This prevents a single stolen key from being enough to take control.
How did the Humanity Protocol attacker beat the multisig?
The attacker did not beat the cryptography of the multisig itself. Instead, they infected a developer's laptop with malware, which extracted seven private keys stored on that one device. Those keys were enough to meet the signing threshold on both Ethereum and BNB Smart Chain bridges without needing to compromise any other person or device.
What is operational security (OpSec) in crypto?
Operational security (OpSec) refers to the real-world practices that protect sensitive data, including private keys and seed phrases, from being accessed or stolen. Having strong cryptographic tools means little if keys are stored carelessly. OpSec covers how keys are generated, where they are stored, who has access, and how devices are secured.
What is a hardware wallet and does it prevent this kind of attack?
A hardware wallet is a physical offline device that stores private keys in a way that never exposes them to an internet-connected computer. If each multisig signer uses a dedicated hardware wallet and keys are never backed up to an online device, then a malware infection on a laptop cannot extract those keys. Hardware wallets are a key part of proper multisig OpSec.
Was Humanity Protocol's multisig set up correctly?
According to the project's founder, the multisig was originally distributed across four individuals, which is correct practice. The problem was that during mainnet setup, some keys were accidentally backed up to a single device. That device was later compromised, giving the attacker access to multiple keys from multiple signers without needing to breach multiple people.
What is Gnosis Safe (Safe Wallet)?
Gnosis Safe, now branded as Safe{Wallet}, is the most widely used multisig smart contract wallet on Ethereum and EVM-compatible chains. It allows teams and DAOs to configure M-of-N signing thresholds for shared fund management or protocol administration. It was the multisig platform used by Humanity Protocol for its bridge admin controls.
Can a multisig wallet ever be truly secure?
Yes, but security depends on how it is implemented. A multisig is technically sound when keys are genuinely distributed across separate people, devices, and locations, and when each key is held in offline hardware. When those conditions are met, a single compromise does not give an attacker enough control. The Humanity Protocol case shows that the weakest link is almost always operational, not technical.
What should a project do after a multisig hack?
Immediate steps typically include halting affected bridges or contracts, using remaining unaffected keys to freeze tokens where possible, notifying exchanges to flag stolen assets, engaging security firms for forensic analysis, publishing transparent updates for the community, and reporting to law enforcement. Long-term recovery also requires a security audit, new key management policies, and in some cases a token migration or compensation plan.
Disclaimer: This content is for educational and informational purposes only and is not financial advice. Nothing here is a recommendation to buy or sell any asset or use any platform. Do your own research and manage your risk.
How to Evaluate a Web3 Protocol: An On-Chain Due Diligence Framework
MetaMask Agent Wallet: A Complete Beginner's Guide
AI Agents in Crypto Wallets: Technical Foundations and Security Considerations
Tokenized Assets Go Institutional: What Standard Chartered's 2028 Projection Means
Need deeper training?
Join our structured modules with live examples and expert checklists for effective implementation.
JOIN THE ACADEMY





