News
30 May 2026, 15:00
Wall Street’s trillion-dollar dilemma: Why AI-powered hackers are keeping big banks off the blockchain

CertiK CEO and co-founder Ronghui Gu says April was the worst month for DeFi in four years with exploits on 27 out of 30 days.
30 May 2026, 14:04
Gravity Bridge Loses $5.4 Million in Suspected Signing Key Compromise

Between 02:30 and 03:30 UTC, an attacker gains access to a bridge contract signing key on Gravity Bridge, the cross-chain infrastructure connecting Ethereum to the Cosmos ecosystem, and walks out with approximately $5.4 million in mixed assets. No complex smart contract exploit. No flash loan. Just a stolen key and a security model that collapses the moment that key leaves the right hands. What Gets Taken and How Fast On-chain security firm PeckShield confirms the drain, with the breakdown landing as follows: $4.3 million in USDC, 274 ETH worth roughly $553,000 at current prices, $434,000 in USDT, and $64,000 in PAYG gold tokens. #PeckShieldAlert The @gravity_bridge has been drained of ~$5.4M, including $4.3M $USDC , 274 $ETH (~$553K), $434K $USDT & 14.164 $PAYG ($64K) The hacker has laundered a portion of the stolen assets through #ChangeNow & #Binance , and is still holding 2.102K $ETH (~$4.23M). pic.twitter.com/NJSNqc0G78 — PeckShieldAlert (@PeckShieldAlert) May 30, 2026 The attacker does not sit still. Portions of the funds move almost immediately through ChangeNow and Binance in what appears to be an active laundering operation. A significant chunk, however, remains in place, approximately 2,102 ETH valued at around $4.23 million stays under the attacker’s control as of the time of writing. Cyvers Alerts equally independently flags the suspicious activity , corroborating the timeline and the asset composition. The speed of the exploit and the immediate routing through mixers and exchanges suggests this is not a spontaneous attack, it carries the hallmarks of preparation. ALERT Our system has detected multiple suspicious transactions involving @gravity_bridge , resulting in an estimated loss of $5.4M. The attacker drained: $4.3M $USDC 14,164 $PAYG (~$64K) 274 $ETH (~$553K) $434K $USDT The stolen assets were swapped into native $ETH , with a… pic.twitter.com/0CamUpQpba — Cyvers Alerts (@CyversAlerts) May 30, 2026 How Gravity Bridge Actually Works and Why it Matters Gravity Bridge is not a complicated concept at its core. It locks real tokens on the Ethereum side and mints mirror versions of those tokens on Cosmos, with a set of validators required to sign off on every cross-chain move. The security of the entire system rests on one assumption: those signing keys stay private. That assumption fails here. The attacker compromises a bridge contract signing key, which is the functional equivalent of stealing a master key rather than picking a lock. Once that key is in the wrong hands, there is no smart contract to outsmart and no on-chain logic to exploit. The attacker simply presents valid, signed authorization, the same kind the bridge accepts every day, and the contract does what it is designed to do. It releases the assets. This is why the distinction between a smart contract vulnerability and a key compromise matters so much in practice. A contract bug can often be patched, upgraded, or mitigated through governance. A compromised signing key means the entire authorization model has been bypassed at the root. Recovery requires revoking and rotating keys, auditing what else may have been exposed, and rebuilding trust in a system whose most fundamental security property has just been proven breakable. A Pattern That Keeps Repeating Across Bridges Security researchers have noted that this incident follows a well-worn script. Cross-chain bridges have become the single most reliably exploited structure in the entire crypto ecosystem, and the reason is structural rather than incidental. A bridge is, at its simplest, a pile of collateral secured by cryptographic keys and software logic, with its address publicly visible on-chain. It advertises exactly what it holds and exactly how to get it. The only thing standing between an