Verify a decision

{"actor":"system:backfill","investigation_id":"7b8d8b86-b079-4597-9103-2049c740e3e3","kind":"publish","page_slug":"june-2026-cross-chain-bridge-exploit-127m","published_at":"2026-06-19T17:16:41.285Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"June 2026 Cross-Chain Bridge Exploit ($127M)","sections":[{"content":"The specific claim of a '$127 million cross-chain bridge exploit' in June 2026 originates primarily from a blog post by Nadcab Labs (nadcab.com), a blockchain development and software marketing company. That article names three affected protocols — BridgeLink, CrossFlow, and Relay Protocol — none of which appear in any Tier 1 or Tier 2 reporting outlets, including CoinDesk, Rekt News, Chainalysis, The Block, Decrypt, Bloomberg, Reuters, or official regulatory filings. Searches across these outlets for those protocol names and the claimed June 14, 2026 date yield no corroborating results. The Nadcab article is classified as a Tier 3 source: it is produced by a commercial blockchain development firm with no independent editorial standards, and its claims are uncorroborated. No regulatory actions (SEC, CFTC, DOJ) referencing these protocols or this dollar figure have been identified. Investigators should treat the '$127M' figure and the named protocols as alleged and low-confidence pending Tier 1 or Tier 2 corroboration.","heading":"Source Credibility Assessment: The $127M Figure","severity":"high","sources":[{"credibility":3,"name":"$127M Stolen in DeFi Bridge Cross-Chain Hack | Nadcab Labs","type":"other","url":"https://www.nadcab.com/blog/defi-bridge-exploit-june-cross-chain"}]},{"content":"The only large-scale cross-chain bridge exploit in June 2026 with Tier 2 corroboration is the Syscoin bridge incident. On June 7, 2026, an unknown attacker exploited a proof validation vulnerability in Syscoin's native cross-chain bridge to mint approximately 5 billion unauthorized SYS tokens. At June 7 closing prices of approximately $0.00171 per SYS (CoinGecko), the minted tokens were valued at roughly $8.56-$10 million. This represented an inflationary increase of approximately 568% above Syscoin's legitimate circulating supply of approximately 891 million SYS at the time of the attack. The exploit was discovered and publicly disclosed by the Syscoin development team on June 8, 2026. GoPlus Security independently identified and confirmed the vulnerability. The incident was covered by Rekt News, Cryptopolitan, CryptoTimes, Halborn, and multiple other established crypto outlets.","heading":"Verified Incident: Syscoin Bridge Exploit (June 7, 2026)","severity":"high","sources":[{"credibility":2,"name":"Syscoin Halts Bridge After Exploit Mints 5 Billion SYS Tokens | CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/08/syscoin-halts-bridge-after-exploit-mints-5-billion-sys-tokens/"},{"credibility":2,"name":"Syscoin bridge remains paused as 5B token mint exploit threatens project's future | Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/syscoin-bridge-paused-exploit-project/"},{"credibility":2,"name":"Syscoin - Rekt News","type":"research","url":"https://rekt.news/syscoin-rekt"},{"credibility":2,"name":"Explained: The Syscoin Bridge Hack (June 2026) | Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-syscoin-bridge-hack-june-2026"},{"credibility":2,"name":"Syscoin bridge exploit mints ~5B unauthorized SYS tokens worth $10 million | PricePredictions","type":"news_article","url":"https://pricepredictions.com/news/syscoin-bridge-exploit-5-billion-sys-tokens-minted-proof-validation-flaw-br7jyfk9"}]},{"content":"Halborn's post-mortem and the Syscoin team's June 15, 2026 technical disclosure identified the root cause as an ambiguous SPV (Simplified Payment Verification) proof parsing vulnerability. Syscoin's cross-chain bridge connects a Bitcoin-style UTXO chain to an Ethereum-compatible NEVM (Network-Enhanced Virtual Machine) layer. The bridge relies on SPV proofs to verify that a burn transaction has occurred on one side before authorizing a mint on the other. The attacker crafted a UTXO transaction containing two asset records