Fake Bridge Messages Let Hacker Drain $815,000 From Alephium

31 minutes ago 3

Alephium’s (ALPH) TokenBridge was drained of approximately $815,000 after an attacker exploited a flaw that allowed forged messages to pass through the protocol’s guardian network and authorize fraudulent token transfers.

The Alephium team confirmed that blockchain security firm Blockaid was the first to detect the exploit. The Security Alliance’s SEAL_911 emergency response unit also provided assistance and responsiveness throughout the subsequent investigation.

Exploit Drains $815,000 in Under 7 Minutes

The attacker moved funds from the Alephium TokenBridge on both Ethereum and BNB Chain in roughly seven minutes. On Ethereum, losses included 200,967 Tether (USDT), 17,594 USD Coin (USDC), 5.18 Wrapped Ether (WETH), and 0.335 Wrapped Bitcoin (WBTC).

An additional 36,750 USDT and 24.386 Wrapped BNB were removed from the BNB Chain side of the bridge. The attacker also minted 13.76 million unbacked wrapped ALPH and transferred them directly to their wallet.

Alephium shut down the bridge and stated that it is exploring all options to make affected users whole.

A sincere thank you to the @blockaid_ team for being the first to detect the exploit and for their support throughout the investigation.

We would also like to thank the @SEAL_911 team for their assistance and responsiveness during the incident.

The collaboration and… https://t.co/pxEldVyl5Z

— Alephium (@alephium) May 30, 2026

The incident adds to a worsening picture for cross-chain infrastructure in 2026. April crypto hack losses reached $606 million, and the May DeFi hack tally has continued to climb heading into June.

A CrossCurve bridge exploit and a Hyperbridge exploit, both revised to $2.5 million, also contributed to the year’s total.

Forged Messages, Not Stolen Keys

Developers built the Alephium TokenBridge on a fork of the Wormhole protocol, which relies on a guardian network to validate cross-chain messages. A quorum of guardians must sign off on any transfer, making the ability to inject fraudulent messages a high-impact vulnerability.

Initial reports attributed the breach to compromised guardian private keys, drawing comparisons to the Gravity Bridge key compromise that cost $5.4 million earlier in 2026. Alephium’s post-incident update contradicts that framing.

“The exploit does not appear to have involved a compromise of guardian private keys. Instead, it appears to have involved an exploit that allowed forged malicious events/messages to be observed and signed by guardians,” says Alephium

The distinction matters. A key compromise point to an operational failure, while a forged-message attack indicates a flaw in how the bridge validated incoming data before presenting it to guardians.

A similar dynamic emerged in the Polkadot bridge exploit, where the attacker fraudulently validated transactions and minted unbacked tokens. Alephium said a full technical postmortem from its team is forthcoming.

The post Fake Bridge Messages Let Hacker Drain $815,000 From Alephium appeared first on BeInCrypto.

Read Entire Article