attacker and those funds is the integrity of the keys and the robustness of the signing process. When those keys are compromised, whether through infrastructure breach, phishing, insider access, or another vector, the result is always the same: authorized withdrawals that the contract cannot distinguish from legitimate ones, processed at speed before anyone has a chance to respond. Gravity Bridge has faced scrutiny over its security posture before, and this incident adds to a growing list of bridge-related exploits that have marked 2026 as a particularly brutal year for cross-chain infrastructure. Analysts tracking the trend point to April 2026 as the worst month on record for bridge exploits, nearly one incident per day, with KelpDAO losing $300 million and Drift suffering more than $200 million in losses. The Gravity Bridge drain adds to that total and reinforces a pattern that the industry has so far failed to break. Why Admin Key Reliance Keeps Creating These Moments The persistent vulnerability here is not obscure. Bridges that rely on admin keys and small signing sets are, by design, only as secure as the operational practices surrounding those keys. There is no cryptographic elegance that compensates for a leaked private key. There is no smart contract logic that catches a forged-but-valid signature. What makes this failure mode particularly damaging is that it requires no technical sophistication to exploit once the key is obtained. The attacker does not need to understand Solidity, reverse-engineer bytecode, or construct multi-step flash loan sequences. They need one thing: the key. And when a bridge’s entire authorization model collapses down to that single point, compromising it becomes the most efficient attack surface available. The industry has known this for years. The response, moving toward decentralized validator sets, threshold signature schemes, and larger, more distributed guardian networks, exists as a theoretical direction. But bridges continue to launch and operate with concentrated signing authority, and attackers continue to find those concentrations and exploit them. The Funds That Moved and The Funds That Did Not The laundering picture here is worth watching closely. The attacker routes a portion of the stolen assets through ChangeNow and Binance quickly after the exploit, moving fast to fragment and obscure the trail. That portion is likely difficult or impossible to recover. The remaining 2,102 ETH, worth north of $4 million, sits unmoved in the attacker’s wallet, which is either a sign of caution, a staging delay ahead of further laundering, or the beginning of a negotiation. Large sums of ETH sitting in a known attacker address create an interesting dynamic. Centralized exchanges can flag the address. On-chain analysts can monitor every outbound transaction. Whether that visibility translates into any meaningful recovery depends heavily on whether the attacker makes mistakes in how they eventually move those funds. What This Incident Signals for Cross-Chain Security Gravity Bridge now faces the same post-exploit reckoning that every compromised bridge eventually reaches: a technical post-mortem explaining exactly how the signing key was obtained, a transparent accounting of what changes are being made to prevent recurrence, and a credible answer to the question of why a bridge holding millions of dollars in user assets was secured by a key architecture that a single compromise could fully defeat. The broader signal, however, extends well beyond Gravity Bridge. As long as cross-chain bridges continue to be built around concentrated signing authority and admin key models, they will continue to be the most targeted and most successfully exploited structures in crypto. The attacks are not getting more sophisticated. The targets are simply not getting harder to hit. Disclosure: This is not trading or investment advice. Always do your research before buying any cryptocurrency or investing in any services. Follow us on Twitter @nulltxnews to stay updated with the latest Crypto, NFT, AI, Cybersecurity, Distributed Computing, and Metaverse news !
