Skip to main content
Sign in
Q2 2026 Bridge Exploit Wave1 decision on this page

Audit log

Every state-changing event for Q2 2026 Bridge Exploit Wave: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.

  1. #1publishby system:backfill
    2026-06-29 23:26:00Z
    Score: ?? (no score change)
    anchoranchored
    chain
    mainnet-betaslot 429,762,341
    sig
    4Jt19zv5TufM…15uHjdXRexplorer ↗
    hash
    47JrxK5fYghV…N3wQxG6Asha256 → base58
    verifying row…full verify ↗
    canonical bytes (37244 B) ▸
    {"actor":"system:backfill","investigation_id":"83dae395-6719-4cb4-b5fc-4a2b875617e0","kind":"publish","page_slug":"q2-2026-bridge-exploit-wave","published_at":"2026-06-29T23:26:00.510Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Q2 2026 Bridge Exploit Wave","sections":[{"content":"Q2 2026 (April 1 – June 30) became the most-hacked quarter on record by incident count, with 83 exploits reported industry-wide and $755.3 million in total losses, according to CoinTelegraph and Blockchain.news citing security research aggregates. Cross-chain bridges were the single largest loss category, accounting for approximately $351 million — 46.5% of quarterly losses. The two largest individual exploits of the quarter (Drift Protocol at $285M and KelpDAO LayerZero at $292M) together represented over 76% of bridge-related losses. Security researchers from Immunefi and Halborn noted that AI-assisted vulnerability discovery has shifted the exploitation landscape, with attack sophistication increasing faster than defensive tooling deployment.","heading":"Overview and Scale","severity":"critical","sources":[{"credibility":1,"name":"Q2 2026 Breaks Record with 83 Crypto Hacks, $755M Stolen — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/q2-2026-most-hacked-quarter-record-83-incidents"},{"credibility":2,"name":"Crypto Hackers Steal $755M in Q2 2026, Marking the Industry's Worst Quarter Ever — Crypto Economy","type":"news_article","url":"https://crypto-economy.com/crypto-hackers-steal-755m-in-q2-2026-marking-the-industrys-worst-quarter-ever/"},{"credibility":2,"name":"Q2 2026 Becomes Record-Breaking Most-Hacked Quarter — Blockchain.news","type":"news_article","url":"https://blockchain.news/news/q2-2026-most-hacked-quarter"}]},{"content":"On April 1, 2026, an attacker or group gained administrative control of the Drift Protocol — a Solana-based perpetuals and spot DEX — and drained an estimated $285 million from its vaults, making it the second-largest exploit in Solana's history after the 2022 Wormhole hack. According to Drift's post-mortem and analyses from TRM Labs, Bloomberg, and The Hacker News, the attack was the culmination of a months-long social engineering operation attributed with medium confidence to the North Korean state-sponsored group UNC4736 (a subunit of Lazarus Group / TraderTraitor). Beginning in fall 2025, operatives spent months cultivating relationships with Drift Security Council members. Using Solana's 'durable nonces' feature, they induced council members to unknowingly pre-sign transactions that transferred administrative control. Once in control, the attackers whitelisted a worthless fabricated token (CarbonVote/CVT), deposited 500 million CVT as collateral, and executed 31 rapid withdrawals within approximately 12 minutes, extracting $285 million in USDC, SOL, and ETH. On-chain staging began March 11, 2026 with a single 10 ETH withdrawal from Tornado Cash used to deploy CVT. Drift's TVL fell from roughly $550 million to under $300 million in under an hour, and the DRIFT token dropped more than 40% on the day. Elliptic noted forensic indicators consistent with previously attributed DPRK operations, though formal attribution remained pending as of the incident reporting date.","heading":"Drift Protocol Exploit — April 1, 2026 (~$285M)","severity":"critical","sources":[{"credibility":1,"name":"Drift Protocol Hit by $285M Exploit — Bloomberg","type":"news_article","url":"https://www.bloomberg.com/news/articles/2026-04-01/solana-based-defi-project-drift-hit-by-285-million-exploit"},{"credibility":2,"name":"North Korean Hackers Attack Drift Protocol In $285 Million Heist — TRM Labs","type":"research","url":"https://www.trmlabs.com/resources/blog/north-korean-hackers-attack-drift-protocol-in-285-million-heist"},{"credibility":2,"name":"$285 Million Drift Hack Traced to Six-Month DPRK Social Engineering Operation — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html"},{"credibility":2,"name":"Drift Protocol exploited for $286 million in suspected DPRK-linked attack — Elliptic","type":"research","url":"https://www.elliptic.co/blog/drift-protocol-exploited-for-286-million-in-suspected-dprk-linked-attack"},{"credibility":1,"name":"Drift