🟢 Verified 📰 News

Hackers are going after people, not just code — the $36M lesson behind one laptop

· ✍️ altrookie editorial · 👁️ Read-only

A decentralized identity startup called Humanity Protocol lost about $36 million in June, and the break-in did not begin…


A decentralized identity startup called Humanity Protocol lost about $36 million in June, and the break-in did not begin with a clever piece of code. It began with an employee opening a booby-trapped email attachment. That small detail says a lot about where crypto crime is heading in 2026.

According to the company's founder, the trouble traced back to its mainnet launch last year, when several sensitive keys were quietly backed up onto a laptop — including hot wallet keys and some of the multisig keys that are supposed to require several people to approve a transaction. When that laptop was compromised, the attackers had what they needed. Security firm Quantstamp said the malware arrived through a phishing email whose attachment was disguised as a routine token-schedule update from a well-known Korean exchange, and pointed to North Korea-linked hackers, who investigators tie to the bulk of stolen crypto this year.

This is the shift worth noticing. For years, the scary crypto headlines were about smart contract bugs — flaws in the code that runs a protocol. Increasingly, the money is being taken by going after the humans instead. The security firm CertiK found that phishing drove most losses in the first quarter of 2026, and that wallet compromises — someone getting access to keys they should not have — became the single biggest category in the second quarter.

There is a real debate about how much artificial intelligence changes this. Dragonfly's Haseeb Qureshi argues the feared AI-powered hacking wave has not arrived: the number of incidents hit a record, but the typical hack has gotten smaller, suggesting AI tools are mostly helping attackers pick off small or abandoned projects rather than large, well-defended ones. Others, like OpenZeppelin's founder, are less relaxed. Total losses actually fell about 47% in the first half of the year to $1.32 billion, though that comparison flatters 2026 — the year before was inflated by the record $1.4 billion Bybit theft.

For a beginner, the practical lesson is that most of these attacks are not magic. They rely on someone clicking, approving, or signing something they did not fully understand. Treat unexpected attachments and messages — even ones that look official — as suspect. Use a hardware wallet for anything you would be upset to lose, reach services through addresses you typed yourself rather than links you were sent, and never approve a transaction or sign a message you cannot explain in plain language. The code is getting safer; the person at the keyboard is now the target.