Blockchain security firm Blockaid detected an active exploit targeting the Alephium TokenBridge on Ethereum on May 30, 2026. The attacker drained approximately $815,000 in custody assets and minted 13.76 million unbacked wrapped ALPH tokens directly to their wallet, which showed a balance of roughly $559,531.52 across two chains at the time of Blockaid’s disclosure.
The entire attack was carried out in approximately seven minutes. The exploiter’s address logged 52 transactions on Etherscan. As of publishing, the drained funds and the 13.76M unbacked wrapped ALPH have not been moved from the initial receiving address.
What happened: Forged VAAs and a 4-guardian wormhole fork
According to Blockaid’s detailed thread on X, the Alephium bridge is built on a private fork of Wormhole, the cross-chain messaging protocol behind some of DeFi’s largest bridges. However, unlike the main Wormhole deployment that uses 19 guardians with a quorum of 13 signatures, Alephium’s fork operated with only four guardians.
Three of those four guardian keys were compromised. Under Wormhole’s quorum formula of floor(n*2/3)+1, a set of four guardians has a quorum of three, so three stolen keys equal full bridge authority. The compromised signer addresses identified on the malicious VAAs are 0x214f15…ad29, 0x78c7b8…7852, and 0x9efb0c…89a1. The only honest, unused guardian key was 0x4b2cbe…88fb.
The attacker used the stolen keys to sign six forged Verified Action Approvals (VAAs) and called the function completeTransfer(bytes) (selector 0xc6878519) on the TokenBridge proxy contract. The bridge contract correctly verified the cryptographic signatures and processed every transaction without resistance.
What was drained
The six forged VAAs instructed the bridge to unlock USDT, USDC, WBTC, and WETH from the custody reserves held inside the bridge contract. On top of that, the attacker minted 13.76 million wrapped ALPH tokens in a single transaction, all without any corresponding ALPH locked on the Alephium chain.
The 13.76M figure exceeds 100% of the prior Ethereum-side circulating supply of wrapped ALPH. This means the wrapped ALPH token on Ethereum is now effectively compromised, and any liquidity pools pairing it with other tokens face immediate risk if the attacker begins selling.
ALPH was trading around $0.036 to $0.041 at the time of the exploit, with a total market capitalization below $6 million.
Not a smart contract bug
Blockaid was clear in its assessment. This is not a smart contract vulnerability. The TokenBridge proxy contract worked exactly as it was designed. It verified the signatures, found them valid, and executed the transfers.
The failure sits entirely on the operational side. Guardian key custody was breached, and the guardian set was too small to absorb the compromise. According to Alephium’s own documentation, the guardian network included Swiss entities like Bity and Alt (formerly Altconomy), along with community-run operators like NoTrustVerify. All guardians were said to operate within “transparently codified infrastructure” with two-factor authentication required for changes.
Despite these measures, three of four nodes were compromised. The incident mirrors earlier key-management failures across the industry, including the Harmony Bridge hack of June 2022 where two of five multisig keys were stolen, and the Multichain collapse of July 2023 where all private keys sat with a single individual.
2026’s bridge exploit problem continues
The Alephium exploit adds to a record-setting year for cross-chain bridge attacks. PeckShield data from mid-May tracked eight major bridge-related exploits totaling $328.6 million in 2026 so far.
The largest was the $292M KelpDAO LayerZero breach on April 18, followed by the $285M Drift Protocol exploit on April 1. Smaller but notable incidents hit THORChain ($10.8M), Verus Protocol ($11.58M), IoTeX ($4.3M), and others.
While the Alephium exploit is smaller in dollar terms, the mechanics carry broader implications. Multiple smaller L1 chains and application-specific blockchains have deployed private forks of established bridge protocols with reduced guardian sets. If those guardian keys share similar operational security setups, the Alephium attack could serve as a blueprint.
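The quorum arithmetic from the guardian-set discussion above, extended to the shared-setup risk raised in the previous paragraph, as an added example that is not from Blockaid, Wormhole or Alephium: it reports how many keys, and how many whole failure domains, have to be breached before a guardian set's quorum is reached. The guardian names and domain labels are constructed for illustration.

```python
from collections import Counter


def quorum(n):
    """Quorum formula quoted in the article: floor(n*2/3)+1."""
    if n < 1:
        raise ValueError("guardian set must be non-empty")
    return (n * 2) // 3 + 1


def assess(guardians):
    """guardians maps guardian name -> failure domain (operator, host, key store).

    Returns the quorum plus the smallest number of keys and of whole
    failure domains whose compromise is enough to sign a valid message.
    """
    n = len(guardians)
    q = quorum(n)
    # Largest domains first gives the fewest domain breaches that reach quorum.
    sizes = sorted(Counter(guardians.values()).values(), reverse=True)
    held = domains = 0
    for size in sizes:
        if held >= q:
            break
        held += size
        domains += 1
    return {
        "guardians": n,
        "quorum": q,
        "keys_to_reach_quorum": q,
        # Keys that must stay uncompromised for a forged message to fail.
        "uncompromised_keys_to_block": n - q + 1,
        "domains_to_reach_quorum": domains,
    }


# Constructed inputs: names and domain labels are illustrative only.
FOUR_INDEPENDENT = {"g1": "op-a", "g2": "op-b", "g3": "op-c", "g4": "op-d"}
FOUR_SHARED_HOST = {"g1": "host-x", "g2": "host-x", "g3": "op-c", "g4": "op-d"}
NINETEEN_INDEPENDENT = {f"g{i}": f"op-{i}" for i in range(19)}

if __name__ == "__main__":
    for label, gset in [("4 independent", FOUR_INDEPENDENT),
                        ("4, two on one host", FOUR_SHARED_HOST),
                        ("19 independent", NINETEEN_INDEPENDENT)]:
        print(label, assess(gset))
```

A four-guardian set needs two uncompromised keys to reject a forged message, so a single honest guardian cannot block it; when two guardians share one host, two domain breaches are enough.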
