Attackers exploited a zero-day vulnerability in the Litecoin network's MWEB privacy layer, triggering a 13-block chain reorganization.
Author: Sahil Thakur
26th April 2026 – Litecoin suffered its first major security incident on Friday. Attackers exploited a zero-day vulnerability in the network’s MWEB privacy layer, triggering a 13-block chain reorganization.
High Signal Summary For A Quick Glance
Andy
@andyyy
Litecoin incident post-mortem is out. > 0day bug that wasn’t properly patched across all mining pools > caused a block re org > doesn’t seem like user funds affected > all mining pools are properly updated now > chain is back to normal > hardly anyone really seemed to notice https://t.co/8Lmvo5wWVu
Litecoin update: • A zero-day bug caused a DoS attack that disrupted major mining pools. • Non-updated mining nodes allowed an invalid MWEB transaction allowing them to peg out coins to third party DEX’s • A 13-block reorg reversed those invalid transactions — they will not
09:17 PM·Apr 25, 2026
Solana
@solana
@litecoin How’s your weekend going little buddy? https://t.co/j4DzarJwnx
10h ago @litecoin experienced a coordinated attack on the chain that resulted in 13 blocks reorg that took more than 3h to generate. During this time attackers were performing double spend attacks on multiple cross-chain swapping protocols. We are investigating the situation.
06:57 PM·Apr 25, 2026
Alex Shevchenko 🇺🇦
@AlexAuroraDev
10h ago @litecoin experienced a coordinated attack on the chain that resulted in 13 blocks reorg that took more than 3h to generate. During this time attackers were performing double spend attacks on multiple cross-chain swapping protocols. We are investigating the situation.
05:10 PM·Apr 25, 2026
Steady attention without excessive speculation.
The exploit combined three attack vectors. First, a consensus bug in MWEB’s peg-out validation. Then, a denial-of-service campaign against updated mining pools. Finally, double-spend attacks on cross-chain protocols.
The Litecoin Foundation confirmed the bug is now fully patched. The network is operating normally as of April 26.
Financial losses appear contained. NEAR Intents reported $600,000 in exposure and pledged to cover affected users. THORChain saw roughly $500 in losses. No permanent LTC funds disappeared because the reorg erased all fraudulent transactions.
MWEB activated via soft fork in May 2022. It represented Litecoin’s biggest-ever upgrade. The feature lets users move LTC between the transparent main chain and a private extension block.
The vulnerability sat in how outdated mining nodes validated MWEB peg-out transactions. Nodes running older software incorrectly accepted a malformed transaction. Proper consensus rules should have rejected it. Instead, the attacker pulled LTC from the MWEB side-chain without valid coin conservation checks.
At the same time, major mining pools took hits from a coordinated DoS attack. This disrupted updated nodes and temporarily cut the honest chain’s effective hashrate. The combination gave the invalid chain a window to build blocks.
The attack created a competing fork spanning blocks 3,095,930 through 3,095,943. These 13 invalid blocks took more than three hours to produce. Under normal conditions, 13 Litecoin blocks take about 32 minutes.
During this window, the attacker used the fraudulent MWEB peg-outs for double-spend attacks. The targets included cross-chain DEXes and swap protocols. The attacker swapped illegitimate LTC for ETH and other assets on THORChain.
Once the DoS pressure eased, updated miners regained dominance. The honest chain overtook the invalid fork. Litecoin’s proof-of-work consensus then reorganized the chain, discarding all 13 invalid blocks.
Alex Shevchenko, CEO of Aurora Labs, was among the first to identify the anomaly publicly. He described it as a “coordinated attack.” He also pointed to the attacker’s EVM-side wallet: 0xfF18652A84aAd4f99F464f6B58cE7Ad929F6Fc10.
According to Shevchenko, the attacker funded that wallet from Binance about 38 hours before the exploit. The funding timeline suggests advance discovery of the vulnerability. The attacker staged capital and pre-selected cross-chain targets.
Shevchenko also noted that the DoS specifically targeted updated hashrate. This allowed non-updated nodes to temporarily dominate the network.
The 13-block reorg erased all invalid transactions from Litecoin’s main chain. As a result, no permanent LTC funds went missing on-chain. The damage fell entirely on cross-chain protocols that accepted fraudulent peg-outs during the fork window.
NEAR Intents confirmed approximately $600,000 in exposure. The team said it would cover any user losses from its own funds. THORChain reported roughly $500, though this figure may reflect incomplete data.
For context, DeFi protocols have already lost over $750 million to exploits through mid-April 2026, according to industry trackers. The Litecoin MWEB exploit represents a small fraction of that total.
This incident did not qualify as a classic 51% attack. No single entity controlled a majority of Litecoin’s hashrate for any sustained period. Instead, the attacker exploited a software vulnerability alongside a DoS disruption.
The distinction matters. A 51% attack implies raw hashrate superiority. This exploit leveraged fragmented node upgrades and a consensus bug. The real attack surface here was software complexity, not computing power.
Litecoin’s network hashrate stood at approximately 2.32 PH/s after resolution, according to CoinWarz data. LTC traded near $56.26 at the time, dropping roughly 1% on the day.
David Burkett, a Grin developer, built MWEB over more than two years. Quarkslab completed a formal security audit before activation. The feature went live on May 19, 2022, at block height 2,257,920.
The privacy layer operated without a major security incident for nearly four years. An earlier wallet bug related to stealth addresses surfaced after launch. However, user funds stayed safe and that issue had no connection to consensus validation.
When MWEB first activated, Binance temporarily halted LTC deposits and withdrawals. Regulatory concerns about the privacy feature drove that decision. The exchange later resumed service. That hesitancy may have contributed to uneven node adoption across the mining ecosystem.
The patch is already deployed and live. The Litecoin Foundation has urged all miners and node operators to upgrade immediately.
Cross-chain protocols that accept LTC are expected to audit recent transactions. Some may increase confirmation requirements or temporarily pause LTC deposits until reviews finish.
The incident has also renewed discussions about proof-of-work finality risks. Coordinating software upgrades across decentralized mining networks remains a persistent challenge. The attack only worked because many nodes ran outdated software.
Still, many in the Litecoin community view the outcome as a demonstration of resilience. The honest chain won. The reorg erased every fraudulent transaction. The consensus mechanism performed exactly as designed.
This is not financial advice. Always do your own research before making investment decisions.
Our Crypto Talk is committed to unbiased, transparent, and true reporting to the best of our knowledge. This news article aims to provide accurate information in a timely manner. However, we advise the readers to verify facts independently and consult a professional before making any decisions based on the content since our sources could be wrong too. Check our Terms and conditions for more info.
Litecoin MWEB Exploit Triggers 13-Block Reorg After Zero-Day Bug
AWS Marketplace Adds Chainlink Data Standard for Developers
MegaETH Sets MEGA Token Launch for April 30
Aave Launches DeFi United to Close $160M rsETH Gap
Litecoin MWEB Exploit Triggers 13-Block Reorg After Zero-Day Bug
AWS Marketplace Adds Chainlink Data Standard for Developers
MegaETH Sets MEGA Token Launch for April 30
Aave Launches DeFi United to Close $160M rsETH Gap
Litecoin
$56.27
