
H token exploit traced to compromised developer machine amid OTC scrutiny

The H token exploit triggered broader scrutiny online after ZachXBT questioned the project’s market-making activity before clarifying it appeared unrelated to the compromise.

The team behind the H token exploit says a malware-infected developer machine led to the compromise of seven private keys, allowing an attacker to seize control of bridge infrastructure and trigger one of the largest token incidents of the month.

According to the project’s post-mortem report, the attacker drained 141 million H tokens on Ethereum and minted another 300 million H tokens on BNB Chain after taking control of administrative bridge permissions.

The report stressed that there was no vulnerability in the bridge contracts, the token contracts, or the multisig architecture itself.

“There was no bug in the bridge, the token, or the Safe,” the team wrote.

Instead, the exploit was traced to a compromised developer device where multiple production private keys had reportedly been backed up.

Attacker gained administrative bridge control

The report says the attacker first compromised an externally owned account tied to bridge administration before taking ownership of the protocol’s ProxyAdmin contracts.

That allowed the exploiter to:

  • upgrade bridge implementations,
  • drain liquidity on Ethereum,
  • and mint large amounts of H tokens on BNB Chain.

The team said the BNB Chain side of the token supply is now considered “unrecoverable” because the attacker still controls key bridge permissions tied to the compromised infrastructure.

The incident effectively transformed a private key compromise into a full bridge administration takeover.
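The sequence described above, a ProxyAdmin ownership change followed by bridge implementation upgrades, emits on-chain events that a monitor can check against an allowlist. The sketch below is an added example, not code from the project or its post-mortem. It assumes OpenZeppelin-style `OwnershipTransferred` and ERC-1967 `Upgraded` events, and every address and log entry in it is a constructed placeholder.

```python
# Added example: flag admin-plane changes on upgradeable bridge contracts.
# Every address and log entry here is a constructed placeholder.

# topic0 values: keccak256 of the event signature.
OWNERSHIP_TRANSFERRED = "0x8be0079c531659141344cd1fd0a4f28419497f9722a3daafe3b4186f6b6457e0"  # OwnershipTransferred(address,address)
UPGRADED = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"  # Upgraded(address)

def addr(n):
    return "0x" + format(n, "040x")

def as_topic(address):
    """Indexed address as a 32-byte topic (left-padded with zeros)."""
    return "0x" + "0" * 24 + address[2:]

PROXY_ADMIN, BRIDGE_PROXY = addr(0xA1), addr(0xB1)  # contracts to watch (assumed)
APPROVED_OWNERS = {addr(0x5AFE)}                    # e.g. the team multisig
APPROVED_IMPLS = {addr(0xC1)}                       # reviewed implementations

def topic_to_address(topic):
    return "0x" + topic[-40:].lower()

def review_logs(logs):
    """Return alerts for owner changes and upgrades outside the allowlists."""
    alerts = []
    for log in logs:
        contract, topics = log["address"].lower(), log["topics"]
        if not topics:  # anonymous event, nothing to match
            continue
        sig = topics[0].lower()
        if sig == OWNERSHIP_TRANSFERRED and contract == PROXY_ADMIN and len(topics) >= 3:
            new_owner = topic_to_address(topics[2])
            if new_owner not in APPROVED_OWNERS:
                alerts.append(("proxyadmin-owner-changed", new_owner))
        elif sig == UPGRADED and contract == BRIDGE_PROXY and len(topics) >= 2:
            impl = topic_to_address(topics[1])
            if impl not in APPROVED_IMPLS:
                alerts.append(("unapproved-implementation", impl))
    return alerts

SAMPLE_LOGS = [  # constructed, in eth_getLogs shape
    {"address": BRIDGE_PROXY, "topics": [UPGRADED, as_topic(addr(0xC1))]},  # approved upgrade
    {"address": PROXY_ADMIN, "topics": [OWNERSHIP_TRANSFERRED, as_topic(addr(0x5AFE)), as_topic(addr(0xBAD))]},
    {"address": BRIDGE_PROXY, "topics": [UPGRADED, as_topic(addr(0xDEAD))]},
    {"address": BRIDGE_PROXY, "topics": []},
]

if __name__ == "__main__":
    for alert in review_logs(SAMPLE_LOGS):
        print(alert)
```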

Report points to operational security failure

Unlike many DeFi exploits involving smart contract bugs or protocol logic flaws, the H incident appears to be primarily tied to operational security failures.

The report says a single malware-infected machine exposed seven production keys tied to bridge and administrative systems.

That compromise allowed the attacker to operate with legitimate permissions rather than bypassing protocol security mechanisms directly.

The exploit adds to growing industry concerns that decentralized infrastructure can still fail catastrophically when private key management and endpoint security remain centralized.

Exploit triggered wider scrutiny online

The incident also sparked broader discussion across Crypto Twitter. On-chain investigator ZachXBT questioned the project’s market-making and OTC activity before later clarifying that the exploit itself appeared unrelated.

In a series of posts, ZachXBT initially raised concerns about active market-making agreements and token promotion activity surrounding the project.

However, he later said further analysis suggested the “private key compromise” and “sketchy MM / OTC” activity appeared “independent of one another and not related.”

The comments reflected broader skepticism in the market as traders sought to determine whether the exploit stemmed from insider activity or a genuine infrastructure compromise.


Final Summary

  • The H token exploit was traced to a malware-infected developer machine that exposed seven private keys used for bridge administration.
  • ZachXBT later clarified that separate concerns about market-making and OTC activity were not directly connected to the private key compromise.

 


Adewale Olarinde

Journalist
