Forged messages drain $815,000 from Alephium bridge

On May 30, 2026, an attacker exploited Alephium’s TokenBridge by submitting forged cross-chain messages that bypassed the bridge’s guardian validation. The attacker moved roughly $815,000 in tokens across Ethereum and BNB Chain and minted 13.76 million unbacked wrapped ALPH in under seven minutes.

On Ethereum the attacker withdrew 200,967 USDT, 17,594 USDC, 5.18 WETH and 0.335 WBTC. From BNB Chain the attacker removed 36,750 USDT and 24.386 wrapped BNB. The 13.76 million wrapped ALPH tokens were transferred directly to the attacker’s wallet.

The TokenBridge is built on a fork of the Wormhole protocol and uses a guardian network that requires a quorum of guardians to sign cross-chain transfers. Alephium posted that the exploit “does not appear to have involved a compromise of guardian private keys. Instead, it appears to have involved an exploit that allowed forged malicious events/messages to be observed and signed by guardians.”

Alephium took the TokenBridge offline after the breach and added it is exploring options to reimburse affected users. The company credited blockchain security firm Blockaid with first detecting the exploit and acknowledged assistance from the Security Alliance emergency response unit SEAL_911.

Alephium is working with security partners to contain the issue and complete an investigation. The team said a full technical postmortem will be published after the review.

The incident follows other cross-chain attacks in 2026. Reported losses in April totaled $606 million. Earlier in the year the Gravity Bridge key compromise resulted in about $5.4 million in losses. Separate May incidents recorded revised losses of roughly $2.5 million at other bridges and included an exploit that used fraudulent validation to mint unbacked tokens on a Polkadot bridge.