Key Highlights
- Attackers used fake on-chain messages to exploit Alephium Bridge, draining about $815,000 and minting 13.76M unbacked wALPH.
- The main theft happened in roughly 64 seconds, hitting both Ethereum and BSC before funds were quickly moved through multiple platforms.
- Alephium later burned about 96.4% of the fake wALPH supply, but around 500,000 tokens were not recovered.
Just a few days after losing approximately $815,000 and seeing the creation of 13.76 million unbacked wALPH, Alephium Bridge has released a full on-chain breakdown of the bridge exploit that occurred on May 30, 2026.
According to the official release, the attack started long before the main hack. The firm reported that at 02:36:23 UTC, the attacker bought 485.19 wALPH on Ethereum using Uniswap Universal Router, with only 0.01 ETH.
The attacker then approved the TokenBridge contract and moved the tokens to the Alephium chain through a normal bridge process, which burned the wrapped tokens on Ethereum and minted ALPH on Alephium.
The ALPH was then split and sent to a deployer wallet in three parts: 5 ALPH, 150 ALPH, and 130 ALPH. Hours later, at 06:30:47 UTC, the attacker funded and deployed a contract carrying a single function designed to emit fake Wormhole messages using LOG7. These fake messages were later used to fool the bridge system into thinking real validators had signed off.
A 64-second drain across Ethereum and BSC
The company reported that between 07:00 and 09:00 UTC, the bridge network faced connection problems that forced the system to switch to backup checks. At 09:16:59 UTC, the main attack began.
In less than a minute, Ethereum assets were drained. First, 200,967.31 USDT was taken at 09:16:59. Then 0.33531483 WBTC moved at 09:17:23. After that, 17,594.63 USDC at 09:17:35. Next, 5.18192421 WETH at 09:17:47. Finally, 13,757,076.37 wALPH was minted at 09:17:59 without real backing.
Just three seconds later on BSC, 36,750.106 USDT and 24.38620961 WBNB were also drained. This full attack reportedly happened in just about 64 seconds.
How the funds were moved
Right after that, the hacker started moving funds through different platforms. Stablecoins like USDT and USDC were swapped into ETH using Uniswap X routes. WBTC was also converted into ETH.
Moreover, around 400,000 wALPH was pushed into liquidity pools, while another 1,000,000 wALPH was sent to a holding wallet. On BSC, USDT was swapped into BNB on PancakeSwap, then bridged back to Ethereum using deBridge, arriving as ETH.
Some of these ETH funds were later mixed through Tornado Cash, a tool used to hide transaction history. Other ETH was grouped into wallets and kept there without movement.
Alephium burns most of the fake wALPH supply
The company said the bridge team and guardians carried out a recovery action on June 2 using a governance upgrade function (upgrade(bytes encodedVM), method ID 0x25394645).
The function burned the unbacked wALPH created during the attack. According to Alephium, a total of 13,257,077.37295 wALPH was destroyed across attacker wallets, covering about 96.4% of the fake supply. The remaining 500,000 wALPH had already entered trading pools before the bridge was paused and could not be recovered.
Another bridge attack added to 2026’s growing list
Blockchain security firm Blockaid was the first to flag the attack on May 30. The firm at the time explained that the attacker used compromised guardian signatures to approve six forged VAAs and execute completeTransfer(bytes) on the TokenBridge contract.
The incident adds to a growing list of major bridge and protocol exploits this year. The largest so far was the KelpDAO LayerZero breach, which resulted in losses of $292 million. That followed the Drift Protocol exploit, which led to losses of $285 million on April 1.
Also Read: Kelp DAO Hacker Finishes Laundering $220M, Only $1.7M Left in Main Wallet
