Gravity Bridge, a protocol that moves tokens between Ethereum and the Cosmos ecosystem, lost about $5.4 million in a fresh exploit flagged by blockchain security firm Peckshield. The stolen assets included roughly $4.3 million in USD Coin (USDC), 274 ether (ETH) worth about $553,000, $434,000 in tether (USDT) and 14.164 PAYG tokens valued near $64,000.
The attacker wasted little time moving the proceeds. According to Peckshield’s assessment, part of the haul has already been laundered through Changenow, a non-custodial swap service, and Binance, the world’s largest cryptocurrency exchange by trading volume. As of the alert, the exploiter was still holding about 2,102 ETH worth roughly $4.23 million, suggesting the bulk of the stolen value remained onchain and potentially traceable.

Onchain log of the hacker moving funds from Gravity Bridge to Binance and Changenow.
Routing funds through a centralized exchange such as Binance can break the trail by mixing stolen coins with legitimate liquidity, but it also exposes the funds to freezes if the platform’s compliance team acts quickly. Swap services like Changenow are often used to convert assets into harder-to-trace tokens before they reach an exchange.
Gravity Bridge is a cross-chain bridge (software that lets users move tokens from one blockchain to another) that connects Ethereum with the Cosmos network of interoperable chains. Built on the Cosmos SDK, it works on a lock-and-mint model: a token is locked on one chain and an equivalent representation is minted on the other, then burned and redeemed when the user bridges back.
Rather than relying on a small multi-signature wallet or a permissioned group of operators, Gravity Bridge uses its validator set to sign cross-chain transactions, a design meant to make it more decentralized and harder to compromise. That architecture has not made bridges immune to attacks because, by design, they hold large pools of locked assets, turning them into some of the most lucrative targets in decentralized finance (DeFi). A single flaw in their validation logic can unlock everything at once.
The Gravity Bridge incident lands in the middle of a punishing stretch for cross-chain infrastructure: Bitcoin.com News recently reported that bridge exploits drained more than $328 million across eight separate incidents through mid-May 2026 alone.
The pattern has been relentless throughout the year. On May 18, attackers drained about $11.5 million from the Verus-Ethereum bridge, with the perpetrator funded through Tornado Cash before the theft. In April, a suspected exploit pulled an estimated $200 million-plus out of Drift Protocol, while a separate breach drained 116,500 rsETH from KelpDAO’s Layerzero adapter, exposing lending markets to potential bad debt.
Smaller hits have piled up too, including a $2.4 million flash-loan attack on the Shibarium bridge. In all of this, the repetition points to a structural problem rather than a string of bad luck. Bridges need to reconcile the differing security models of two chains, and the code that verifies deposits and withdrawals has repeatedly proven to be the weakest link (whether through missing validation checks, compromised keys or governance flaws).
The immediate question is how much of the stolen $5.4 million can be recovered. With the attacker still sitting on roughly $4.23 million in ETH, exchanges and analytics firms have a window to flag and freeze the funds, and protocols increasingly use public pressure and onchain messages to negotiate returns. The Verus hacker, for instance, ultimately returned $8.5 million while keeping a $2.8 million bounty under a recovery deal.
For now, Gravity Bridge users will be watching for an official incident report detailing the root cause and any plan to reimburse affected depositors. Until bridges solve the validation weaknesses that keep surfacing, the multichain economy’s most important connectors are likely to remain its most frequently robbed.