Roughly $815,000 in digital assets moves out of the Alephium TokenBridge on Ethereum and into a single wallet address in barely 7 minutes. No flash loan. No smart contract exploit. Just three compromised keys and a bridge architecture that hands full authority to whoever holds them. How the attack unfolds: According to Blockaid monitoring, the attacker gains access to three out of four guardian keys securing Alephium’s private Wormhole fork and uses them to sign six forged Verified Action Approvals, VAAs, the signed messages that authorize cross-chain transfers on Wormhole-based bridges. Blockaid detected an exploit targeting the Alephium TokenBridge on Ethereum. ~$815K drained in ~7 minutes via 3-of-4 compromised guardian keys signing forged VAAs. 13.76M wrapped ALPH minted (>100% of prior supply) + USDT/USDC/WBTC/WETH unlocked from custody. More details in… — Blockaid (@blockaid_) May 30, 2026 With those forged VAAs in hand, the attacker calls the `completeTransfer` function on the TokenBridge proxy contract. The contract does exactly what it is supposed to do: it verifies the signatures, finds them valid, and releases the assets. The result is immediate. Frozen USDT, USDC, WBTC, and WETH are unlocked from the custody contract and transferred to the attacker. Simultaneously, 13.76 million wrapped ALPH tokens are minted directly into the attacker’s wallet, out of thin air, with no collateral backing them whatsoever. That figure represents more than 100% of the prior wrapped ALPH supply on Ethereum. The entire operation completes in roughly seven minutes. As of the time of writing, the attacker’s address still holds the stolen assets, approximately $815,000 in mixed tokens plus the 13.76 million uncollateralized wrapped ALPH. The Architecture That Made it Possible To understand why this works, the structure of Alephium’s bridge matters. The project runs a private fork of the Wormhole protocol, but with a critically small guardian set of just four validators. Wormhole’s quorum formula means the minimum number of signatures required to authorize a VAA scales with the number of guardians. With four guardians, that threshold lands at exactly three. Three compromised keys equals full bridge authority. No redundancy. No override. The math leaves no room for error, and the attacker exploits that gap with precision. Blockchain security analysts identify the three signing addresses on the malicious VAAs as `0x214f15…ad29`, `0x78c7b8…7852`, and `0x9efb0c…89a1`. The only honest, unused guardian key, `0x4b2cbe…88fb`, sits on the sideline with no power to stop what is happening. One clean key out of four is not enough to prevent anything under this quorum structure. This is not a flaw in the smart contract code. The contract performs correctly throughout the entire attack. What fails is the operational security around the guardian keys themselves, the human and infrastructure layer responsible for keeping those keys private and protected. Alephium Responds and Shuts the Bridge Down The Alephium team acknowledges the incident publicly, confirming awareness of a security incident affecting the bridge. The bridge is shut down immediately, and the team confirms that no new bridge transactions can currently be initiated, meaning the exploit pathway is closed, at least for now. We are aware of a security incident affecting the Alephium bridge. The bridge has been shut down, and no new bridge transactions can currently be initiated. As a result, the exploit can no longer be executed through the bridge. Based on our investigation so far, the issue… — Alephium (@alephium) May 30, 2026 The team’s early characterization of the root cause, however, diverges from the technical analysis put forward by on-chain security researchers. Alephium states that the issue appears to involve malicious event emission rather than a key compromise, while cautioning that the full scope is still being assessed and their understanding may evolve as more information becomes available. The team is actively investigating and promises further updates as soon as confirmed details are available. That discrepancy between the initial team statement and the forensic evidence surfaced by independent researchers is worth watching. Key compromise and malicious event emission are not the same problem, and they do not carry the same implications for bridge security or recovery options. What a Guardian Key Compromise Means in Practice The distinction between a smart contract vulnerability and a key custody failure is not a technical footnote, it defines everything about the severity and the path to resolution. Smart contract bugs can often be patched with an upgrade. Key compromises are a different category of problem entirely. Once private keys are in an attacker’s hands, every prior assumption about if those keys are protected becomes unreliable. The question of how three out of four guardian keys ended up compromised simultaneously, whether through infrastructure breach, insider access, phishing, or another vector, is the central question the investigation now needs to answer. An undersized guardian