crypto platform confirms $280 million stolen — The Record from Recorded Future News","type":"news_article","url":"https://therecord.media/drift-crypto-confirms-280-million-stolen-north-korea"},{"credibility":2,"name":"Drift Protocol Hack: How Privileged Access Led to a $285M Loss — Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/lessons-from-the-drift-hack/"}]},{"content":"On April 18, 2026, attackers extracted approximately $292 million (116,500 rsETH) from KelpDAO's LayerZero OFT bridge, representing the largest DeFi bridge exploit of Q2 2026. Unlike the Drift attack, this exploit targeted off-chain infrastructure rather than smart contract code. According to LayerZero's incident report and analyses by Chainalysis and OpenZeppelin, the attack began on March 6, 2026 when an attacker socially engineered a LayerZero Labs developer to harvest session keys, then pivoted into LayerZero's RPC cloud environment to poison internal RPC nodes. A coordinated DDoS attack knocked legitimate external RPC nodes offline, forcing a failover to the attacker-controlled nodes. The Kelp rsETH OFT was configured with a single verifier — the LayerZero Labs DVN — creating a single point of failure. With control of the RPC nodes the DVN relied upon, the attacker could feed fabricated chain state, inducing the Ethereum contract to release rsETH without a corresponding burn on the source chain. Of the 116,500 rsETH stolen, 89,567 rsETH were subsequently deposited on Aave as collateral to borrow approximately $190 million in WETH — against assets backed by nothing. LayerZero attributed the attack to Lazarus Group's TraderTraitor subunit. Kelp DAO and LayerZero subsequently disputed responsibility in public statements: Kelp alleged LayerZero had approved the single-DVN configuration; LayerZero stated the configuration was the protocol's own choice. OpenZeppelin noted that no smart contract bugs were found, classifying this as a pure infrastructure security failure.","heading":"KelpDAO LayerZero Bridge Exploit — April 18, 2026 (~$292M)","severity":"critical","sources":[{"credibility":1,"name":"Kelp DAO exploited for $292 million — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/04/19/2026-s-biggest-crypto-exploit-kelp-dao-hit-for-usd292-million-with-wrapped-ether-stranded-across-20-chains"},{"credibility":2,"name":"Inside the KelpDAO Bridge Exploit — Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/kelpdao-bridge-exploit-april-2026/"},{"credibility":2,"name":"$292 Million Lost, Zero Bugs Found: Lessons From the rsETH Bridge Exploit — OpenZeppelin","type":"research","url":"https://www.openzeppelin.com/news/lessons-from-kelpdao-hack"},{"credibility":2,"name":"LayerZero Labs KelpDAO Incident Report — LayerZero","type":"official","url":"https://layerzero.network/blog/layerzero-labs-kelpdao-incident-report"},{"credibility":1,"name":"LayerZero blames Kelp's setup, attributes it to North Korea's Lazarus — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/04/20/layerzero-blames-kelp-s-setup-for-usd290-million-exploit-attributes-it-to-north-korea-s-lazarus"},{"credibility":2,"name":"LayerZero Pins $292M KelpDAO Bridge Hack on North Korea's Lazarus Group — Yahoo Finance","type":"news_article","url":"https://finance.yahoo.com/markets/crypto/articles/layerzero-pins-292m-kelpdao-bridge-113544792.html"},{"credibility":2,"name":"Explained: The Kelp DAO Hack (April 2026) — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-kelp-dao-hack-april-2026"}]},{"content":"On April 13, 2026, an attacker exploited a proof validation flaw in Hyperbridge's EthereumHost contract to mint 1 billion bridged DOT tokens on Ethereum and connected EVM chains. The vulnerability resided in the VerifyProof() function of the HandlerV1 contract, specifically a missing bounds check (leaf_index < leafCount) in the Merkle Mountain Range proof verification. The attacker submitted a forged cross-chain message via dispatchIncoming, which was routed to TokenGateway.onAccept, and exploited a zero-second challenge period that permitted immediate execution. A Merkle Mountain Range proof not bound to a specific request also enabled replay-style manipulation. Initial estimates placed losses at approximately $237,000 in ETH realized from dumping the minted DOT tokens; however, Hyperbridge revised the loss figure to approximately $2.5 million on April 16 after accounting for broader realized losses across incentive pools on Ethereum, Arbitrum, Base, and BNB Chain. The exploit did not affect Polkadot's native chain or native DOT. Hyperbridge reported that a significant portion of stolen funds had been traced to Binance