Wallets tagged as the June 8 Humanity Protocol exploiters began depositing stolen funds into KuCoin on June 20, according to blockchain analytics firm Lookonchain. The attacker addresses converted stolen $H tokens to USDC through Uniswap and PancakeSwap before routing the proceeds to the exchange. The deposits represent the first confirmed laundering activity since the breach.
How the funds were routed
The movement followed a standard obfuscation pattern: funds split across multiple wallets in 10- to 50-ETH increments, with at least one transfer of approximately 500 ETH, before being swapped into stablecoins and deposited on a centralized exchange. Splitting across addresses breaks the on-chain trail before funds reach a venue that requires identity verification.
How the June 8 exploit happened
The breach began with a phishing email disguised as a message from a South Korean exchange, installing malware that gave attackers remote access to an employee's device. The compromised device held three of six Gnosis Safe owner keys on Ethereum and three of five on BNB Smart Chain, enough signing authority to cross approval thresholds on both chains simultaneously. Attackers drained approximately 141 million $H on Ethereum, minted roughly 300 million more on BNB Smart Chain, and took around 6 million from a compromised hot wallet, about 447 million $H tokens in total, with the exploit valued at $36 million.
KuCoin yet to freeze attacker wallets
KuCoin published a detailed breakdown of the exploit and noted the Humanity Protocol team is "working with security experts and exchanges on a resolution," but has not confirmed whether it has frozen the attacker's deposit addresses. The $H token fell roughly 80% in the hours after the June 8 disclosure and was trading at $0.20 on June 21, still far below pre-hack levels.