set amplifies every operational mistake. Four guardians offer almost no tolerance for key compromise, and running that architecture on a live bridge holding user assets represents a significant risk management gap that the project will need to address before any rebuilt bridge goes live. Token Holds But The Damage is Done Despite the severity of the incident, ALPH continues to trade under relatively normal conditions. The token is down approximately 1.3% over the past 24 hours, a measured response from the market given the circumstances, though one that partly reflects the contained nature of the exploit. The attack targets the bridge specifically, not the underlying Alephium chain, which continues to operate without disruption. The more lasting damage sits in the 13.76 million wrapped ALPH now circulating without collateral backing. Those tokens represent a liability that cannot simply be wished away. Any future bridge restart will need to account for that uncollateralized supply and the questions it raises about redemption, burn mechanisms, and user trust in wrapped assets on the Ethereum side. What Comes Next for Alephium The bridge is down and the attacker has not moved the funds. Whether that pause is strategic or simply the beginning of a longer laundering process remains to be seen. What the Alephium team needs to do now is straightforward, even if it is not easy: publish a full technical post-mortem, clarify the discrepancy between its early event-emission characterization and the key compromise evidence, and lay out a concrete plan for how the bridge gets rebuilt, with a guardian set large enough to actually provide security. A four-guardian bridge with a three-of-four signing threshold is not a bridge design that belongs in production. Whatever comes next for Alephium’s cross-chain infrastructure needs to start from that acknowledgment. Disclosure: This is not trading or investment advice. Always do your research before buying any cryptocurrency or investing in any services. Follow us on Twitter @nulltxnews to stay updated with the latest Crypto, NFT, AI, Cybersecurity, Distributed Computing, and Metaverse news !

Hyperliquid viewed the recent approval of U.S crypto perps as positive sign, not a threat.

Between 02:30 and 03:30 UTC, an attacker gains access to a bridge contract signing key on Gravity Bridge, the cross-chain infrastructure connecting Ethereum to the Cosmos ecosystem, and walks out with approximately $5.4 million in mixed assets. No complex smart contract exploit. No flash loan. Just a stolen key and a security model that collapses the moment that key leaves the right hands. What Gets Taken and How Fast On-chain security firm PeckShield confirms the drain, with the breakdown landing as follows: $4.3 million in USDC, 274 ETH worth roughly $553,000 at current prices, $434,000 in USDT, and $64,000 in PAYG gold tokens. #PeckShieldAlert The @gravity_bridge has been drained of ~$5.4M, including $4.3M $USDC , 274 $ETH (~$553K), $434K $USDT & 14.164 $PAYG ($64K) The hacker has laundered a portion of the stolen assets through #ChangeNow & #Binance , and is still holding 2.102K $ETH (~$4.23M). pic.twitter.com/NJSNqc0G78 — PeckShieldAlert (@PeckShieldAlert) May 30, 2026 The attacker does not sit still. Portions of the funds move almost immediately through ChangeNow and Binance in what appears to be an active laundering operation. A significant chunk, however, remains in place, approximately 2,102 ETH valued at around $4.23 million stays under the attacker’s control as of the time of writing. Cyvers Alerts equally independently flags the suspicious activity , corroborating the timeline and the asset composition. The speed of the exploit and the immediate routing through mixers and exchanges suggests this is not a spontaneous attack, it carries the hallmarks of preparation. ALERT Our system has detected multiple suspicious transactions involving @gravity_bridge , resulting in an estimated loss of $5.4M. The attacker drained: $4.3M $USDC 14,164 $PAYG (~$64K) 274 $ETH (~$553K) $434K $USDT The stolen assets were swapped into native $ETH , with a… pic.twitter.com/0CamUpQpba — Cyvers Alerts (@CyversAlerts) May 30, 2026 How Gravity Bridge Actually Works and Why it Matters Gravity Bridge is not a complicated concept at its core. It locks real tokens on the Ethereum side and mints mirror versions of those tokens on Cosmos, with a set of validators required to sign off on every cross-chain move. The security of the entire system rests on one assumption: those signing keys stay private. That assumption fails here. The attacker compromises a bridge contract signing key, which is the functional equivalent of stealing a master key rather than picking a lock. Once that key is in the wrong hands, there is no smart contract to outsmart and no on-chain logic to exploit. The attacker simply presents valid, signed authorization, the same kind the bridge accepts every day, and the contract does what it is designed to do. It releases the assets. This is why the distinction between a smart contract vulnerability and a key compromise matters so much in