and that the project was coordinating with the exchange's compliance team and law enforcement.","heading":"Hyperbridge (Polkadot) Exploit — April 13, 2026 (~$2.5M)","severity":"high","sources":[{"credibility":1,"name":"Attacker mints $1 billion Polkadot tokens on Ethereum, steals just $250,000 — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/04/13/attacker-mints-usd1-billion-polkadot-tokens-on-ethereum-ends-up-stealing-just-usd250-000"},{"credibility":2,"name":"Security Update: Token Gateway Exploited via Forged Proofs — Hyperbridge official blog","type":"official","url":"https://blog.hyperbridge.network/security-update-forged-proofs/"},{"credibility":2,"name":"Hyperbridge Confirms Bridged Polkadot Exploit Was 10x Worse Than First Reported — Yahoo Finance","type":"news_article","url":"https://finance.yahoo.com/markets/crypto/articles/hyperbridge-confirms-bridged-polkadot-exploit-053634639.html"},{"credibility":2,"name":"Big Reveal in Hyperbridge Exploit: User Funds Were Hit — CoinGabbar","type":"news_article","url":"https://www.coingabbar.com/en/crypto-currency-news/hyperbridge-exploit-twist-users-also-lost-funds-in-25m-hack"}]},{"content":"On May 15, 2026, THORChain, a decentralized cross-chain liquidity protocol, was drained of approximately $10.7 million from a single vault. The attacker was a newly churned-in node operator who had joined the active validator set on May 13 with approximately 635,000 RUNE bonded. Over two days of routine participation, the attacker exploited a vulnerability in the GG20 Threshold Signature Scheme implementation, which caused partial key material to leak incrementally during normal signing ceremonies. By accumulating sufficient leaked shards, the attacker reconstructed the full private key of one vault (out of five active vaults). The attacker then executed unauthorized outbound transactions directly from the compromised vault, bypassing the normal approval process. THORChain's automatic solvency detection systems triggered within minutes and halted trading and signing across Ethereum, Avalanche, BNB Chain, Base, Dogecoin, and Gaia integrations within 52 minutes, preventing further losses. The network resumed operations following a v3.19.0 security upgrade released in early June 2026. The exploit raised fresh concerns about MPC wallet implementations and node operator vetting in decentralized validator networks.","heading":"THORChain Vault Exploit — May 15, 2026 (~$10.7M)","severity":"high","sources":[{"credibility":2,"name":"THORChain Exploit Report #1 — THORChain official blog","type":"official","url":"https://blog.thorchain.org/thorchain-exploit-report-1"},{"credibility":2,"name":"$10.8 Million Drained: Inside the THORChain Exploit That Froze Cross-Chain DeFi for 13 Hours — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/05/17/10-8-million-drained-inside-the-thorchain-exploit-that-froze-cross-chain-defi-for-13-hours/"},{"credibility":2,"name":"THORChain Drained for $10.7M — The Open Source Press","type":"news_article","url":"https://www.theopensourcepress.com/thorchain-vault-exploit-may-2026/"},{"credibility":2,"name":"THORChain Shares Exploit Report Revealing $10.7M Vault Breach by New Node — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/05/21/thorchain-shares-exploit-report-revealing-10-7m-vault-breach-by-new-node/"}]},{"content":"On May 18, 2026, an attacker exploited a missing value-binding check in the Verus-Ethereum bridge's smart contract to drain approximately $11.58 million in ETH, tBTC, and USDC. The root cause was an absence of validation confirming that the input amount specified on the Verus side matched the payout amount on Ethereum within the checkCCEValues function. The attacker submitted a fraudulent transfer blob specifying roughly $0.01 worth of VRSC on the source chain while claiming $11.58 million in Ethereum-side reserves. The bridge validated state roots and transaction hashes but not the underlying asset amounts during settlement verification. The attacker extracted 1,625 ETH, 103.6 tBTC, and approximately 147,659 USDC, subsequently converting them to approximately 5,402 ETH and routing them through Tornado Cash. Security researchers at Blockaid classified the root cause as a gap between source-chain proof verification and destination-chain value binding, the same vulnerability class as the 2022 Wormhole and Nomad bridge hacks. The incident contributed to cumulative 2026 bridge exploit losses crossing $328 million.","heading":"Verus-Ethereum Bridge Exploit — May 18, 2026 (~$11.6M)","severity":"high","sources":[{"credibility":1,"name":"Verus-Ethereum bridge loses $11 million — CoinDesk","type":"news_article","url":"https://www.coindesk.com/markets/2026/05/18/yet-another-crypto-bridge-falls-victim-to-an-usd11-million-hack"},{"credibility":2,"name":"Explained: The Verus-Ethereum Bridge Hack (May 2026) — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-verus-ethereum-bridge-hack-may-2026"},{"credibility":2,"name":"Verus suffers $11.5M hack as bridge-related exploits hit $329M in 2026 — Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/verus-suffers-11-5m-hack-as-bridge-related-exploits-hit-329m-in-2026/"},{"credibility":2,"name":"Attacker Flips $11.5M in Stolen Verus Assets to ETH Following Tornado Cash Setup — Bitcoin.com News","type":"news_article","url":"https://news.bitcoin.com/verus-ethereum-bridge-hack-11-million-tornado-cash-2026/"}]},{"content":"On June 7, 2026, an attacker exploited a cross-layer interpretation mismatch in the Syscoin bridge relay to authorize the unauthorized minting of 5 billion SYS tokens on the UTXO side of the bridge, valued at approximately $10 million at the time of the incident. The root cause was a parsing error in the bridge relay's proof validation component: the attacker crafted a malformed proof that exploited differing interpretations between Syscoin Core and the NEVM relay layer, where duplicate asset commitments created ambiguity that the two components resolved differently. The relay interpreted the forged proof as valid for a burn transaction that did not exist, authorizing the corresponding mint. Syscoin immediately paused the bridge and coordinated with exchanges to freeze tainted funds. The team subsequently recovered the minted tokens and destroyed them using the OP_RETURN mechanism, restoring the on-chain SYS supply to its expected level. The incident added to the growing list of 2026 bridge exploits collectively exceeding $340 million.","heading":"Syscoin Bridge Exploit — June 7, 2026 (~$10M)","severity":"high","sources":[{"credibility":2,"name":"Explained: The Syscoin Bridge Hack (June 2026) — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-syscoin-bridge-hack-june-2026"},{"credibility":2,"name":"Syscoin bridge remains paused as 5B token mint exploit threatens project's future — Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/syscoin-bridge-paused-exploit-project/"},{"credibility":2,"name":"5 Billion SYS Created in Syscoin Bridge Breach, Team Halts Operations — Live Bitcoin News","type":"news_article","url":"https://www.livebitcoinnews.com/5-billion-sys-created-in-syscoin-bridge-breach-team-halts-operations/"},{"credibility":2,"name":"Syscoin — Rekt News","type":"community_report","url":"https://rekt.news/syscoin-rekt"}]},{"content":"On June 22, 2026, an attacker exploited the Taiko Ethereum Layer-2 bridge to steal approximately $1.7 million, comprising roughly 870 ETH and nearly 2 million TAIKO tokens. The exploit stemmed from the accidental public exposure of a signing key for Raiko, Taiko's trusted execution environment (SGX-based) proof generator. The leaked SGX key allowed the attacker to forge cross-chain proofs, causing fake withdrawal requests to be accepted on Ethereum without corresponding deposits on the Taiko side. Taiko halted block production following confirmation of the exploit and urged users to withdraw from all network bridges immediately. Centralized exchanges were asked to suspend TAIKO deposits during the containment period. Taiko subsequently announced plans to fully restore bridge backing following the incident. Security researchers noted that while the dollar loss was relatively modest, the exploit demonstrated the same proof-forgery vulnerability class responsible for over $340 million in 2026 bridge losses and highlighted the risks of trusting centralized SGX signing infrastructure.","heading":"Taiko Bridge Exploit — June 22, 2026 (~$1.7M)","severity":"medium","sources":[{"credibility":1,"name":"Taiko halts its Ethereum layer-2 network after a bridge exploit, token dives — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/06/22/taiko-halts-its-ethereum-layer-2-network-after-a-bridge-exploit-token-dives-10"},{"credibility":2,"name":"$1.7M Gone: Taiko Bridge Exploited After SGX Signing Key Leak — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/22/1-7m-gone-taiko-bridge-exploited-after-sgx-signing-key-leak/"},{"credibility":2,"name":"Ethereum L2 Bridge Exploit Drains $1.7M: Leaked SGX Key Defeats Taiko Trust Model — TechTimes","type":"news_article","url":"https://www.techtimes.com/articles/318886/20260623/ethereum-l2-bridge-exploit-drains-17m-leaked-sgx-key-defeats-taiko-trust-model.htm"},{"credibility":1,"name":"Ethereum Layer 2 Taiko halts block production following exploit — The