Alephium’s (ALPH) TokenBridge was drained of roughly $815,000 after an attacker exploited a flaw that allowed cast messages to cross by the protocol’s guardian community and authorize fraudulent token transfers.
The Alephium staff confirmed that blockchain safety agency Blockaid was the primary to detect the exploit. The Safety Alliance’s SEAL_911 emergency response unit additionally supplied help and responsiveness all through the following investigation.
Exploit Drains $815,000 in Below 7 Minutes
The attacker moved funds from the Alephium TokenBridge on each Ethereum and BNB Chain in roughly seven minutes. On Ethereum, losses included 200,967 Tether (USDT), 17,594 USD Coin (USDC), 5.18 Wrapped Ether (WETH), and 0.335 Wrapped Bitcoin (WBTC).
A further 36,750 USDT and 24.386 Wrapped BNB have been faraway from the BNB Chain aspect of the bridge. The attacker additionally minted 13.76 million unbacked wrapped ALPH and transferred them on to their pockets.
Alephium shut down the bridge and acknowledged that it’s exploring all choices to make affected customers complete.
The incident provides to a worsening image for cross-chain infrastructure in 2026. April crypto hack losses reached $606 million, and the Could DeFi hack tally has continued to climb heading into June.
A CrossCurve bridge exploit and a Hyperbridge exploit, each revised to $2.5 million, additionally contributed to the yr’s whole.
Cast Messages, Not Stolen Keys
Builders constructed the Alephium TokenBridge on a fork of the Wormhole protocol, which depends on a guardian community to validate cross-chain messages. A quorum of guardians should log out on any switch, making the power to inject fraudulent messages a high-impact vulnerability.
Preliminary reviews attributed the breach to compromised guardian non-public keys, drawing comparisons to the Gravity Bridge key compromise that value $5.4 million earlier in 2026. Alephium’s post-incident replace contradicts that framing.
“The exploit doesn’t seem to have concerned a compromise of guardian non-public keys. As a substitute, it seems to have concerned an exploit that allowed cast malicious occasions/messages to be noticed and signed by guardians,” says Alephium
The excellence issues. A key compromise level to an operational failure, whereas a forged-message assault signifies a flaw in how the bridge validated incoming knowledge earlier than presenting it to guardians.
An analogous dynamic emerged within the Polkadot bridge exploit, the place the attacker fraudulently validated transactions and minted unbacked tokens. Alephium stated a full technical postmortem from its staff is forthcoming.
The put up Pretend Bridge Messages Let Hacker Drain $815,000 From Alephium appeared first on BeInCrypto.