practice. A contract bug can often be patched, upgraded, or mitigated through governance. A compromised signing key means the entire authorization model has been bypassed at the root. Recovery requires revoking and rotating keys, auditing what else may have been exposed, and rebuilding trust in a system whose most fundamental security property has just been proven breakable. A Pattern That Keeps Repeating Across Bridges Security researchers have noted that this incident follows a well-worn script. Cross-chain bridges have become the single most reliably exploited structure in the entire crypto ecosystem, and the reason is structural rather than incidental. A bridge is, at its simplest, a pile of collateral secured by cryptographic keys and software logic, with its address publicly visible on-chain. It advertises exactly what it holds and exactly how to get it. The only thing standing between an attacker and those funds is the integrity of the keys and the robustness of the signing process. When those keys are compromised, whether through infrastructure breach, phishing, insider access, or another vector, the result is always the same: authorized withdrawals that the contract cannot distinguish from legitimate ones, processed at speed before anyone has a chance to respond. Gravity Bridge has faced scrutiny over its security posture before, and this incident adds to a growing list of bridge-related exploits that have marked 2026 as a particularly brutal year for cross-chain infrastructure. Analysts tracking the trend point to April 2026 as the worst month on record for bridge exploits, nearly one incident per day, with KelpDAO losing $300 million and Drift suffering more than $200 million in losses. The Gravity Bridge drain adds to that total and reinforces a pattern that the industry has so far failed to break. Why Admin Key Reliance Keeps Creating These Moments The persistent vulnerability here is not obscure. Bridges that rely on admin keys and small signing sets are, by design, only as secure as the operational practices surrounding those keys. There is no cryptographic elegance that compensates for a leaked private key. There is no smart contract logic that catches a forged-but-valid signature. What makes this failure mode particularly damaging is that it requires no technical sophistication to exploit once the key is obtained. The attacker does not need to understand Solidity, reverse-engineer bytecode, or construct multi-step flash loan sequences. They need one thing: the key. And when a bridge’s entire authorization model collapses down to that single point, compromising it becomes the most efficient attack surface available. The industry has known this for years. The response, moving toward decentralized validator sets, threshold signature schemes, and larger, more distributed guardian networks, exists as a theoretical direction. But bridges continue to launch and operate with concentrated signing authority, and attackers continue to find those concentrations and exploit them. The Funds That Moved and The Funds That Did Not The laundering picture here is worth watching closely. The attacker routes a portion of the stolen assets through ChangeNow and Binance quickly after the exploit, moving fast to fragment and obscure the trail. That portion is likely difficult or impossible to recover. The remaining 2,102 ETH, worth north of $4 million, sits unmoved in the attacker’s wallet, which is either a sign of caution, a staging delay ahead of further laundering, or the beginning of a negotiation. Large sums of ETH sitting in a known attacker address create an interesting dynamic. Centralized exchanges can flag the address. On-chain analysts can monitor every outbound transaction. Whether that visibility translates into any meaningful recovery depends heavily on whether the attacker makes mistakes in how they eventually move those funds. What This Incident Signals for Cross-Chain Security Gravity Bridge now faces the same post-exploit reckoning that every compromised bridge eventually reaches: a technical post-mortem explaining exactly how the signing key was obtained, a transparent accounting of what changes are being made to prevent recurrence, and a credible answer to the question of why a bridge holding millions of dollars in user assets was secured by a key architecture that a single compromise could fully defeat. The broader signal, however, extends well beyond Gravity Bridge. As long as cross-chain bridges continue to be built around concentrated signing authority and admin key models, they will continue to be the most targeted and most successfully exploited structures in crypto. The attacks are not getting more sophisticated. The targets are simply not getting harder to hit. Disclosure: This is not trading or investment advice. Always do your research before buying any cryptocurrency or investing in any services. Follow us on Twitter @nulltxnews to stay updated with the latest Crypto, NFT, AI, Cybersecurity, Distributed Computing, and Metaverse news !

Bitcoin faced growing ETF-driven selling pressure as buyers attempted to defend key support.