Block","type":"news_article","url":"https://www.theblock.co/post/405486/taiko-confirms-exploit"},{"credibility":2,"name":"Taiko to Fully Restore Bridge Backing After $1.7M Hack — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/25/taiko-to-fully-restore-bridge-backing-after-1-7m-hack/"}]},{"content":"Security researchers analyzing the Q2 2026 bridge exploit wave identified several recurring vulnerability classes. Off-chain infrastructure attacks accounted for the largest losses: the KelpDAO exploit ($292M) demonstrated that off-chain RPC infrastructure poisoning — rather than smart contract bugs — can fully compromise a bridge's security model when a single DVN (Decentralized Verifier Node) configuration is used. Governance and key compromise was the mechanism in both the Drift ($285M) and Taiko ($1.7M) incidents, through social engineering of governance signers and accidental public key exposure respectively. Proof validation failures — missing bounds checks, absent value-binding verification, and cross-layer parsing mismatches — were the root causes in the Hyperbridge, Verus, and Syscoin exploits. MPC threshold signature vulnerabilities were exploited in the THORChain incident through GG20 key shard leakage during routine signing ceremonies. Across the quarter, bridges using single-verifier architectures, underfunded operational security practices, and insufficient separation between on-chain and off-chain components were most vulnerable. Industry analysts from 1inch, Autheo, and Chainalysis noted a structural trend: bridge protocols are re-engineered and deployed faster than the operational risk complexity can be managed, creating persistent attack surface. Multi-message aggregation combining ZK-SNARKs with independent DVN consensus is emerging as a recommended mitigation.","heading":"Attack Vector Analysis and Common Patterns","severity":"critical","sources":[{"credibility":2,"name":"Why crypto bridges still get hacked in 2026 — 1inch Blog","type":"research","url":"https://1inch.com/blog/post/the-biggest-bridge-hacks-in-2026"},{"credibility":2,"name":"Cross-Chain Bridge Risk in 2026: How Single-Verifier Designs Fail — Autheo Blog","type":"research","url":"https://www.autheo.com/blog/cross-chain-bridge-single-verifier-failure-modes-2026"},{"credibility":2,"name":"DeFi Hacks 2026: Why Auditing The Code No Longer Helps — Crypto Economy","type":"news_article","url":"https://crypto-economy.com/defi-hacks-bridges-operational-security/"},{"credibility":2,"name":"Every Major DeFi Hack in 2026 So Far — Phemex","type":"news_article","url":"https://phemex.com/blogs/defi-hacks-2026-bridge-exploits-explained"}]},{"content":"Two of the three largest Q2 2026 exploits — Drift Protocol ($285M) and KelpDAO ($292M) — have been attributed with medium confidence to North Korea's Lazarus Group, specifically the TraderTraitor subunit. For Drift, TRM Labs, Elliptic, and The Hacker News all noted forensic indicators consistent with DPRK operations, including a six-month social engineering campaign beginning in fall 2025, overlapping wallet infrastructure, and C2 node patterns linked to prior DPRK crypto-theft operations. For KelpDAO, LayerZero stated publicly that preliminary indicators pointed to TraderTraitor. Threat analysts identified overlapping npm delivery domains, wallet infrastructure, and C2 nodes across Q1–Q2 2026 DPRK-linked operations, suggesting a shared operational base spanning both incidents. If both attributions are correct, Lazarus Group extracted over $575 million from DeFi in 18 days through two structurally distinct attack vectors: social engineering of governance signers (Drift) and RPC infrastructure poisoning (KelpDAO). UPI.com and BeInCrypto reported the KelpDAO attribution publicly on April 22, 2026. Formal law enforcement attribution had not been announced by the end of Q2 2026, and all attribution should be considered preliminary pending official confirmation.","heading":"State-Sponsored Attribution (Lazarus Group / TraderTraitor)","severity":"critical","sources":[{"credibility":1,"name":"North Korean hackers tied to $290M crypto heist — UPI","type":"news_article","url":"https://www.upi.com/Top_News/World-News/2026/04/22/KelpDAO-LayerZero-North-Korea-crypto-hack-theft-Lazarus-Group/6151776848419/"},{"credibility":2,"name":"North Korean Hackers Attack Drift Protocol In $285 Million Heist — TRM Labs","type":"research","url":"https://www.trmlabs.com/resources/blog/north-korean-hackers-attack-drift-protocol-in-285-million-heist"},{"credibility":1,"name":"Drift crypto platform confirms $280 million stolen in hack as researchers point finger at North Korea — The Record","type":"news_article","url":"https://therecord.media/drift-crypto-confirms-280-million-stolen-north-korea"},{"credibility":2,"name":"LayerZero