Key Takeaways
- Peckshield flagged a ~$5.4M Gravity Bridge exploit on Might 30, together with $4.3M in USDC and 274 ETH.
- The theft provides to over $328M Peckshield tracked throughout bridge hacks in Might 2026.
- The attacker nonetheless holds 2,102 ETH (~$4.23M), with onchain sleuths monitoring the laundering path.
Funds Routed Via Binance and ChangeNow
Gravity Bridge, a protocol that strikes tokens between Ethereum and the Cosmos ecosystem, misplaced about $5.4 million in a recent exploit flagged by blockchain safety agency Peckshield. The stolen property included roughly $4.3 million in USD Coin (USDC), 274 ether ( ETH) price about $553,000, $434,000 in tether ( USDT) and 14.164 PAYG tokens valued close to $64,000.
The attacker wasted little time shifting the proceeds. In response to Peckshield’s evaluation, a part of the haul has already been laundered via Changenow, a non-custodial swap service, and Binance, the world’s largest cryptocurrency change by buying and selling quantity. As of the alert, the exploiter was nonetheless holding about 2,102 ETH price roughly $4.23 million, suggesting the majority of the stolen worth remained onchain and probably traceable.
Routing funds via a centralized change akin to Binance can break the path by mixing stolen cash with reputable liquidity, but it surely additionally exposes the funds to freezes if the platform’s compliance workforce acts shortly. Swap providers like ChangeNow are sometimes used to transform property into harder-to-trace tokens earlier than they attain an change.
What Gravity Bridge Does
Gravity Bridge is a cross-chain bridge (software program that lets customers transfer tokens from one blockchain to a different), connecting Ethereum with the Cosmos community of interoperable chains. Constructed on the Cosmos SDK, it really works on a lock-and-mint mannequin. Right here, a token is locked on one chain and an equal illustration is minted on the opposite, then burned and redeemed when the consumer bridges again.
Relatively than counting on a small multi-signature pockets or a permissioned group of operators, Gravity Bridge makes use of its validator set to signal cross-chain transactions, a design meant to make it extra decentralized and tougher to compromise. That structure has not made bridges resistant to assaults as a result of, by design, they maintain massive swimming pools of locked property, turning them into a number of the most profitable targets in decentralized finance ( DeFi). A single flaw of their validation logic can unlock every part without delay.
A Brutal 12 months for Cross-Chain Bridges
The Gravity Bridge incident lands in the course of a punishing stretch for cross-chain infrastructure, given Bitcoin.com Information not too long ago reported that bridge exploits drained greater than $328 million throughout eight separate incidents via mid-Might 2026 alone.
The sample has been relentless all year long. On Might 18, attackers drained about $11.5 million from the Verus-Ethereum bridge, with the perpetrator funded via Twister Money earlier than the theft. Subsequently, in April, a suspected exploit pulled an estimated $200 million-plus out of Drift Protocol whereas a separate breach drained 116,500 rsETH from KelpDAO’s Layerzero adapter, exposing lending markets to potential dangerous debt.
Smaller hits have piled up too, together with a $2.4 million flash-loan assault on the Shibarium bridge. In all of this, the repetition factors to a structural downside moderately than a string of dangerous luck. Bridges have to reconcile the differing safety fashions of two chains, and the code that verifies deposits and withdrawals has repeatedly confirmed to be the weakest hyperlink (whether or not via lacking validation checks, compromised keys or governance flaws).
Guessing the Strikes Forward
The speedy query is how a lot of the stolen $5.4 million might be recovered. With the attacker nonetheless sitting on roughly $4.23 million in ETH, exchanges and analytics companies have a window to flag and freeze the funds, and protocols more and more use public strain and onchain messages to barter returns. The Verus hacker, for example, in the end returned $8.5 million whereas conserving a $2.8 million bounty underneath a restoration deal.
For now, Gravity Bridge customers can be looking ahead to an official incident report detailing the basis trigger and any plan to reimburse affected depositors. Till bridges resolve the validation weaknesses that maintain surfacing, the multichain economic system’s most necessary connectors are more likely to stay its most steadily robbed.