that both referenced the same output: one record identified the output as a custom test token the attacker had created, and the other identified it as native SYS. Syscoin Core and the NEVM relay module parsed the ambiguous payload differently — Syscoin Core treated it as a custom token transaction while the relay treated it as a native SYS burn — causing the storage smart contract to authorize a mint of 5 billion SYS on the NEVM side without a genuine corresponding burn. The attacker had previously tested the technique with a smaller transaction before executing the main exploit. According to the Syscoin team, this was not a cryptographic flaw in SPV proof design but a logic and parsing implementation error in the relay code. The fix implemented by the team requires each burn proof to link to exactly one asset record, eliminating the ambiguity that enabled the attack.","heading":"Technical Mechanism: SPV Proof Parsing Flaw","severity":"high","sources":[{"credibility":2,"name":"Explained: The Syscoin Bridge Hack (June 2026) | Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-syscoin-bridge-hack-june-2026"},{"credibility":2,"name":"Syscoin eliminates consequences of bridge attack | CoinSpot","type":"news_article","url":"https://coinspot.io/en/cryptocurrencies/syscoin-recovers-after-hack-and-burns-5-billion-stolen-tokens/"},{"credibility":2,"name":"Syscoin recovers and burns 5 billion hack tokens | Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/syscoin-recovers-and-burns-5-billion-hack-tokens/"}]},{"content":"The Rekt News analysis published on-chain addresses associated with the Syscoin exploit. The initial minting recipient address was sys1qgaelv690g7wwp2xchfdh0enf5uewzq5sm9wvcw. The mint transaction hash was a5b422abbbd89c8e316d1990f696e030d610cb527001ff97524f5317e87fa184. The attacker split the approximately 5 billion SYS across two wallets: sys1q2k482wnachkgky4lw60973p4vcf7xlh9kzpv33 (approximately 4 billion SYS) and sys1qx6jjkq89sdaxftfgre3m0nv7vjfd4jeakg5t38 (approximately 1 billion SYS), via transaction 31e12b0dcd9aeffa12e596e0b16d75ce161667104c7e511bfafe67195117113c. The Syscoin team's designated recovery address was sys1qdytsq5am9a7y6hweenl925g3yxtlrvl9fls0yg. Funds were returned via transactions ce9671d1e5d1fa4d7090828f92712c830aef7ecb87e31f59c4fab7baf7a8fc9d and e079e10ceae81d30ce64e5469acde64a8c7f4705771e4d6eceabecbcb100debd. All returned tokens were permanently destroyed via an OP_RETURN burn transaction viewable on Syscoin's block explorer.","heading":"On-Chain Evidence and Fund Movement","severity":"medium","sources":[{"credibility":2,"name":"Syscoin - Rekt News","type":"on_chain","url":"https://rekt.news/syscoin-rekt"},{"credibility":2,"name":"Syscoin recovers and burns 5 billion hack tokens | Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/syscoin-recovers-and-burns-5-billion-hack-tokens/"}]},{"content":"The Syscoin exploit had an unusually complete recovery. After tracing the stolen tokens across UTXO addresses, the Syscoin development team contacted the attacker directly via an on-chain message, providing a recovery address and warning that exchange escalation and legal action would follow. On June 9, 2026, the team opened a private bounty discussion with the attacker; the specific bounty terms were not disclosed publicly. The attacker voluntarily returned all 5 billion SYS tokens to the Syscoin team's recovery address. The team then permanently destroyed the returned tokens via an OP_RETURN burn transaction, restoring the on-chain SYS supply to pre-attack levels. Native SYS deposits at exchanges resumed on June 10, 2026. As of the June 15 postmortem, the bridge remained paused pending completion of a full security audit and validation of the patch. No formal identification of the attacker was published. No law enforcement or regulatory bodies were identified as involved in the recovery.","heading":"Recovery Outcome","severity":"low","sources":[{"credibility":2,"name":"Syscoin recovers and burns 5 billion hack tokens | Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/syscoin-recovers-and-burns-5-billion-hack-tokens/"},{"credibility":2,"name":"Syscoin