Pins $292M KelpDAO Bridge Hack on North Korea's Lazarus Group — Yahoo Finance","type":"news_article","url":"https://finance.yahoo.com/markets/crypto/articles/layerzero-pins-292m-kelpdao-bridge-113544792.html"},{"credibility":2,"name":"KelpDAO, Bybit, Ronin: Lazarus Group's Crypto Hacks Behind a $7.3B Heist Empire — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/04/21/kelpdao-bybit-ronin-lazarus-groups-crypto-hacks-behind-a-7-3b-heist-empire/"}]}],"sources_used":[{"credibility":1,"name":"Q2 2026 Emerges as Most-Hacked Quarter on Record — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/q2-2026-most-hacked-quarter-record-83-incidents"},{"credibility":2,"name":"Crypto Hackers Steal $755M in Q2 2026 — Crypto Economy","type":"news_article","url":"https://crypto-economy.com/crypto-hackers-steal-755m-in-q2-2026-marking-the-industrys-worst-quarter-ever/"},{"credibility":2,"name":"Q2 2026 Breaks Record with 83 Crypto Hacks — Blockchain.news","type":"news_article","url":"https://blockchain.news/news/q2-2026-most-hacked-quarter"},{"credibility":1,"name":"Drift Protocol Hit by $285M Exploit — Bloomberg","type":"news_article","url":"https://www.bloomberg.com/news/articles/2026-04-01/solana-based-defi-project-drift-hit-by-285-million-exploit"},{"credibility":2,"name":"North Korean Hackers Attack Drift Protocol — TRM Labs","type":"research","url":"https://www.trmlabs.com/resources/blog/north-korean-hackers-attack-drift-protocol-in-285-million-heist"},{"credibility":2,"name":"$285 Million Drift Hack Traced to Six-Month DPRK Operation — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html"},{"credibility":2,"name":"Drift Protocol exploited for $286 million — Elliptic","type":"research","url":"https://www.elliptic.co/blog/drift-protocol-exploited-for-286-million-in-suspected-dprk-linked-attack"},{"credibility":1,"name":"Drift crypto platform confirms $280 million stolen — The Record","type":"news_article","url":"https://therecord.media/drift-crypto-confirms-280-million-stolen-north-korea"},{"credibility":2,"name":"Drift Protocol Hack: How Privileged Access Led to a $285M Loss — Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/lessons-from-the-drift-hack/"},{"credibility":1,"name":"Kelp DAO exploited for $292 million — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/04/19/2026-s-biggest-crypto-exploit-kelp-dao-hit-for-usd292-million-with-wrapped-ether-stranded-across-20-chains"},{"credibility":2,"name":"Inside the KelpDAO Bridge Exploit — Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/kelpdao-bridge-exploit-april-2026/"},{"credibility":2,"name":"$292 Million Lost, Zero Bugs Found — OpenZeppelin","type":"research","url":"https://www.openzeppelin.com/news/lessons-from-kelpdao-hack"},{"credibility":2,"name":"LayerZero Labs KelpDAO Incident Report","type":"official","url":"https://layerzero.network/blog/layerzero-labs-kelpdao-incident-report"},{"credibility":1,"name":"LayerZero blames Kelp's setup, attributes to Lazarus — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/04/20/layerzero-blames-kelp-s-setup-for-usd290-million-exploit-attributes-it-to-north-korea-s-lazarus"},{"credibility":1,"name":"Kelp claims LayerZero approved the setup — CoinDesk","type":"news_article","url":"https://www.coindesk.com/web3/2026/05/05/kelp-claims-that-layerzero-approved-the-setup-it-blamed-for-usd292-million-bridge-hack"},{"credibility":2,"name":"Explained: The Kelp DAO Hack (April 2026) — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-kelp-dao-hack-april-2026"},{"credibility":1,"name":"North Korean hackers tied to $290M crypto heist — UPI","type":"news_article","url":"https://www.upi.com/Top_News/World-News/2026/04/22/KelpDAO-LayerZero-North-Korea-crypto-hack-theft-Lazarus-Group/6151776848419/"},{"credibility":1,"name":"Attacker mints $1 billion Polkadot tokens on Ethereum — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/04/13/attacker-mints-usd1-billion-polkadot-tokens-on-ethereum-ends-up-stealing-just-usd250-000"},{"credibility":2,"name":"Security Update: Token Gateway Exploited via Forged Proofs — Hyperbridge","type":"official","url":"https://blog.hyperbridge.network/security-update-forged-proofs/"},{"credibility":2,"name":"Hyperbridge Confirms Bridged Polkadot Exploit Was 10x Worse — Yahoo Finance","type":"news_article","url":"https://finance.yahoo.com/markets/crypto/articles/hyperbridge-confirms-bridged-polkadot-exploit-053634639.html"},{"credibility":2,"name":"THORChain Exploit Report #1 — THORChain official blog","type":"official","url":"https://blog.thorchain.org/thorchain-exploit-report-1"},{"credibility":2,"name":"$10.8 Million Drained: