Skip to main content
Sign in

Q2 2026 Bridge Exploit Wave

avoid.net/q2-2026-bridge-exploit-wave0/100·88% conf.
[AI-DRAFTED · AWAITING VERIFICATION]
anchored·4Jt19z…jdXR

Summary

The second quarter of 2026 (April–June) saw a record-breaking wave of cross-chain bridge exploits, with at least six distinct incidents draining approximately $340 million from bridge protocols alone, out of $755 million stolen across 83 crypto hacks industry-wide. The largest single events — the Drift Protocol ($285M) and KelpDAO LayerZero bridge ($292M) exploits — were attributed with medium confidence to North Korea's Lazarus Group / TraderTraitor subunit. Attack vectors ranged from social engineering of governance signers and RPC infrastructure poisoning, to smart contract proof-validation gaps and private key leakage.

Have evidence about Q2 2026 Bridge Exploit Wave?

Timeline(18 events)

2025-09-01

Alleged start of DPRK social engineering operation targeting Drift Protocol Security Council members (approximate date; campaign reported as beginning in fall 2025)

The Hacker News

2026-03-06

KelpDAO attack begins: threat actor alleged to have socially engineered a LayerZero Labs developer to harvest session keys and gain access to RPC cloud environment

LayerZero Labs Incident Report

2026-03-11

On-chain staging for Drift exploit begins: 10 ETH withdrawn from Tornado Cash to fund deployment of CarbonVote (CVT) fake token

Chainalysis

2026-04-01

Drift Protocol exploited for approximately $285 million on Solana; 31 rapid withdrawals executed in ~12 minutes after admin control obtained via pre-signed durable nonce transactions

Bloomberg

2026-04-13

Hyperbridge (Polkadot) bridge exploited via forged Merkle Mountain Range proofs; 1 billion bridged DOT minted; initial loss estimate ~$237K, later revised to ~$2.5M

CoinDesk

2026-04-16

Hyperbridge revises loss estimate upward to ~$2.5 million; reports stolen funds traced to Binance and coordination with exchange compliance and law enforcement

Yahoo Finance

2026-04-18

KelpDAO LayerZero bridge exploited for ~$292 million (116,500 rsETH) via RPC infrastructure poisoning enabling false chain state to be fed to single-DVN verifier

CoinDesk

2026-04-20

LayerZero publishes incident report attributing KelpDAO exploit to Lazarus Group / TraderTraitor; Kelp DAO disputes responsibility, alleging LayerZero approved the single-DVN configuration

CoinDesk

2026-04-22

UPI and multiple outlets publish North Korea attribution for KelpDAO hack, citing Lazarus Group / TraderTraitor indicators

UPI

2026-05-05

Kelp DAO publishes statement claiming LayerZero approved the configuration blamed for the $292 million hack

CoinDesk

2026-05-13

THORChain attacker node (later identified as malicious) joins active validator set with ~635,000 RUNE bonded

THORChain official blog

2026-05-15

THORChain exploit: rogue node reconstructs vault private key via GG20 key shard leakage, drains ~$10.7M from one vault; network auto-halts within 52 minutes

CryptoTimes

2026-05-18

Verus-Ethereum bridge exploited for ~$11.58M via missing value-binding check (no verification that source input matched Ethereum payout); funds routed through Tornado Cash

CoinDesk

2026-06-07

Syscoin bridge exploit: cross-layer parsing mismatch between Syscoin Core and NEVM relay exploited to mint 5 billion SYS tokens (~$10M); bridge paused, tokens later burned

Halborn

2026-06-09

THORChain releases v3.19.0 security upgrade as part of post-exploit recovery

CryptoTimes

2026-06-22

Taiko (Ethereum L2) bridge exploited for ~$1.7M after SGX signing key for proof generator Raiko was exposed publicly on GitHub; block production halted, users urged to withdraw

CoinDesk

2026-06-25

Taiko announces plan to fully restore bridge backing following the $1.7M exploit

CryptoTimes

2026-06-30

Q2 2026 closes with 83 crypto hack incidents and $755.3M in total losses — most hacked quarter on record by incident count; bridge exploits account for ~$351M (46.5%) of losses

CoinTelegraph
Provenance & Audit Trail

Decision Log

This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.

model: claude-sonnet-4-6

generated: 6/29/2026, 11:25:48 PM

last updated: 6/29/2026, 11:26:00 PM

avoid.net — verified advice for a post-truth world