Cross-Chain Bridge Exploits Surge in 2026 as Thieves Drain Over $340M
A security firm tallied roughly $340.7 million stolen from cross-chain bridges across 14 exploits in 2026, with the largest losses tracing back to compromised verification systems rather than buggy code.
Cross-chain bridges have become one of the most heavily targeted parts of the cryptocurrency ecosystem in 2026. In an alert dated June 1, blockchain-security firm PeckShield reported that roughly $340.7 million has been drained from bridge protocols across 14 separate exploits so far this year, underscoring a weakness that has dogged decentralized finance for years.
What a bridge is, and why it matters
A cross-chain "bridge" is software that lets assets move between otherwise separate blockchains — say, from Ethereum to Solana. Because each network keeps its own ledger, a bridge typically locks a token on the source chain and issues an equivalent token on the destination chain. To do that safely, it relies on a verification system that confirms the original lock or burn actually happened before releasing funds on the other side.
That verification layer is exactly where attackers have been striking. "DeFi," short for decentralized finance, refers to financial services run by smart contracts instead of banks, and an "exploit" is an attack that abuses a flaw to siphon funds. The notable shift in 2026 is that several of the biggest thefts did not involve buggy smart-contract code at all. Instead, attackers targeted the people and infrastructure operating these systems.
The two largest incidents
The single largest bridge loss of the year hit KelpDAO, a staking protocol, on April 18. According to LayerZero's own incident report, an attacker moved 116,500 rsETH — worth roughly $292 million — out of a bridge built on LayerZero's messaging system. The firm said the token was configured with a single verifier, meaning no independent second check was required. Attackers socially engineered a LayerZero developer to obtain access, then corrupted internal data nodes so the system confirmed a token burn that never happened. LayerZero, along with security researchers it cited including Mandiant and CrowdStrike, attributed the operation to a North Korea-linked group tracked as TraderTraitor, also known as UNC4899.
Weeks earlier, on April 1, the Solana-based perpetual-futures exchange Drift Protocol lost about $285 million. Both TRM Labs and Chainalysis stress that this was not a smart-contract bug either. Attackers spent months posing as a trading firm to build trust with the team, then tricked council members into pre-signing transactions that handed over administrative control. TRM Labs said its initial investigation "suggests the hack was likely perpetrated by North Korean hackers," while Chainalysis described strong but not-yet-confirmed signals pointing to DPRK-linked actors. "Social engineering" means manipulating people rather than breaking code.
What it means for DeFi users
The recurring theme is that bridges concentrate large pools of locked assets and depend on trust in keys, operators and verification nodes — components that are harder to audit than on-chain code. For everyday users, the practical lessons are to favor protocols that use multiple independent verifiers, to treat large bridge balances as higher-risk, and to remember that an audit of a smart contract says nothing about the security of the humans and servers running it.
Sources
CoinCoach publishes clear, trustworthy cryptocurrency and blockchain news, guides, token breakdowns, and reviews.