Inside the THORChain Exploit — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/05/17/10-8-million-drained-inside-the-thorchain-exploit-that-froze-cross-chain-defi-for-13-hours/"},{"credibility":1,"name":"Verus-Ethereum bridge loses $11 million — CoinDesk","type":"news_article","url":"https://www.coindesk.com/markets/2026/05/18/yet-another-crypto-bridge-falls-victim-to-an-usd11-million-hack"},{"credibility":2,"name":"Explained: The Verus-Ethereum Bridge Hack (May 2026) — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-verus-ethereum-bridge-hack-may-2026"},{"credibility":2,"name":"Explained: The Syscoin Bridge Hack (June 2026) — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-syscoin-bridge-hack-june-2026"},{"credibility":2,"name":"Syscoin bridge remains paused as 5B token mint exploit threatens project's future — Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/syscoin-bridge-paused-exploit-project/"},{"credibility":2,"name":"Syscoin — Rekt News","type":"community_report","url":"https://rekt.news/syscoin-rekt"},{"credibility":1,"name":"Taiko halts its Ethereum layer-2 network after a bridge exploit — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/06/22/taiko-halts-its-ethereum-layer-2-network-after-a-bridge-exploit-token-dives-10"},{"credibility":1,"name":"Ethereum Layer 2 Taiko halts block production following exploit — The Block","type":"news_article","url":"https://www.theblock.co/post/405486/taiko-confirms-exploit"},{"credibility":2,"name":"$1.7M Gone: Taiko Bridge Exploited After SGX Signing Key Leak — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/22/1-7m-gone-taiko-bridge-exploited-after-sgx-signing-key-leak/"},{"credibility":2,"name":"Why crypto bridges still get hacked in 2026 — 1inch Blog","type":"research","url":"https://1inch.com/blog/post/the-biggest-bridge-hacks-in-2026"},{"credibility":2,"name":"Crypto Bridge Hacks Top $328M in 2026 as Cross-Chain Exploits Accelerate — CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/05/18/crypto-bridge-hacks-top-328m-in-2026-as-cross-chain-exploits-accelerate/"},{"credibility":2,"name":"DeFi Hacks 2026: Why Auditing The Code No Longer Helps — Crypto Economy","type":"news_article","url":"https://crypto-economy.com/defi-hacks-bridges-operational-security/"}],"summary":"The second quarter of 2026 (April–June) saw a record-breaking wave of cross-chain bridge exploits, with at least six distinct incidents draining approximately $340 million from bridge protocols alone, out of $755 million stolen across 83 crypto hacks industry-wide. The largest single events — the Drift Protocol ($285M) and KelpDAO LayerZero bridge ($292M) exploits — were attributed with medium confidence to North Korea's Lazarus Group / TraderTraitor subunit. Attack vectors ranged from social engineering of governance signers and RPC infrastructure poisoning, to smart contract proof-validation gaps and private key leakage.","timeline":[{"date":"2025-09-01","event":"Alleged start of DPRK social engineering operation targeting Drift Protocol Security Council members (approximate date; campaign reported as beginning in fall 2025)","source":"The Hacker News","source_url":"https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html"},{"date":"2026-03-06","event":"KelpDAO attack begins: threat actor alleged to have socially engineered a LayerZero Labs developer to harvest session keys and gain access to RPC cloud environment","source":"LayerZero Labs Incident Report","source_url":"https://layerzero.network/blog/layerzero-labs-kelpdao-incident-report"},{"date":"2026-03-11","event":"On-chain staging for Drift exploit begins: 10 ETH withdrawn from Tornado Cash to fund deployment of CarbonVote (CVT) fake token","source":"Chainalysis","source_url":"https://www.chainalysis.com/blog/lessons-from-the-drift-hack/"},{"date":"2026-04-01","event":"Drift Protocol exploited for approximately $285 million on Solana; 31 rapid withdrawals executed in ~12 minutes after admin control obtained via pre-signed durable nonce transactions","source":"Bloomberg","source_url":"https://www.bloomberg.com/news/articles/2026-04-01/solana-based-defi-project-drift-hit-by-285-million-exploit"},{"date":"2026-04-13","event":"Hyperbridge (Polkadot) bridge exploited via forged Merkle Mountain Range proofs; 1 billion bridged DOT minted; initial loss estimate ~$237K, later revised to ~$2.5M","source":"CoinDesk","source_url":"https://www.coindesk.com/tech/2026/04/13/attacker-mints-usd1-billion-polkadot-tokens-on-ethereum-ends-up-stealing-just-usd250-000"},{"date":"2026-04-16","event":"Hyperbridge revises loss estimate upward to ~$2.5 million; reports stolen funds traced to Binance and coordination with