The crypto industry has witnessed at least eight major bridge-related hacks so far in 2026, with hackers stealing a combined $328.6 million from cross-chain protocols, according to blockchain security firm PeckShield.
The latest wave of exploits has intensified concerns over the security of cross-chain infrastructure, which remains one of the most vulnerable sectors within decentralized finance (DeFi). The figure was confirmed following the May 18, 2026 exploit of the Verus-Ethereum bridge, which was identified as the eighth such bridge incident of the year.
Kelp DAO suffers the largest hack of 2026
The biggest exploit of the year hit Kelp DAO after attackers drained 116,500 rsETH, worth nearly $292 million, from its LayerZero-powered bridge infrastructure on April 18, 2026.
According to investigators, the attackers forged a fake LayerZero message that tricked the bridge into releasing rsETH without any legitimate deposit occurring on another chain.
After stealing the assets, the hacker reportedly used DeFi lending platforms, primarily Aave, across Ethereum and Arbitrum, to borrow over $236 million in ETH and WETH against the fake collateral.
Security firms including Cyvers and PeckShield said the attacker was funded through Tornado Cash before the exploit, indicating a planned operation. Multiple cybersecurity firms later attributed the breach to North Korea’s Lazarus Group.
According to post-incident analysis cited by security researchers, Kelp DAO paused key contracts within roughly 46 minutes, reportedly preventing an estimated additional $200 million from being stolen.
Verus-Ethereum bridge loses $11.58 million
On May 18, 2026, hackers drained nearly $11.58 million from the Verus-Ethereum bridge after exploiting flaws in its cross-chain verification process.
Blockchain security firms Blockaid and PeckShield said attackers stole 1,625 ETH, 103.6 tBTC, and nearly 147,000 USDC by bypassing source-side balance verification checks. The attacker swapped the stolen tokens into roughly 5,402 ETH shortly after the theft.
Researchers compared the exploit to vulnerabilities seen in the 2022 Wormhole and Nomad bridge hacks. Investigators noted the exploit was caused by missing validation logic rather than compromised private keys or broken cryptography. Specifically, the bridge verified the notarized Verus state root, the Merkle proof, and the hash binding, but never checked whether the stated transfer amounts actually matched the payout.
THORChain pauses operations after $10.8 million exploit
Cross-chain liquidity protocol THORChain temporarily halted swaps and liquidity operations after suffering a $10.8 million exploit on May 15, 2026 tied to a compromised validator node.
The attack drained assets including roughly 3,443 ETH, 36.85 BTC, 96.6 BNB, and other assets from THORChain’s Asgard vaults by exploiting weaknesses in the protocol’s GG20 threshold signature system.
Blockchain investigator ZachXBT, along with PeckShield, Arkham Intelligence, Cyvers, and Chainalysis, linked the exploit to a sophisticated laundering operation prepared weeks in advance. As The Crypto Times has reported, Chainalysis traced the attacker’s preparatory activity through Monero, Hyperliquid, and Arbitrum, beginning well before the theft.
THORChain later confirmed that no user-controlled funds were directly impacted, as the losses were limited to protocol-owned liquidity.
ZetaChain reveals multiple flaws behind april attack
ZetaChain disclosed that three separate vulnerabilities led to a $333k exploit involving its GatewayEVM smart contract at the end of April.
According to the project’s post-mortem report, attackers exploited missing access controls, unrestricted cross-chain execution permissions, and unlimited token approvals tied to internal team wallets.
The attacker reportedly routed stolen USDC and USDT across Ethereum, Arbitrum, Base, and BNB Chain before converting the proceeds into roughly 139 ETH. ZetaChain said no user funds were affected because only internal wallets were targeted.
Hyperbridge and IoTeX hit
Hyperbridge paused operations after attackers exploited weaknesses in its Token Gateway verification process, causing roughly $237,000 in losses.
According to BlockSec, the attacker submitted forged proofs that allowed unauthorized minting of nearly 1 billion fake bridged DOT tokens on Ethereum before selling them on decentralized exchanges.
Meanwhile, IoTeX confirmed a $4.3 million exploit involving its ioTube bridge after a validator owner’s private key was compromised.
The attacker allegedly minted unauthorized USDC, USDT, IOTX, and WBTC before routing funds through THORChain into Bitcoin wallets. IoTeX said the exploit was isolated to bridge contracts and did not affect its Layer 1 blockchain or consensus system.
CrossCurve exploit adds to security concerns
Cross-chain protocol CrossCurve also lost nearly $3 million after attackers spoofed cross-chain messages through an Axelar-linked contract.
According to Defimon Alerts, the exploit bypassed validation checks and triggered unauthorized token releases across multiple networks.
CrossCurve paused bridge operations immediately after the incident, while CEO Boris Povar offered a 10% bounty for the return of stolen funds.
Meanwhile, Curve Finance advised users to reassess exposure to CrossCurve-related liquidity pools following the exploit.
The recent attacks come amid a broader rise in DeFi-related exploits this year. Data from DeFiLlama shows DeFi protocols have already suffered over $20 million in losses in May 2026 alone, while April breaches exceeded $606 million.
Also Read: Kenya’s DCI Cracks Down on $431K USDT Fake Gold Scheme
