
Fake Bridge Messages Let Hacker Drain $815,000 From Alephium

Alephium’s (ALPH) TokenBridge was drained of roughly $815,000 after an attacker exploited a flaw that allowed forged messages to pass through the protocol’s guardian network and authorize fraudulent token transfers.

The Alephium team confirmed that blockchain security firm Blockaid was the first to detect the exploit. The Security Alliance’s SEAL_911 emergency response unit also provided help and responsiveness throughout the subsequent investigation.

Exploit Drains $815,000 in Under 7 Minutes

The attacker moved funds from the Alephium TokenBridge on both Ethereum and BNB Chain in roughly seven minutes. On Ethereum, losses included 200,967 Tether (USDT), 17,594 USD Coin (USDC), 5.18 Wrapped Ether (WETH), and 0.335 Wrapped Bitcoin (WBTC).

An additional 36,750 USDT and 24.386 Wrapped BNB were removed from the BNB Chain side of the bridge. The attacker also minted 13.76 million unbacked wrapped ALPH and transferred them to their wallet.

Alephium shut down the bridge and stated that it is exploring all options to make affected users whole.

The incident adds to a worsening picture for cross-chain infrastructure in 2026. April crypto hack losses reached $606 million, and the May DeFi hack tally has continued to climb heading into June.

A CrossCurve bridge exploit and a Hyperbridge exploit, both revised to $2.5 million, also contributed to the year’s total.

Forged Messages, Not Stolen Keys

Developers built the Alephium TokenBridge on a fork of the Wormhole protocol, which relies on a guardian network to validate cross-chain messages. A quorum of guardians must sign off on any transfer, making the ability to inject fraudulent messages a high-impact vulnerability.

Initial reports attributed the breach to compromised guardian private keys, drawing comparisons to the Gravity Bridge key compromise that cost $5.4 million earlier in 2026. Alephium’s post-incident update contradicts that framing.

“The exploit doesn’t seem to have concerned a compromise of guardian non-public keys. Instead, it seems to have concerned an exploit that allowed cast malicious occasions/messages to be noticed and signed by guardians,” says Alephium.

The distinction matters. A key compromise points to an operational failure, whereas a forged-message attack indicates a flaw in how the bridge validated incoming data before presenting it to guardians.

The same dynamic emerged in the Polkadot bridge exploit, where the attacker fraudulently validated transactions and minted unbacked tokens. Alephium said a full technical postmortem from its team is forthcoming.

The post Fake Bridge Messages Let Hacker Drain $815,000 From Alephium appeared first on BeInCrypto.
