
Alephium TokenBridge was drained for ~$815K in minutes after forged bridge approvals minted 13.76M unbacked wALPH and unlocked reserve assets on Ethereum.
Author: Akshat Thakur
30th May 2026 – An attacker drained roughly $815,000 from the Alephium TokenBridge on Ethereum in seven minutes this morning. On-chain security firm Blockaid detected and reported the exploit.
High Signal Summary For A Quick Glance
👊🏻 JEFE TOKEN
@JefeTOKEN
@blockaid_ Another day another exploit
🚨Blockaid detected an exploit targeting the Alephium TokenBridge on Ethereum. ~$815K drained in ~7 minutes via 3-of-4 compromised guardian keys signing forged VAAs. 13.76M wrapped ALPH minted (>100% of prior supply) + USDT/USDC/WBTC/WETH unlocked from custody. More details in
01:30 PM·May 30, 2026
Sahhar 🇵🇸
@sah73you
@blockaid_ 100% every blockchain that calls itself “the future of finance” has security issues, because most of them are built by amateurs and scammers operating out of basements. It’s only a matter of time before a decent AI model drains all of this garbage clean
01:18 PM·May 30, 2026
Zedzies
@Zedzies
@blockaid_ Just use @chainlink
12:37 PM·May 30, 2026
The attacker reportedly compromised 3 of 4 guardian keys protecting the bridge. With those keys, they signed 6 forged VAAs (Verifiable Action Approvals) and submitted them to the bridge contract on Ethereum.
As a result, 13.76 million wrapped ALPH tokens entered circulation from the zero address. That amount exceeds 100% of the prior wrapped ALPH supply on Ethereum. The attacker also unlocked custody reserves in USDT, USDC, WBTC, and WETH.
Alephium’s TokenBridge is a private fork of Wormhole. It relies on a small guardian network that watches for cross-chain events and signs VAAs to approve transfers.
On Ethereum, anyone can submit a signed VAA to the bridge proxy contract. If 3 or more guardian signatures verify, the contract mints wrapped tokens or unlocks custody assets. The contract itself worked exactly as designed.
The failure sat upstream. Because the attacker controlled 3 of 4 keys, they forged VAAs claiming transfers that never happened on Alephium. As a consequence, the bridge contract could not distinguish these from real messages. According to CryptoTimes, “the failure sits entirely on the operational side.”
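Because the contract can only check who signed a VAA, a control that catches this has to look at what the VAA caused. The sketch below is an added example, not code from Alephium, Blockaid or the article: it replays ERC-20 Transfer events and flags a mint from the zero address that is large relative to prior supply or that pushes wrapped supply above what is locked on the source chain. The 13,757,000 mint and its timestamp come from the article; the prior supply, the locked amount, the 10% threshold and all addresses are constructed, and the monitor is assumed to read source-chain custody independently of the guardians.

```python
from dataclasses import dataclass

ZERO_ADDRESS = "0x" + "00" * 20  # ERC-20 mints and burns use the zero address

@dataclass
class Transfer:
    """Minimal Transfer event record (constructed shape for this example)."""
    ts: str
    sender: str
    recipient: str
    amount: int  # whole tokens, decimals ignored for readability

def audit_mints(events, starting_supply, locked_on_source, max_mint_ratio=0.10):
    """Replay events; return (alerts, final_supply).

    locked_on_source is the custody balance on the source chain, obtained
    without trusting guardian signatures (assumption of this example).
    """
    supply = starting_supply
    alerts = []
    for ev in events:
        if ev.sender == ZERO_ADDRESS:  # mint of wrapped tokens
            ratio = ev.amount / supply if supply else float("inf")
            supply += ev.amount
            if ratio > max_mint_ratio:
                alerts.append((ev.ts, "LARGE_MINT"))
            if supply > locked_on_source:
                alerts.append((ev.ts, "UNBACKED_SUPPLY"))
        elif ev.recipient == ZERO_ADDRESS:  # burn on bridge-out
            supply -= ev.amount
    return alerts, supply

# Constructed sample: one ordinary backed mint, one user transfer, then the
# 13.757M mint reported in the article. Addresses are placeholders.
USER_A, USER_B, RECIPIENT = "0xUSER_A", "0xUSER_B", "0xRECIPIENT_PLACEHOLDER"
SAMPLE_EVENTS = [
    Transfer("08:02:11", ZERO_ADDRESS, USER_A, 5_000),
    Transfer("08:40:03", USER_A, USER_B, 1_200),
    Transfer("09:17:59", ZERO_ADDRESS, RECIPIENT, 13_757_000),
]

def run_sample():
    # Constructed baseline: 10,000,000 prior supply, 10,005,000 locked at source.
    return audit_mints(SAMPLE_EVENTS, starting_supply=10_000_000,
                       locked_on_source=10_005_000)

if __name__ == "__main__":
    for ts, kind in run_sample()[0]:
        print(ts, kind)
```

The backed 5,000 mint passes both checks, while the 13.757M mint trips both regardless of how many valid guardian signatures accompanied it.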
completeTransfer() calls
Alephium and external security researchers disagree on how this Alephium bridge exploit happened.
Blockaid attributed the attack to “3-of-4 compromised guardian keys signing forged VAAs.” CryptoTimes published a similar analysis, also pointing to guardian key custody as the breach point.
Alephium pushed back in a statement on X. The team wrote: “The issue appears to involve malicious event emission, not a key compromise.” They confirmed the bridge shutdown but shared no additional technical details.
This distinction matters. If guardian keys fell to an attacker, the breach is operational. If malicious event emission caused the issue, it could point to a different vulnerability. No official post-mortem exists yet.
The exploit window ran from roughly 09:10 to 09:17 UTC on May 30. The largest transaction, a completeTransfer call minting 13.757M ALPH, landed at 09:17:59 UTC.
The attacker’s wallet still holds most of the stolen assets. Tornado Cash deposits have already begun, though the full extent remains unclear.
The bridge proxy contract now holds roughly 1,000 USDT and less than 0.03 WETH. ETH inflows from a related address (0xB80a7D61) suggest the attacker prepared infrastructure in advance.
Timeline of the Alephium Bridge Exploit
Using a compromised set of 3-of-4 guardians, the attacker submits six forged VAAs and repeatedly calls completeTransfer() on the TokenBridge proxy, enabling unauthorized asset minting and withdrawals.
The attacker mints approximately 13.757 million wALPH directly to wallet 0x6681...921d. Additional bridge unlock transactions occur during the same seven-minute attack burst, with roughly 52 attacker-related transactions recorded.
The attacker starts moving proceeds through privacy infrastructure, making five separate 10 ETH deposits into Tornado Cash. Additional fund movements are observed through related wallets connected to the exploit.
Blockaid publicly discloses the exploit, identifies the attacker addresses, and releases preliminary forensic details surrounding the forged bridge messages and unauthorized minting activity.
The Alephium team confirms awareness of the incident and states that the bridge has been shut down. Initial investigation suggests the attack involved malicious event emissions rather than a direct validator key compromise.
The Alephium bridge is fully disabled to prevent further exploit activity. No additional bridge transfers can be processed while the investigation remains active.
The attacker continues to control approximately 13.757M wALPH alongside ETH and WBNB holdings. Around 50 ETH has already been routed through Tornado Cash, while the bridge remains paused pending further updates and remediation.
The Alephium bridge used only 4 guardians with a quorum of 3. By comparison, Wormhole’s mainnet deployment uses 19 guardians. Ronin had 9 validators when attackers stole $625 million in 2022.
A 3-of-4 threshold means an attacker only needs to compromise 3 keys. Community members on X reacted immediately. One user wrote: “3/4 keys? That’s not decentralization.”
Cross-chain bridges remain one of the most exploited components in crypto. Wormhole lost $325 million in 2022. Nomad lost $190 million the same year through a validation bypass. Bridges that concentrate trust in a small set become high-value targets.
ALPH traded between $0.039 and $0.041 at the time. The token’s 24-hour volume sat between $120,000 and $168,000. Its market cap stood at roughly $5.3 million, according to CoinGecko.
Because 13.76 million unbacked wALPH now exist on Ethereum, liquidity providers on Uniswap and PancakeSwap face significant risk. Alephium explicitly warned LP holders to withdraw their positions.
The minted wALPH alone carries an estimated value of $536,000 to $560,000. Whether the attacker can sell at that price depends on thin DEX liquidity. No exchanges have halted ALPH deposits or withdrawals yet.
Several key questions remain open. The exact method of compromise is still unknown. No one has confirmed whether the attacker was an insider, an external actor, or used phishing.
Alephium has not announced a compensation plan, a bounty offer, or a post-mortem timeline. The Tornado Cash activity suggests the attacker does not plan to return funds.
For now, the bridge remains shut down. ALPH holders should avoid interacting with wrapped ALPH on Ethereum and should monitor official channels for updates.
This is not financial advice. Readers should conduct their own research before making any investment decisions.