The team behind the H token exploit claims that a malware-infected development machine led to the compromise of seven private keys, allowing an attacker to take control of the bridge’s infrastructure and trigger one of the largest token incidents of the month.
According to the project’s autopsy report, the attacker emptied himself 141 million H tokens on Ethereum and I minted another one 300 million H tokens on BNB Chain after taking control of the administrative authorizations of the bridge.
The report highlights that there are no vulnerabilities in bridge contracts, token contracts, or the multisig architecture itself.
“There were no bugs in the bridge, token, or vault,” the team wrote.
Instead, the exploit was traced to a compromised developer’s device on which multiple production private keys were allegedly saved.
The attacker took control of the administrative bridge
The report states that the attacker first compromised an external account linked to bridge administration before taking possession of the protocol’s ProxyAdmin contracts.
This allowed the exploiter to:
- upgrade bridge implementations,
- drain liquidity on Ethereum,
- and mint large amounts of H tokens on BNB Chain.
The team said the BNB chain side of the token offering is now considered “unrecoverable” as the attacker still controls key bridge permissions related to the compromised infrastructure.
The incident effectively turned a private key compromise into a complete takeover of the bridge’s administration.
Report highlights operational security failure
Unlike many DeFi exploits involving smart contract bugs or protocol logic flaws, Incident H appears to be primarily related to operational security failures.
The report states that a single malware-infected machine exposed seven production keys related to the bridge and administration systems.
This compromise allowed the attacker to operate with legitimate permissions rather than directly bypassing the protocol’s security mechanisms.
This feat adds to growing industry concerns that decentralized infrastructure can still fail catastrophically when private key management and endpoint security remain centralized.
Exploit sparked wider online surveillance
The incident also sparked a wider discussion on Crypto Twitter. On-chain investigator ZachXBT questioned the project’s market-making and over-the-counter activities before later clarifying that the exploit itself appeared unrelated.
In a series of posts, ZachXBT initially raised concerns about active market-making agreements and token promotion activities surrounding the project.
However, he later said that further analysis suggested that the “private key compromise” and “fragmentary MM/OTC” activity appeared “independent of each other and unrelated.”
These comments reflected broader skepticism in the market as traders sought to determine whether the exploit came from internal activity or a true infrastructure compromise.
Final summary
- The H token exploit was traced to a malware-infected development machine that exposed seven private keys used for bridge administration.
- ZachXBT then clarified that the separate concerns regarding market making and over-the-counter activities were not directly related to the private key compromise.

