Hackers have drained approximately $815,000 from Alephium’s Token Bridge on Ethereum. They minted 13.76 million wrapped ALPH tokens from forged transactions, prompting the project to warn liquidity providers to pull their funds immediately.
This exploit adds to the increasing number of bridge attacks that have occurred in May. The Verus-Ethereum bridge lost around $11.5 million in an attack on May 18, while Cryptopolitan reported earlier on May 30 that Gravity Bridge lost $5.4 million, the same day Alephium’s TokenBridge suffered an exploit.
What made the attack successful?
Blockchain security firm Blockaid detected the exploit and reported that the attacker compromised three of four guardian keys protecting the bridge. Upon gaining control of a signing majority, the attacker forged Verified Action Approvals (VAAs), the cryptographic messages that authorize cross-chain transfers.
According to Blockaid, the entire operation took roughly seven minutes. The attacker used the forged VAAs to mint 13.76 million wrapped ALPH, which is reportedly more than 100% of the token’s prior wrapped supply. Additional assets, including $USDT, $USDC, WBTC, and WETH, were unlocked from the bridge’s custody contract.
On-chain analyst Specter flagged that the attack hit both the Ethereum and $BNB Chain bridge contracts. Specter stated that the attacker then moved stolen funds from $BNB Chain to Ethereum, and a portion has already been deposited into Tornado Cash, according to Specter’s analysis posted on X.
Alephium denies guardian key compromise
However, Alephium has provided further updates disputing the Blockaid’s submission, stating, “The exploit was NOT caused by a compromise of the guardian keys, contrary to some early external reports.”
According to the protocol, the exploit was “caused by an offchain vulnerability in the bridge backend that could be triggered in specific edge cases.”
Alephium gave a breakdown of the funds that were drained across Ethereum and $BNB, stating that 200,967 $USDT, 17,594 $USDC, 5.18 WETH, and 0.335 WBTC were taken from the former, while 36,750 $USDT and 24.386 WBNB were taken from $BNB.
Alephium tells LPs to withdraw
Alephium also warned anyone providing liquidity to ALPH pools on Uniswap or PancakeSwap.
In a follow-up update, the platform gave a comprehensive reason why it asked users to withdraw liquidity, stating, “Because the bridge has been shut down, the attacker cannot redeem or bridge these wrapped ALPH back through the Alephium bridge. We therefore ask users not to provide liquidity to ALPH pools on Ethereum or $BNB Chain, to withdraw any existing liquidity, and not to swap against these pools,” adding that “Additional liquidity or trading activity would increase the attacker’s ability to realize value from the unauthorized wrapped ALPH.”
ALPH is currently trading at $0.037 with a market capitalization of over $5 million, while the total value locked (TVL) across Alephium’s DeFi protocols sat at approximately $756,000, and it has over $308,000 as bridged TVL, per DefiLlama data.The Alephium team has stated that they are currently focusing on recovery and remediation efforts and promised to share more updates in the coming week.
A brutal month for bridges
The Alephium exploit adds to what has become a punishing stretch for cross-chain infrastructure.
The Gravity Bridge hack, also reported the same day, saw $5.4 million drained through what on-chain analysts suspect was a contract key compromise, according to Cryptopolitan’s reporting.
About two weeks earlier, the Verus-Ethereum bridge lost $11.5 million in a verification bypass exploit, according to DefiLlama’s hacks database. THORChain also suffered a $10 million coordinated attack across Bitcoin, Ethereum, $BNB Chain, and Base on May 15, as reported by Cryptopolitan.
Cross-chain bridges have seen increased attacks from bad actors recently, and they have collectively lost over $326 million in 2026 alone as of mid-May.
Bridge protocols account for $3.2 billion of the $16.6 billion in total value hacked across crypto history, according to DefiLlama, a disproportionate share given the relatively small number of bridge protocols compared to other DeFi categories.
The persistent vulnerability of these platforms and the growing frequency of attacks from April into May have made the pattern difficult to ignore.