H Token Exploit Linked to Malware on Developer Device, Seven Keys Compromised
The team behind the H token exploit said the incident stemmed from a malware-infected developer machine that exposed seven private keys, enabling an attacker to take over key bridge administration and execute one of the month's largest token incidents.
In a postmortem, the project said the attacker drained 141 million H tokens on Ethereum and minted an additional 300 million H tokens on BNB Chain after obtaining administrative bridge permissions. The team emphasized there was no vulnerability in the bridge contracts, token contracts, or the multisig setup itself. "There was no bug in the bridge, the token, or the Safe," the team wrote.
The report said the attacker first compromised an externally owned account associated with bridge administration, then assumed control of the protocol's ProxyAdmin contracts. With that access, the attacker could upgrade bridge implementations, drain Ethereum-side liquidity, and mint large amounts of H tokens on BNB Chain.
The team said the BNB Chain portion of the token supply is now considered "unrecoverable" because the attacker still controls bridge permissions tied to the compromised infrastructure. The incident effectively escalated from a private key leak into a full bridge administration takeover.
Unlike many DeFi incidents driven by smart contract bugs or protocol logic flaws, the H exploit appears rooted in operational security failures. The postmortem said a single infected machine exposed seven production keys tied to bridge and administrative systems, allowing the attacker to act with legitimate permissions rather than bypassing onchain security mechanisms.
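An attacker holding valid admin keys still has to emit the proxy's administrative events to upgrade a bridge, so those events can be checked against approved changes. The sketch below is an added example, not code from the postmortem or the project: it assumes OpenZeppelin-style proxies that emit the standard ERC-1967 `Upgraded`/`AdminChanged` and Ownable `OwnershipTransferred` events, and every address and log entry in it is a constructed placeholder.

```python
# Added example: flag proxy-administration events that fall outside approved changes.
# Topic hashes are the standard ERC-1967 / Ownable event signatures (assumed to apply).
UPGRADED = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"
OWNERSHIP_TRANSFERRED = "0x8be0079c531659141344cd1fd0a4f28419497f9722a3daafe3b4186f6b6457e0"
ADMIN_CHANGED = "0x7e644d79422f17c01e4894b5f4f588d331ebfa28653d42ae832dc59e38c9798f"

def topic_to_address(topic):
    """An indexed address is left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def review_logs(logs, watched, approved_impls, approved_owners):
    """Return (contract, reason) for each admin event that needs investigation."""
    alerts = []
    for log in logs:
        addr = log["address"].lower()
        if addr not in watched:
            continue
        topic0 = log["topics"][0].lower()
        if topic0 == UPGRADED:
            impl = topic_to_address(log["topics"][1])
            if impl not in approved_impls:
                alerts.append((addr, f"upgrade to unapproved implementation {impl}"))
        elif topic0 == OWNERSHIP_TRANSFERRED:
            owner = topic_to_address(log["topics"][2])
            if owner not in approved_owners:
                alerts.append((addr, f"ownership moved to unapproved account {owner}"))
        elif topic0 == ADMIN_CHANGED:
            # AdminChanged carries its addresses in data, not topics: always alert.
            alerts.append((addr, "proxy admin changed"))
    return alerts

def pad(addr):
    """Encode a 20-byte address as a 32-byte indexed topic."""
    return "0x" + "0" * 24 + addr[2:]

# Constructed placeholders, not addresses from the incident.
PROXY_ADMIN, BRIDGE_PROXY = "0x" + "11" * 20, "0x" + "22" * 20
SAFE, GOOD_IMPL = "0x" + "33" * 20, "0x" + "44" * 20
UNKNOWN_EOA, UNKNOWN_IMPL = "0x" + "ee" * 20, "0x" + "ff" * 20
SAMPLE_LOGS = [
    {"address": BRIDGE_PROXY, "topics": [UPGRADED, pad(GOOD_IMPL)]},
    {"address": PROXY_ADMIN, "topics": [OWNERSHIP_TRANSFERRED, pad(SAFE), pad(UNKNOWN_EOA)]},
    {"address": BRIDGE_PROXY, "topics": [UPGRADED, pad(UNKNOWN_IMPL)]},
]

def demo():
    return review_logs(SAMPLE_LOGS, {PROXY_ADMIN, BRIDGE_PROXY}, {GOOD_IMPL}, {SAFE})
```

In the sample data the approved upgrade passes silently, while the ownership transfer to an unlisted account and the later upgrade to an unlisted implementation both raise alerts.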
The event also reignited broader concerns across the industry about how decentralized systems can suffer catastrophic failures when private key management and endpoint security remain concentrated.
Online scrutiny expanded beyond the technical details. Onchain investigator ZachXBT questioned the project's market-making and OTC activity before later clarifying that his concerns appeared unrelated to the exploit. In follow-up posts, he said further analysis suggested the "private key compromise" and "sketchy MM / OTC" activity were "independent of one another and not related."
Final Summary: The H token exploit was traced to a malware-infected developer machine that exposed seven private keys used for bridge administration. ZachXBT later said separate concerns around market-making and OTC activity did not appear directly connected to the private key compromise.