Gravity Bridge drained of $5.4 million
Gravity Bridge, a bridge between the Cosmos and Ethereum blockchains, suffered $5.4 million in losses likely due compromised private keys. The developers of the protocol urged validators to halt while the theft was investigated, and the bridge was indeed halted shortly after. Two weeks after the hack, the Gravity Bridge interface remained unavailable.
Verus bridge hacked for $11.6 million
An attacker stole $11.6 million in various crypto assets from the Verus–Ethereum bridge, which allows users to use tokens from the Verus network on the Ethereum chain and vice versa. The attacker then swapped the tokens for ETH, limiting the ability for issuers of more centralized tokens to freeze the stolen assets.
Verus halted the entire Verus network after the exploit was detected in hopes of limiting further damage.
The exploiter later accepted a bounty offer by Verus, returning 4,052 ETH (~$8.5 million) while keeping the remaining ~25% as a "bounty".
TAC bridge exploited for $2.8 million
The TAC bridge, which bridges assets from the Ethereum blockchain to the Telegram-linked TON chain, was exploited for $2.8 million. The project paused the bridge and announced they were investigating.
The project has announced they intend to "restor[e] bridge liquidity through a legally structured sale of Foundation's TAC token treasury reserves."
Kelp DAO bridge hacked for $292 million
An attacker stole 116,500 rsETH (restaked ether) from a blockchain bridge run by Kelp DAO. Based on prices at the time of the theft, the stolen tokens would be worth around $292 million — however, the attacker is likely to face challenges selling a quantity of tokens that amounts to 18% of rsETH's circulating supply.
When tokens are bridged from one chain to another, the tokens on the original chain are locked in the bridge smart contract while the token is used on the other chain, preventing its owner from double-spending the asset. With 116,500 locked rsETH now stolen, those using the token on other blockchains are now holding possibly unbacked tokens.
The rush for holders to offload their dubiously backed tokens is likely to worsen contagion throughout defi protocols, where those platforms could be left holding the bag. Some platforms, including Aave, Lido Finance, and Ethena, have paused markets involving rsETH to try to protect themselves.
This hack has set the new record for the largest defi hack in 2026, following the $285 million Drift exploit on April 1.
IoTeX bridge exploited for $2 million after private key compromise
IoTeX, a platform to connect IoT devices to blockchain networks, lost around $2 million after a private key compromise enabled an attacker to drain funds from the project's token safe. Initial loss estimates were as high as $8.8 million, although IoTeX CEO Raullen Chai stated that the actual loss was closer to $2 million.
Blockchain security researcher Specter has suggested there may be links between this attack and a $50 million theft from the Infini "stablecoin neobank" a year ago.
CrossCurve users exploited for around $3 million
Hackers exploited a bug in smart contracts deployed by the defi protocol CrossCurve to steal an estimated $3 million across multiple blockchains. The thief was able to spoof cross-chain messages, causing the CrossCurve bridge to release assets not belonging to them.
CrossCurve took a conciliatory tone in on-chain messages sent to the thief, writing, "These tokens were wrongfully taken from users due to a smart contract exploit. We do not believe this was intentional on your part, and there is no indication of malicious intent." (Who among us hasn't accidentally stolen millions of dollars?) However, they warned, they planned to escalate to working with law enforcement and blockchain security firms to investigate and prosecute the theft if the funds were not returned within 72 hours.
Seedify launchpad project suffers bridge exploit
An attacker exploited bridges for SFUND, the token issued by the Seedify launchpad and incubator. It appears the exploiter has profited around $1.7 million from the theft. Seedify issued a statement announcing the theft, and said the bridge contracts that were exploited had been deployed for three years. The SFUND token crashed in price by around 80% before recovering somewhat.
Seedify has been a launchpad for blockchain games, NFT projects, and other web3 products. The team recently has embraced "vibe coding" — a practice in which people rely heavily on AI to generate code.
Shibarium bridge hit with $2.4 million flash loan attack
A bridge for Shibarium, the layer-2 network for the Shiba Inu project, was exploited for approximately $2.4 million in funds. The attacker bought 4.6 million BONE tokens (the governance token for Shibarium) using a flash loan, then used compromised validator signing keys to take control of the majority of validator power. Then, they used that control to drain around 225 ETH and 92.6 billion SHIB, together priced at around $2.4 million at the time of the theft.
The project has paused staking on the network, freezing the BONE tokens borrowed by the attacker, which may limit the attacker's profits.
Wemix Foundation bridge hacked for $6.2 million
The Wemix Foundation, which runs the blockchain gaming platform WEMIX, suffered a $6.2 million hack of their blockchain bridge. Although the hack occurred on February 28, the company did not disclose the theft until four days after the incident, leading some to accuse Wemix of attempting to cover up the hack. Wemix has denied those allegations, claiming that the delay was in hopes of preventing market panic, and to ensure they had time to patch any security vulnerabilities before publicly disclosing a breach.
NoOnes hacked for almost $8 million
After crypto sleuth zachxbt noticed an apparent theft from the NoOnes peer-to-peer crypto trading platform on January 1, CEO Ray Youssef was forced to acknowledge the theft. He claimed that the project's Solana bridge had suffered a compromised, and explained that it had been taken offline for "exhaustive pen testing".
Youssef emphasized that user funds were safe, which led to questioning from others on how that could be possible when nearly $8 million had been stolen. Youssef claimed he had reimbursed the stolen assets himself.
- Telegram post by zachxbt [archive]
- Tweet by Ray Youssef [archive]