According to blockchain security firm Quantstamp, a malicious attachment provided in a phishing email indicates the involvement of North Korea-linked groups in the recent Humanity Protocol hack.

The decentralized identity company said a compromised employee’s laptop on Monday allowed attackers to steal $36 million worth of Humanity (H) tokens.

The malicious attachment was disguised as an update to the token blocking schedule from the South Korean cryptocurrency exchange Bithumb. Quantstamp said in response to the incident that it had installed malware that gave attackers full remote access to the laptop.

Phishing email that resulted in a Humanity protocol breach. source: Quantstamp

Quantstamp added that the malware was signed with a South Korean Hancom digital certificate, which was described as “characteristic of DPRK intrusions.” The malware allowed attackers to copy the credentials and private keys of Humanity Protocol director Chong Yee Wai’s MetaMask wallet.

The suspected connection to North Korea would contribute to a series of major cryptocurrency thefts attributed to that country. North Korea-linked criminals were linked to at least $578 million of the $634 million stolen in April in cryptocurrency-related incidents.

North Korean hackers linked to some of the biggest cryptocurrency hacks

According to a May report by blockchain security firm CertiK, the same actors were linked to approximately $2 billion of the $3.4 billion lost to cryptographic exploits in 2025, representing 12% of all incidents. CertiK said the numbers reflected a focus on “precision and scale.”

Over the past decade, North Korea-linked actors have stolen an estimated $6.75 billion worth of cryptocurrencies in 263 documented incidents. report he said.

Related: CZ raises alarm when ‘SEAL’ team discovers 60 fraudulent IT workers with ties to North Korea

CertiK added that North Korea has “industrialized” cryptocurrency theft into a primary state revenue mechanism, making these operations a significant portion of the regime’s external revenues.

Total cryptocurrency theft in the DPRK over the years. Source: CertiK/Skynet

North Korea rarely responds to allegations of cybercrime, but a Foreign Ministry spokesman announced this on May 3 he rejected them in a statement run by the Korean Central News Agency, the country’s state media.

The spokesman accused the United States of spreading “false” narratives about a “non-existent ‘cyber threat'” from North Korea.

Warehouse: Coinbase hack shows the law probably won’t protect you – here’s why

Cointelegraph is committed to independent and crystal clear journalism. This news article has been produced in accordance with Cointelegraph’s Editorial Policy and is intended to provide true and up-to-date information. Readers are encouraged to verify the information themselves.