$H Incident: Tooling Linked to North Korean Actors
Contents
$H Incident: Tooling Linked to North Korean Actors
Today we’re publishing the findings of the independent investigation conducted by @Quantstamp
, Inc into the $H
token compromise on June 8, 2026. Quantstamp's findings show that the attacker used tooling and methods characteristic of DPRK hackers.
On June 8, an attacker ran a coordinated operation across Ethereum and BNB Smart Chain. Using stolen keys belonging to one of our directors, the attacker upgraded a contract on Ethereum and moved roughly 141.18M $H
, and on BSC took control of a ProxyAdmin contract to mint new $H
.
The attacker sold the $H
across Uniswap and PancakeSwap over roughly eight hours, driving the open-market price down and harming liquidity providers and holders.
How the attacker got in:
This was a targeted social-engineering attack. The director was sent a phishing email impersonating the exchange Bithumb, with whom he’d already been speaking to, themed around a general update. The link contained a …
Today we’re publishing the findings of the independent investigation conducted by @Quantstamp
, Inc into the $H
token compromise on June 8, 2026. Quantstamp's findings show that the attacker used tooling and methods characteristic of DPRK hackers.
On June 8, an attacker ran a coordinated operation across Ethereum and BNB Smart Chain. Using stolen keys belonging to one of our directors, the attacker upgraded a contract on Ethereum and moved roughly 141.18M $H
, and on BSC took control of a ProxyAdmin contract to mint new $H
.
The attacker sold the $H
across Uniswap and PancakeSwap over roughly eight hours, driving the open-market price down and harming liquidity providers and holders.
How the attacker got in:
This was a targeted social-engineering attack. The director was sent a phishing email impersonating the exchange Bithumb, with whom he’d already been speaking to, themed around a general update. The link contained a …