Q2 2026 Bridge Exploit Wave
Summary
The second quarter of 2026 (April–June) saw a record-breaking wave of cross-chain bridge exploits, with at least six distinct incidents draining approximately $340 million from bridge protocols alone, out of $755 million stolen across 83 crypto hacks industry-wide. The largest single events — the Drift Protocol ($285M) and KelpDAO LayerZero bridge ($292M) exploits — were attributed with medium confidence to North Korea's Lazarus Group / TraderTraitor subunit. Attack vectors ranged from social engineering of governance signers and RPC infrastructure poisoning, to smart contract proof-validation gaps and private key leakage.
Connected Entities
1 entities · 10 linked investigations- + 8 more
Timeline(18 events)
2025-09-01
Alleged start of DPRK social engineering operation targeting Drift Protocol Security Council members (approximate date; campaign reported as beginning in fall 2025)
The Hacker News2026-03-06
KelpDAO attack begins: threat actor alleged to have socially engineered a LayerZero Labs developer to harvest session keys and gain access to RPC cloud environment
LayerZero Labs Incident Report2026-03-11
On-chain staging for Drift exploit begins: 10 ETH withdrawn from Tornado Cash to fund deployment of CarbonVote (CVT) fake token
Chainalysis2026-04-01
Drift Protocol exploited for approximately $285 million on Solana; 31 rapid withdrawals executed in ~12 minutes after admin control obtained via pre-signed durable nonce transactions
Bloomberg2026-04-13
Hyperbridge (Polkadot) bridge exploited via forged Merkle Mountain Range proofs; 1 billion bridged DOT minted; initial loss estimate ~$237K, later revised to ~$2.5M
CoinDesk2026-04-16
Hyperbridge revises loss estimate upward to ~$2.5 million; reports stolen funds traced to Binance and coordination with exchange compliance and law enforcement
Yahoo Finance2026-04-18
KelpDAO LayerZero bridge exploited for ~$292 million (116,500 rsETH) via RPC infrastructure poisoning enabling false chain state to be fed to single-DVN verifier
CoinDesk2026-04-20
LayerZero publishes incident report attributing KelpDAO exploit to Lazarus Group / TraderTraitor; Kelp DAO disputes responsibility, alleging LayerZero approved the single-DVN configuration
CoinDesk2026-04-22
UPI and multiple outlets publish North Korea attribution for KelpDAO hack, citing Lazarus Group / TraderTraitor indicators
UPI2026-05-05
Kelp DAO publishes statement claiming LayerZero approved the configuration blamed for the $292 million hack
CoinDesk2026-05-13
THORChain attacker node (later identified as malicious) joins active validator set with ~635,000 RUNE bonded
THORChain official blog2026-05-15
THORChain exploit: rogue node reconstructs vault private key via GG20 key shard leakage, drains ~$10.7M from one vault; network auto-halts within 52 minutes
CryptoTimes2026-05-18
Verus-Ethereum bridge exploited for ~$11.58M via missing value-binding check (no verification that source input matched Ethereum payout); funds routed through Tornado Cash
CoinDesk2026-06-07
Syscoin bridge exploit: cross-layer parsing mismatch between Syscoin Core and NEVM relay exploited to mint 5 billion SYS tokens (~$10M); bridge paused, tokens later burned
Halborn2026-06-22
Taiko (Ethereum L2) bridge exploited for ~$1.7M after SGX signing key for proof generator Raiko was exposed publicly on GitHub; block production halted, users urged to withdraw
CoinDesk2026-06-25
Taiko announces plan to fully restore bridge backing following the $1.7M exploit
CryptoTimes2026-06-30
Q2 2026 closes with 83 crypto hack incidents and $755.3M in total losses — most hacked quarter on record by incident count; bridge exploits account for ~$351M (46.5%) of losses
CoinTelegraphDecision Log
- hash: 47JrxK5fYghVMHxBpMA6fUaq1BXCmu4YnTjZN3wQxG6A
This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.
model: claude-sonnet-4-6
generated: 6/29/2026, 11:25:48 PM
last updated: 6/29/2026, 11:26:00 PM
avoid.net — verified advice for a post-truth world