A token that lost $36 million to thieves on Monday is up 210% by the weekend. That is the kind of sentence that makes you read it twice.

Humanity Protocol's H token led the gainers board this week. The rebound landed almost on top of one of the uglier security disclosures of the month. Both things are true: the decentralized identity project got drained, and its token still went vertical. Markets do not always behave the way the headlines suggest they should.

The hack behind the rally

The theft reads like a case study in how these operations actually work now, which is to say through people, not code. According to security firm Quantstamp's incident response, the attackers did not break the protocol. They broke an employee.

The entry point was a phishing email dressed up as a token lockup schedule update from Bithumb, the South Korean exchange. Once the attachment was opened, malware took hold of the laptop with full remote access. From there the attackers lifted MetaMask credentials and private keys belonging to a Humanity Protocol director, Chong Yee Wai, as Cointelegraph reported. Roughly $36 million in H tokens walked out the door.

Quantstamp flagged a detail worth pausing on. The malware carried a signature from a South Korean Hancom digital certificate, which the firm called typical of North Korean intrusions. That is not a confession, and it is not a smoking gun either. Call it a fingerprint that lines up with a known crew.

And the crew has a resume. Of the $634 million lifted from crypto across April's incidents, investigators traced at least $578 million back to actors with North Korean links, better than nine of every ten dollars stolen that month. A May report from CertiK measured 2025's full-year exploit losses at $3.4 billion and attributed about $2 billion of that figure to the same actors, even though they accounted for only about 12% of the total number of incidents. Fewer hits, bigger hauls. CertiK described the approach as built on precision and scale, and pegged the total across the past decade at an estimated $6.75 billion over 263 documented events.

Pyongyang, as usual, is not playing along. On May 3 a Foreign Ministry spokesperson, in a statement carried by the state news agency KCNA, dismissed the accusations and accused Washington of inventing a cyber threat that does not exist. North Korea rarely engages with these claims at all, so even a flat denial counts as a response.

Why a drained token went up

So why does H rally after all that? The cleanest answer is that hack news and token price often move on separate clocks.

A stolen treasury is a balance-sheet problem. A 210% candle is a liquidity-and-sentiment problem. Thin order books on a small-cap token mean a burst of speculative buying, or a coordinated bid, can swamp whatever fear the exploit generated. There is a recurring pattern here: traders treat the post-hack dip as an entry, betting the project survives and the headline fades. Sometimes that bet pays. Sometimes it is the exit liquidity for whoever is quietly selling. I would not read the rally as the market clearing Humanity Protocol of risk. I would read it as the market doing what thin markets do.

What the price action does not change is the underlying lesson, and it is the one the industry keeps relearning. The weak point was not a smart contract. It was an inbox. The most sophisticated attribution analysis in the world still traces back to someone clicking an attachment that looked like routine paperwork from a familiar exchange.

That is the uncomfortable middle ground crypto security keeps landing in. Auditors can stress-test code until it is airtight, and the money still leaves through a director's laptop. The economics reward exactly this shift: a credential-based intrusion sidesteps the audited surface entirely, and CertiK's own math, a fraction of the incidents producing the bulk of the losses, is what a pivot from breaking contracts to compromising people looks like in aggregate. Immunefi's CEO recently warned that AI tooling is pushing the offense even further ahead, the kind of speed advantage that makes a single phishing success far more dangerous than it used to be.

Watch two things from here. First, whether Humanity Protocol publishes a recovery or reimbursement plan, because token holders rallying on hope will eventually want something more concrete than a price chart. Second, whether the H rally holds past the week, or whether it cools as fast as it spiked. A 210% move that round-trips inside a fortnight tells a very different story than one that sticks. Either way, the $36 million is still gone, and the people who took it, as the April and May figures make plain, have done this before.