Reports Bridge Vulnerability, Destroys Recovered Funds | Phemex News","type":"news_article","url":"https://phemex.com/news/article/syscoin-reports-bridge-vulnerability-destroys-recovered-funds-89590"},{"credibility":2,"name":"Syscoin eliminates consequences of bridge attack | CoinSpot","type":"news_article","url":"https://coinspot.io/en/cryptocurrencies/syscoin-recovers-after-hack-and-burns-5-billion-stolen-tokens/"}]},{"content":"Following public disclosure of the exploit on June 8, 2026, SYS token price declined approximately 20% in the immediate aftermath. As of mid-June 2026, CoinMarketCap listed SYS at approximately $0.0026, representing a decline of over 48% over the prior 30 days and over 91% over the prior year. The token's circulating supply, temporarily inflated by 568% during the attack period, was restored to approximately 891 million SYS after the burn transaction. The unauthorized minting temporarily represented approximately 85% of Syscoin's total post-exploit supply.","heading":"Market Impact","severity":"medium","sources":[{"credibility":2,"name":"SYS Drops 20% After 5B Unauthorized Tokens Minted in Syscoin Bridge Exploit | CryptoPotato","type":"news_article","url":"https://cryptopotato.com/sys-drops-20-after-5b-unauthorized-tokens-minted-in-syscoin-bridge-exploit/"},{"credibility":2,"name":"Syscoin bridge exploit mints ~5B unauthorized SYS tokens worth $10 million | PricePredictions","type":"news_article","url":"https://pricepredictions.com/news/syscoin-bridge-exploit-5-billion-sys-tokens-minted-proof-validation-flaw-br7jyfk9"}]},{"content":"No threat actor was publicly attributed in connection with the Syscoin bridge exploit. The Syscoin team, GoPlus Security, Halborn, and Rekt News all declined to name or speculate on the identity of the attacker in their published analyses. The attacker's willingness to return funds after on-chain contact and the offer of a bounty discussion may suggest an opportunistic exploit rather than a state-sponsored operation, though this is speculative. In the broader June 2026 bridge exploit landscape, the most significant state-actor attribution involved the KelpDAO/LayerZero exploit of April 2026, in which LayerZero attributed the $292 million theft 'with preliminary confidence' to North Korea's Lazarus Group and its TraderTraitor subunit. That attack targeted off-chain RPC node infrastructure rather than on-chain smart contract logic, and occurred approximately six weeks before the Syscoin incident. No connection between the Syscoin exploit and any state-sponsored threat actor has been identified in published sources.","heading":"Attribution and Threat Actor Analysis","severity":"medium","sources":[{"credibility":2,"name":"Syscoin - Rekt News","type":"research","url":"https://rekt.news/syscoin-rekt"},{"credibility":1,"name":"LayerZero blames Kelp's setup for $290 million exploit, attributes it to North Korea's Lazarus | CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/04/20/layerzero-blames-kelp-s-setup-for-usd290-million-exploit-attributes-it-to-north-korea-s-lazarus"},{"credibility":1,"name":"Inside the KelpDAO Bridge Exploit | Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/kelpdao-bridge-exploit-april-2026/"}]},{"content":"The Syscoin incident occurred within a broader pattern of bridge exploits in 2026. Industry reporting indicates approximately $340 million was stolen across 14 bridge attacks in 2026 through mid-year. The single largest verified incident was the KelpDAO bridge exploit on April 18, 2026, in which approximately $292 million in rsETH was stolen via a compromised off-chain RPC node attack attributed to North Korea's Lazarus Group. TRM Labs reported that North Korea-linked actors stole 76% of all crypto hack value in 2026 through just two attacks. Separately, a Cybernews report referenced a $300 million cross-chain bridge hack described as the largest DeFi exploit of 2026; it is possible this reference conflates or rounds the KelpDAO figure. The $127 million figure attached to the queue's investigation target does not correspond to the Syscoin incident ($9-10M) or the KelpDAO incident ($292M), and no Tier 1 or Tier 2 source has identified a bridge exploit in June 2026 with a loss figure in the $127 million range.","heading":"Broader 2026 Bridge Exploit Context","severity":"medium","sources":[{"credibility":2,"name":"$340M Lost: 14 Crypto Hacks 2026 Targeting Bridges | CoinGabbar","type":"news_article","url":"https://www.coingabbar.com/en/crypto-currency-news/crypto-hacks-2026-14-bridge-attacks-security-concerns"},{"credibility":2,"name":"North Korea Stole 76% of All Crypto Hack Value in 2026 With Just Two Attacks | TRM Labs","type":"research","url":"https://www.trmlabs.com/resources/blog/north-korea-stole-76-of-all-crypto-hack-value-in-2026-with-just-two-attacks"},{"credibility":1,"name":"Kelp DAO exploited for $292 million with wrapped ether stranded across 20 chains | CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/04/19/2026-s-biggest-crypto-exploit-kelp-dao-hit-for-usd292-million-with-wrapped-ether-stranded-across-20-chains"},{"credibility":2,"name":"Top Crypto Hacks of 2026: Bridge Exploits and Sophisticated Operations Drive Over $750 Million in Losses | KuCoin","type":"news_article","url":"https://www.kucoin.com/blog/top-crypto-hacks-2026-bridge-exploits"}]}],"sources_used":[{"credibility":3,"name":"$127M Stolen in DeFi Bridge Cross-Chain Hack | Nadcab Labs","type":"other","url":"https://www.nadcab.com/blog/defi-bridge-exploit-june-cross-chain"},{"credibility":2,"name":"Syscoin Halts Bridge After Exploit Mints 5 Billion SYS Tokens | CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2026/06/08/syscoin-halts-bridge-after-exploit-mints-5-billion-sys-tokens/"},{"credibility":2,"name":"Syscoin bridge remains paused as 5B token mint exploit threatens project's future | Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/syscoin-bridge-paused-exploit-project/"},{"credibility":2,"name":"Syscoin recovers and burns 5 billion hack tokens | Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/syscoin-recovers-and-burns-5-billion-hack-tokens/"},{"credibility":2,"name":"Syscoin - Rekt News","type":"research","url":"https://rekt.news/syscoin-rekt"},{"credibility":2,"name":"Explained: The Syscoin Bridge Hack (June 2026) | Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-syscoin-bridge-hack-june-2026"},{"credibility":2,"name":"Syscoin bridge exploit mints ~5B unauthorized SYS tokens worth $10 million | PricePredictions","type":"news_article","url":"https://pricepredictions.com/news/syscoin-bridge-exploit-5-billion-sys-tokens-minted-proof-validation-flaw-br7jyfk9"},{"credibility":2,"name":"Syscoin eliminates consequences of bridge attack | CoinSpot","type":"news_article","url":"https://coinspot.io/en/cryptocurrencies/syscoin-recovers-after-hack-and-burns-5-billion-stolen-tokens/"},{"credibility":2,"name":"Syscoin Reports Bridge Vulnerability, Destroys Recovered Funds | Phemex News","type":"news_article","url":"https://phemex.com/news/article/syscoin-reports-bridge-vulnerability-destroys-recovered-funds-89590"},{"credibility":2,"name":"5 Billion SYS Created in Syscoin Bridge Breach, Team Halts Operations | Live Bitcoin News","type":"news_article","url":"https://www.livebitcoinnews.com/5-billion-sys-created-in-syscoin-bridge-breach-team-halts-operations/"},{"credibility":1,"name":"Kelp DAO exploited for $292 million with wrapped ether stranded across 20 chains | CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/04/19/2026-s-biggest-crypto-exploit-kelp-dao-hit-for-usd292-million-with-wrapped-ether-stranded-across-20-chains"},{"credibility":1,"name":"LayerZero blames Kelp's setup for $290 million exploit, attributes it to North Korea's Lazarus | CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/04/20/layerzero-blames-kelp-s-setup-for-usd290-million-exploit-attributes-it-to-north-korea-s-lazarus"},{"credibility":1,"name":"Inside the KelpDAO Bridge Exploit | Chainalysis","type":"research","url":"https://www.chainalysis.com/blog/kelpdao-bridge-exploit-april-2026/"},{"credibility":2,"name":"North Korea Stole 76% of All Crypto Hack Value in 2026 With Just Two Attacks | TRM