Key Takeaways
- Peckshield flagged a ~$5.4M Gravity Bridge exploit on Might 30, together with $4.3M in USDC and 274 ETH.
- The theft provides to over $328M Peckshield tracked throughout bridge hacks in Might 2026.
- The attacker nonetheless holds 2,102 ETH (~$4.23M), with onchain sleuths monitoring the laundering path.
Funds Routed By Binance and ChangeNow
Gravity Bridge, a protocol that strikes tokens between Ethereum and the Cosmos ecosystem, misplaced about $5.4 million in a contemporary exploit flagged by blockchain safety agency Peckshield. The stolen property included roughly $4.3 million in USD Coin (USDC), 274 ether ( ETH) price about $553,000, $434,000 in tether ( USDT) and 14.164 PAYG tokens valued close to $64,000.
The attacker wasted little time transferring the proceeds. In accordance with Peckshield’s evaluation, a part of the haul has already been laundered by Changenow, a non-custodial swap service, and Binance, the world’s largest cryptocurrency alternate by buying and selling quantity. As of the alert, the exploiter was nonetheless holding about 2,102 ETH price roughly $4.23 million, suggesting the majority of the stolen worth remained onchain and probably traceable.
Routing funds by a centralized alternate resembling Binance can break the path by mixing stolen cash with reputable liquidity, nevertheless it additionally exposes the funds to freezes if the platform’s compliance staff acts rapidly. Swap companies like ChangeNow are sometimes used to transform property into harder-to-trace tokens earlier than they attain an alternate.
What Gravity Bridge Does
Gravity Bridge is a cross-chain bridge (software program that lets customers transfer tokens from one blockchain to a different), connecting Ethereum with the Cosmos community of interoperable chains. Constructed on the Cosmos SDK, it really works on a lock-and-mint mannequin. Right here, a token is locked on one chain and an equal illustration is minted on the opposite, then burned and redeemed when the person bridges again.
Quite than counting on a small multi-signature pockets or a permissioned group of operators, Gravity Bridge makes use of its validator set to signal cross-chain transactions, a design meant to make it extra decentralized and more durable to compromise. That structure has not made bridges resistant to assaults as a result of, by design, they maintain giant swimming pools of locked property, turning them into a few of the most profitable targets in decentralized finance ( DeFi). A single flaw of their validation logic can unlock every part without delay.
A Brutal 12 months for Cross-Chain Bridges
The Gravity Bridge incident lands in the course of a punishing stretch for cross-chain infrastructure, given Bitcoin.com Information just lately reported that bridge exploits drained greater than $328 million throughout eight separate incidents by mid-Might 2026 alone.
The sample has been relentless all year long. On Might 18, attackers drained about $11.5 million from the Verus-Ethereum bridge, with the perpetrator funded by Twister Money earlier than the theft. Subsequently, in April, a suspected exploit pulled an estimated $200 million-plus out of Drift Protocol whereas a separate breach drained 116,500 rsETH from KelpDAO’s Layerzero adapter, exposing lending markets to potential dangerous debt.
Smaller hits have piled up too, together with a $2.4 million flash-loan assault on the Shibarium bridge. In all of this, the repetition factors to a structural drawback reasonably than a string of dangerous luck. Bridges have to reconcile the differing safety fashions of two chains, and the code that verifies deposits and withdrawals has repeatedly confirmed to be the weakest hyperlink (whether or not by lacking validation checks, compromised keys or governance flaws).
Guessing the Strikes Forward
The rapid query is how a lot of the stolen $5.4 million could be recovered. With the attacker nonetheless sitting on roughly $4.23 million in ETH, exchanges and analytics companies have a window to flag and freeze the funds, and protocols more and more use public strain and onchain messages to barter returns. The Verus hacker, for example, finally returned $8.5 million whereas retaining a $2.8 million bounty underneath a restoration deal.
For now, Gravity Bridge customers can be anticipating an official incident report detailing the foundation trigger and any plan to reimburse affected depositors. Till bridges clear up the validation weaknesses that preserve surfacing, the multichain financial system’s most essential connectors are more likely to stay its most ceaselessly robbed.