H Token Exploit Linked to Malware on Developer Device, Not Smart-Contract Flaw

CoinMarketCap cited a post-incident review from the H project team saying the breach stemmed from a malware infection on a developer's device, not a vulnerability in the protocol's contracts. The compromise exposed seven production private keys, giving attackers legitimate administrative access.

According to the postmortem, the attacker first took over an external account tied to cross-chain bridge operations, then obtained control over the ProxyAdmin contract permissions. With that access, the attacker upgraded the bridge implementation, drained liquidity from the Ethereum side of the bridge, and minted new H tokens on BNB Chain. The team reported that 141 million H were withdrawn from the Ethereum side. On BNB Chain, an additional 300 million H tokens were minted.

The project said the cross-chain bridge contract, token contract and multisig architecture were not exploited at the logic level. Instead, the attacker used valid admin permissions obtained via leaked keys, turning the incident into an effective takeover of the bridge management system. The team added that the H supply minted on BNB Chain is currently considered unrecoverable, as key bridge permissions remain under the attacker's control through the compromised infrastructure.

The review also highlighted operational security failures, noting that multiple production private keys had been backed up on the same infected device.

Following the incident, on-chain investigator ZachXBT questioned the project's market-making and OTC activity, prompting speculation about potential internal factors. He later said further analysis suggested the private-key leak appeared separate from, and unrelated to, the market-making and OTC issues.