exchange compliance and law enforcement","source":"Yahoo Finance","source_url":"https://finance.yahoo.com/markets/crypto/articles/hyperbridge-confirms-bridged-polkadot-exploit-053634639.html"},{"date":"2026-04-18","event":"KelpDAO LayerZero bridge exploited for ~$292 million (116,500 rsETH) via RPC infrastructure poisoning enabling false chain state to be fed to single-DVN verifier","source":"CoinDesk","source_url":"https://www.coindesk.com/tech/2026/04/19/2026-s-biggest-crypto-exploit-kelp-dao-hit-for-usd292-million-with-wrapped-ether-stranded-across-20-chains"},{"date":"2026-04-20","event":"LayerZero publishes incident report attributing KelpDAO exploit to Lazarus Group / TraderTraitor; Kelp DAO disputes responsibility, alleging LayerZero approved the single-DVN configuration","source":"CoinDesk","source_url":"https://www.coindesk.com/tech/2026/04/20/layerzero-blames-kelp-s-setup-for-usd290-million-exploit-attributes-it-to-north-korea-s-lazarus"},{"date":"2026-04-22","event":"UPI and multiple outlets publish North Korea attribution for KelpDAO hack, citing Lazarus Group / TraderTraitor indicators","source":"UPI","source_url":"https://www.upi.com/Top_News/World-News/2026/04/22/KelpDAO-LayerZero-North-Korea-crypto-hack-theft-Lazarus-Group/6151776848419/"},{"date":"2026-05-05","event":"Kelp DAO publishes statement claiming LayerZero approved the configuration blamed for the $292 million hack","source":"CoinDesk","source_url":"https://www.coindesk.com/web3/2026/05/05/kelp-claims-that-layerzero-approved-the-setup-it-blamed-for-usd292-million-bridge-hack"},{"date":"2026-05-13","event":"THORChain attacker node (later identified as malicious) joins active validator set with ~635,000 RUNE bonded","source":"THORChain official blog","source_url":"https://blog.thorchain.org/thorchain-exploit-report-1"},{"date":"2026-05-15","event":"THORChain exploit: rogue node reconstructs vault private key via GG20 key shard leakage, drains ~$10.7M from one vault; network auto-halts within 52 minutes","source":"CryptoTimes","source_url":"https://www.cryptotimes.io/2026/05/17/10-8-million-drained-inside-the-thorchain-exploit-that-froze-cross-chain-defi-for-13-hours/"},{"date":"2026-05-18","event":"Verus-Ethereum bridge exploited for ~$11.58M via missing value-binding check (no verification that source input matched Ethereum payout); funds routed through Tornado Cash","source":"CoinDesk","source_url":"https://www.coindesk.com/markets/2026/05/18/yet-another-crypto-bridge-falls-victim-to-an-usd11-million-hack"},{"date":"2026-06-07","event":"Syscoin bridge exploit: cross-layer parsing mismatch between Syscoin Core and NEVM relay exploited to mint 5 billion SYS tokens (~$10M); bridge paused, tokens later burned","source":"Halborn","source_url":"https://www.halborn.com/blog/post/explained-the-syscoin-bridge-hack-june-2026"},{"date":"2026-06-09","event":"THORChain releases v3.19.0 security upgrade as part of post-exploit recovery","source":"CryptoTimes","source_url":"https://www.cryptotimes.io/2026/06/09/thorchain-advances-post-exploit-recovery-with-v3-19-0-security-upgrade/"},{"date":"2026-06-22","event":"Taiko (Ethereum L2) bridge exploited for ~$1.7M after SGX signing key for proof generator Raiko was exposed publicly on GitHub; block production halted, users urged to withdraw","source":"CoinDesk","source_url":"https://www.coindesk.com/tech/2026/06/22/taiko-halts-its-ethereum-layer-2-network-after-a-bridge-exploit-token-dives-10"},{"date":"2026-06-25","event":"Taiko announces plan to fully restore bridge backing following the $1.7M exploit","source":"CryptoTimes","source_url":"https://www.cryptotimes.io/2026/06/25/taiko-to-fully-restore-bridge-backing-after-1-7m-hack/"},{"date":"2026-06-30","event":"Q2 2026 closes with 83 crypto hack incidents and $755.3M in total losses — most hacked quarter on record by incident count; bridge exploits account for ~$351M (46.5%) of losses","source":"CoinTelegraph","source_url":"https://cointelegraph.com/news/q2-2026-most-hacked-quarter-record-83-incidents"}]},"v":1}
    Verify offline (run on your own machine)
    python -m src.verify_decision 70c778c6-7872-4fdb-8b71-c2d85e867672
How verification works. The “Row integrity” check above is computed in your browser — your machine recomputes the SHA-256 of the canonical bytes and compares against the stored hash. No avoid.net server can fake that check. The “full verify” link goes one level deeper: your browser fetches the on-chain transaction from a Solana RPC node and confirms the same hash is in the memo. If you don’t want to trust either avoid.net or the public RPC, run the CLI verifier on your own machine — python -m src.verify_decision <event_id>.