30 May 2026, 13:39
Alephium Bridge Hacked for $815,000 in 7 Minutes as Compromised Guardian Keys Enable Forged Token Transfers

Roughly $815,000 in digital assets moves out of the Alephium TokenBridge on Ethereum and into a single wallet address in barely 7 minutes. No flash loan. No smart contract exploit. Just three compromised keys and a bridge architecture that hands full authority to whoever holds them. How the attack unfolds: According to Blockaid monitoring, the attacker gains access to three out of four guardian keys securing Alephium’s private Wormhole fork and uses them to sign six forged Verified Action Approvals, VAAs, the signed messages that authorize cross-chain transfers on Wormhole-based bridges. Blockaid detected an exploit targeting the Alephium TokenBridge on Ethereum. ~$815K drained in ~7 minutes via 3-of-4 compromised guardian keys signing forged VAAs. 13.76M wrapped ALPH minted (>100% of prior supply) + USDT/USDC/WBTC/WETH unlocked from custody. More details in… — Blockaid (@blockaid_) May 30, 2026 With those forged VAAs in hand, the attacker calls the `completeTransfer` function on the TokenBridge proxy contract. The contract does exactly what it is supposed to do: it verifies the signatures, finds them valid, and releases the assets. The result is immediate. Frozen USDT, USDC, WBTC, and WETH are unlocked from the custody contract and transferred to the attacker. Simultaneously, 13.76 million wrapped ALPH tokens are minted directly into the attacker’s wallet, out of thin air, with no collateral backing them whatsoever. That figure represents more than 100% of the prior wrapped ALPH supply on Ethereum. The entire operation completes in roughly seven minutes. As of the time of writing, the attacker’s address still holds the stolen assets, approximately $815,000 in mixed tokens plus the 13.76 million uncollateralized wrapped ALPH. The Architecture That Made it Possible To understand why this works, the structure of Alephium’s bridge matters. The project runs a private fork of the Wormhole protocol, but with a critically small guardian set of just four validators. Wormhole’s quorum formula means the minimum number of signatures required to authorize a VAA scales with the number of guardians. With four guardians, that threshold lands at exactly three. Three compromised keys equals full bridge authority. No redundancy. No override. The math leaves no room for error, and the attacker exploits that gap with precision. Blockchain security analysts identify the three signing addresses on the malicious VAAs as `0x214f15…ad29`, `0x78c7b8…7852`, and `0x9efb0c…89a1`. The only honest, unused guardian key, `0x4b2cbe…88fb`, sits on the sideline with no power to stop what is happening. One clean key out of four is not enough to prevent anything under this quorum structure. This is not a flaw in the smart contract code. The contract performs correctly throughout the entire attack. What fails is the operational security around the guardian keys themselves, the human and infrastructure layer responsible for keeping those keys private and protected. Alephium Responds and Shuts the Bridge Down The Alephium team acknowledges the incident publicly, confirming awareness of a security incident affecting the bridge. The bridge is shut down immediately, and the team confirms that no new bridge transactions can currently be initiated, meaning the exploit pathway is closed, at least for now. We are aware of a security incident affecting the Alephium bridge. The bridge has been shut down, and no new bridge transactions can currently be initiated. As a result, the exploit can no longer be executed through the bridge. Based on our investigation so far, the issue… — Alephium (@alephium) May 30, 2026 The team’s early characterization of the root cause, however, diverges from the technical analysis put forward by on-chain security researchers. Alephium states that the issue appears to involve malicious event emission rather than a key compromise, while cautioning that the full scope is still being assessed and their understanding may evolve as more information becomes available. The team is actively investigating and promises further updates as soon as confirmed details are available. That discrepancy between the initial team statement and the forensic evidence surfaced by independent researchers is worth watching. Key compromise and malicious event emission are not the same problem, and they do not carry the same implications for bridge security or recovery options. What a Guardian Key Compromise Means in Practice The distinction between a smart contract vulnerability and a key custody failure is not a technical footnote, it defines everything about the severity and the path to resolution. Smart contract bugs can often be patched with an upgrade. Key compromises are a different category of problem entirely. Once private keys are in an attacker’s hands, every prior assumption about if those keys are protected becomes unreliable. The question of how three out of four guardian keys ended up compromised simultaneously, whether through infrastructure breach, insider access, phishing, or another vector, is the central question the investigation now needs to answer. An undersized guardian set amplifies every operational mistake. Four guardians offer almost no tolerance for key compromise, and running that architecture on a live bridge holding user assets represents a significant risk management gap that the project will need to address before any rebuilt bridge goes live. Token Holds But The Damage is Done Despite the severity of the incident, ALPH continues to trade under relatively normal conditions. The token is down approximately 1.3% over the past 24 hours, a measured response from the market given the circumstances, though one that partly reflects the contained nature of the exploit. The attack targets the bridge specifically, not the underlying Alephium chain, which continues to operate without disruption. The more lasting damage sits in the 13.76 million wrapped ALPH now circulating without collateral backing. Those tokens represent a liability that cannot simply be wished away. Any future bridge restart will need to account for that uncollateralized supply and the questions it raises about redemption, burn mechanisms, and user trust in wrapped assets on the Ethereum side. What Comes Next for Alephium The bridge is down and the attacker has not moved the funds. Whether that pause is strategic or simply the beginning of a longer laundering process remains to be seen. What the Alephium team needs to do now is straightforward, even if it is not easy: publish a full technical post-mortem, clarify the discrepancy between its early event-emission characterization and the key compromise evidence, and lay out a concrete plan for how the bridge gets rebuilt, with a guardian set large enough to actually provide security. A four-guardian bridge with a three-of-four signing threshold is not a bridge design that belongs in production. Whatever comes next for Alephium’s cross-chain infrastructure needs to start from that acknowledgment. Disclosure: This is not trading or investment advice. Always do your research before buying any cryptocurrency or investing in any services. Follow us on Twitter @nulltxnews to stay updated with the latest Crypto, NFT, AI, Cybersecurity, Distributed Computing, and Metaverse news !