Labs","type":"research","url":"https://www.trmlabs.com/resources/blog/north-korea-stole-76-of-all-crypto-hack-value-in-2026-with-just-two-attacks"},{"credibility":2,"name":"$340M Lost: 14 Crypto Hacks 2026 Targeting Bridges | CoinGabbar","type":"news_article","url":"https://www.coingabbar.com/en/crypto-currency-news/crypto-hacks-2026-14-bridge-attacks-security-concerns"},{"credibility":2,"name":"KelpDAO Bridge Exploit Analysis: North Korean Hackers Steal $292 Million Via Off-Chain Attack | Crowdfund Insider","type":"news_article","url":"https://www.crowdfundinsider.com/2026/04/275261-kelpdao-bridge-exploit-analysis-north-korean-hackers-steal-292-million-via-off-chain-attack/"},{"credibility":2,"name":"Top Crypto Hacks of 2026: Bridge Exploits and Sophisticated Operations | KuCoin","type":"news_article","url":"https://www.kucoin.com/blog/top-crypto-hacks-2026-bridge-exploits"}],"summary":"Research into an alleged $127 million cross-chain bridge exploit in June 2026 found no Tier 1 or Tier 2 corroboration for that specific figure. The only verifiable large bridge exploit in June 2026 was the Syscoin bridge incident (June 7, 2026), in which an attacker minted approximately 5 billion unauthorized SYS tokens valued at roughly $9-10 million via an SPV proof validation flaw; all stolen tokens were subsequently returned and burned. A separate, much larger bridge exploit — the KelpDAO/LayerZero incident attributed to North Korea's Lazarus Group — occurred in April 2026 and involved approximately $292 million, and may be the source of the inflated $127M figure circulating in lower-credibility outlets.","timeline":[{"date":"2026-04-18","event":"KelpDAO bridge exploited for approximately $292 million in rsETH via compromised off-chain RPC node infrastructure; later attributed by LayerZero with preliminary confidence to North Korea's Lazarus Group (TraderTraitor subunit). This is the largest verified bridge exploit of 2026.","source":"CoinDesk","source_url":"https://www.coindesk.com/tech/2026/04/19/2026-s-biggest-crypto-exploit-kelp-dao-hit-for-usd292-million-with-wrapped-ether-stranded-across-20-chains"},{"date":"2026-04-20","event":"LayerZero publishes post-mortem attributing KelpDAO exploit to Lazarus Group/TraderTraitor; blames Kelp's 1-of-1 DVN verifier configuration.","source":"CoinDesk","source_url":"https://www.coindesk.com/tech/2026/04/20/layerzero-blames-kelp-s-setup-for-usd290-million-exploit-attributes-it-to-north-korea-s-lazarus"},{"date":"2026-06-07","event":"Syscoin bridge exploit: attacker submits malformed SPV proof, minting approximately 5 billion unauthorized SYS tokens (valued at approximately $8.56-$10 million). Bridge is suspended. Syscoin development team discovers the attack.","source":"CryptoTimes","source_url":"https://www.cryptotimes.io/2026/06/08/syscoin-halts-bridge-after-exploit-mints-5-billion-sys-tokens/"},{"date":"2026-06-08","event":"Syscoin team publicly discloses exploit and bridge suspension. GoPlus Security independently identifies and confirms the vulnerability. SYS token price drops approximately 20%.","source":"Cryptopolitan","source_url":"https://www.cryptopolitan.com/syscoin-bridge-paused-exploit-project/"},{"date":"2026-06-09","event":"Syscoin team contacts attacker via on-chain message, providing recovery address and warning of legal consequences. Bounty discussion opened through private channel; terms not disclosed.","source":"Rekt News","source_url":"https://rekt.news/syscoin-rekt"},{"date":"2026-06-10","event":"Native SYS deposits resume at exchanges after partial coordination. Attacker returns all 5 billion SYS tokens to recovery address.","source":"Cryptopolitan","source_url":"https://www.cryptopolitan.com/syscoin-recovers-and-burns-5-billion-hack-tokens/"},{"date":"2026-06-15","event":"Syscoin team publishes full technical postmortem. Recovered 5 billion SYS tokens are permanently destroyed via OP_RETURN burn transaction on Syscoin's block explorer. Bridge remains suspended pending final audit.","source":"CoinSpot","source_url":"https://coinspot.io/en/cryptocurrencies/syscoin-recovers-after-hack-and-burns-5-billion-stolen-tokens/"}]},"v":1}