Key Takeaways
- Peckshield tracked 8 bridge exploits through mid-May 2026, with $328.6M drained cumulatively from cross-chain protocols.
- KelpDAO’s $300M Layerzero breach and Drift’s $200M+ attack made April 2026 the worst-hacked month on record, per Defillama.
- Total 2026 hack losses surpassed $750M through mid-April; May’s Verus bridge drain adds $11.5M more.
Crypto’s Worst Year for Cross-Chain Hacks
Blockchain security and data analytics firm Peckshield released a mid-May tally of eight bridge-related exploits that collectively drained $328.6 million from cross-chain protocols so far this year. The figure adds to what has become the worst period on record for decentralized finance ( DeFi) while simultaneously exposing a systemic vulnerability that the industry has yet to resolve fully.
Cross-chain bridges work by locking tokens on one blockchain and minting equivalent assets on another, creating high-value attack surfaces where exploiters need only compromise the bridge’s verification mechanism to gain access to pooled liquidity. The structural risk became undeniable in April 2026, as crypto’s most-hacked month on record, with 30 separate incidents, a pace of nearly one attack per day.
Two of the largest attacks came in rapid succession that month. KelpDAO’s Layerzero V2 rsETH route was exploited for approximately $300 million on April 18, with an attacker extracting 116,500 rsETH from Ethereum’s OFT adapter without burning tokens on the source chain. A review by Chainalysis found that Layerzero had set a low 1-1 RPC quorum default, meaning a single poisoned node could authorize fraudulent cross-chain messages. KelpDAO subsequently migrated to Chainlink’s Cross-Chain Token standard, publicly blaming Layerzero for the infrastructure failure.
Days later, Drift Protocol suffered a $200 million-plus exploit on its Solana-based infrastructure. A CertiK analyst noted that the incidents reflected a high-stakes shift in cross-chain cybercrime strategy, with attackers growing more sophisticated in how they identify and exploit bridge verification weaknesses.
Death by a Thousand Cuts
Smaller incidents have poured in the months before and even since, with IoTeX’s bridge being hit for approximately $2 million in February through a private key exploit. Subsequently, TAC Protocol lost $2.8 million in early May in what was later classified as a white hat incident after the hacker claimed a 10% bounty.
Transit Finance, a cross-chain aggregation protocol, was drained of $1.88 million on May 13 and most recently, the Verus-Ethereum bridge lost approximately $11.5 million, with the attacker’s wallet traced to a Tornado Cash seed.
Peckshield data had already shown total hack losses reaching $112.5 million in the first two months of 2026 alone before April’s surge pushed cumulative losses beyond $750 million through mid-April. With May’s incidents adding to that figure, 2026 is on course to eclipse previous records for DeFi losses.
Be the first to comment