30 May 2026, 12:25
Over 1,400 Liquidity Providers Hit in $7.3 Million DxSale Exploit

More than 1,400 liquidity pools tied to old DxSale contracts on BNB Chain were drained in a $7.3 million exploit flagged by blockchain security firms on May 29. The attack adds to a growing list of DeFi breaches this month, as security experts warn that aging smart contracts and weak access controls are leaving protocols exposed. What Happened According to on-chain security account PeckShieldAlert, a user named “Tahax” first identified the exploit. Per their report, attackers targeted at least 1,400 old DxSale liquidity pool contracts on BNB Chain, draining about $7.3 million worth of crypto from them, which they then routed through AnySwap in an attempt to obscure their trail. PeckShield added that an address identified as “0xC457…FA69” had transferred 2,958 BNB from the hack, worth $1.87 million, into two main wallets, which then moved the funds through several deposit addresses on Binance. DxSale is a launchpad platform that lets crypto projects create tokens and liquidity pools without building their own infrastructure. It was pretty big about five years ago, with many of the projects launching tokens on BNB Chain locking their LPs with the protocol. According to Tahax, the locker was still holding LPs from projects that had not been touched for years, with founders and holders believing it was safe. However, nearly nine months ago, the DxSale deployer transferred ownership of the locker to a new wallet with no public announcement or migration notice. The on-chain degen claims that the locker contract was unverified and it probably contained a backdoor, which the attacker took advantage of. Two days ago, 0xC457…FA69, a brand new wallet funded from Bybit and possibly routed through AnySwap, reportedly took ownership of the locker and, within hours started draining the LPs. DxSale itself was yet to make a statement regarding the exploit. DeFi Security Concerns Keep Growing The DxSale hack hasn’t happened in isolation, with the crypto sector losing at least $650 million in April from similar incidents. May has also had its fair share of attacks, including one last week, where a person stole more than $11 million from the Verus bridge after exploiting a flaw in how it verified payment amounts. According to security researchers, the attacker submitted a tiny transaction that passed verification checks while still unlocking large withdrawals from the bridge’s reserves. Earlier in the month, liquidity provider TrustedVolumes was also hit for about $5.9 million after a hacker abused weaknesses in its custom settlement system, with analysts pointing out that the exploit worked because the protocol checked authorization against one address while pulling funds from another. THORChain was also a victim, with on-chain sleuth ZachXBT saying it may have lost more than $10 million, which sent its RUNE token plummeting 15% within minutes. This steady stream of exploits has elicited a reaction, with OpenZeppelin co-founder Manuel Aráoz declaring “all of DeFi unsafe,” arguing that AI-assisted attackers are finding vulnerabilities faster than security teams can patch them. The post Over 1,400 Liquidity Providers Hit in $7.3 Million DxSale Exploit appeared first on CryptoPotato .
30 May 2026, 12:20
Gravity Bridge drained of $5.4M in latest cross-chain exploit

An attacker has drained approximately $5.4 million from Gravity Bridge, the cross-chain bridge connecting Ethereum and the Cosmos ecosystem, in what on-chain analysts suspect was a contract key compromise. The theft, which was flagged on May 30 by blockchain security firms PeckShieldAlert and Cyvers, continues a punishing stretch for cross-chain infrastructure . Bridges have repeatedly proven to be the most lucrative targets in DeFi, and Gravity Bridge is the latest to fall. It appears the @gravity_bridge bridge contract key may have been compromised, resulting in the theft of $5.4M. The attacker drained the following assets: USDC: $4.3M WETH: 274 ETH (~$553K) USDT: $434K $PAYG : $64K Theft addresses: 0x7B582033061b96cC3F9421e73a749ED7C62da1F9… pic.twitter.com/nX81rsZYGp — Specter (@SpecterAnalyst) May 30, 2026 What did the attacker take? The attacker siphoned four assets from the bridge’s Ethereum-side contract: $4.3 million in USDC, 274 ETH (worth roughly $553,000), $434,000 in USDT, and 14,164 PAYG tokens valued at about $64,000, according to PeckShieldAlert . On-chain analyst Specter , who was also among the first to report the incident, identified the suspected attack vector as a compromise of the bridge contract key or signing path. Two Ethereum addresses, “0x7B58…a1F9” and “0x4d3c…7A47,” have been linked to the theft, according to CryptoAdventure. Laundering already underway PeckShieldAlert reported that a portion of the stolen funds had already been moved through ChangeNow and Binance. Per PeckShieldAlert, the attacker still held roughly 2,102 ETH (approximately $4.23 million), so the bulk of the haul still remains in the exploiter’s wallet as of the time of reporting. Cyvers confirmed the $5.4 million loss figure and said the stolen assets were swapped into native ETH. Gravity Bridge has not published a postmortem or public statement on the incident. Bridge exploits keep piling up The Gravity Bridge drain comes in a month already scarred by bridge attacks. On May 18, the Verus-Ethereum bridge lost $11.5 million after a verification bypass exploit, according to DefiLlama’s hacks database. Analysts have pointed to the Verus incident as part of a growing string of cross-chain infrastructure exploits. Cryptopolitan has previously reported on the persistent vulnerability of bridge protocols, which handle large pools of locked assets across chains and present concentrated targets for attackers. DefiLlama data shows that bridges account for $3.2 billion of the $16.6 billion in total value hacked across crypto history, a disproportionate share given how few bridge protocols exist relative to other DeFi categories. As of reporting time, Gravity Bridge held approximately $6.2 million in total value locked, according to DefiLlama . The $5.4 million drain represents nearly a big chunk of the bridge’s TVL, effectively sending the protocol’s stored value into a nosedive. Gravity Bridge’s TVL has dropped sharply since reports of the hack. Source: DefiLlama One community member noted the scale of remaining funds came as a surprise. “I had no idea there was even that much TVL left locked in the Gravity Bridge,” wrote Ed from AirdropGlideApp, questioning why users had not migrated to newer Cosmos bridging options. For now, users with funds on the protocol have no official guidance, as the platform is yet to confirm or share any update on the exploit. The remaining 2,102 ETH sits in a known address, giving exchanges and compliance teams a window to flag or freeze the funds before further laundering occurs. If you're reading this, you’re already ahead. Stay there with our newsletter .
29 May 2026, 15:00
THORChain Nodes Approve ADR028 After $10.7M Exploit, RUNE Restart Begins

THORChain nodes approved ADR028 on 27 May 2026, enabling a staged network restart after a $10.7 million exploit drained one of five vaults on 15 May. The recovery plan uses protocol-owned liquidity to cover losses without minting new RUNE.







































