Alephium’s (ALPH) TokenBridge was drained of approximately $815,000 after an attacker exploited a vulnerability that allowed forged messages to pass through the protocol’s custodial network and allowed fraudulent token transfers.
The Alephium team confirmed that security firm Blockaid was the first to discover the exploit. The Security Alliance’s SEAL_911 Emergency Response Unit also provided assistance and response throughout the subsequent investigation.
The exploit drains $815,000 in less than 7 minutes
The attacker transferred funds from the Alephium TokenBridge onto both Ethereum and BNB Chain in approximately seven minutes. On Ethereum, losses included 200,967 Tether (USDT), $17,594 USD (USDC), 5.18 Ethereum (WETH), and 0.335 wrapped Bitcoin (WBTC).
An additional $36,750 USD and 24,386 BNB tokens were removed from the BNB chain side of the bridge. The attacker also minted 13.76 million unsupported ALPH files and transferred them directly to his wallet.
Alephium has closed the bridge and stated that it is exploring all options to make affected users healthy.
This incident adds to the deteriorating picture for cross-chain infrastructure in 2026. Cryptocurrency hack losses in April It reached $606 million DeFi balance may be compromised It continues to climb heading into June.
A Exploiting the CrossCurve bridge and Exploiting Hyperbridge as wellRevised to $2.5 million It also contributed to the year’s total.
Forged letters, not stolen keys
The developers built Alephium TokenBridge on a fork of the Wormhole protocol, which relies on a sentinel network to validate cross-chain messages. Any transfer must be signed off by a quorum of guardians, making the ability to insert fraudulent messages a critical vulnerability.
Initial reports attributed the hack to the compromise of the custodian’s private keys, leading to comparisons with… A compromise for the Gravity Bridge switch Which cost $5.4 million earlier in 2026. Alephium’s post-accident update contradicts this framework.
“The exploit does not appear to have involved compromise of the custodian’s private keys. Instead, it appears to have involved an exploit that allowed for the monitoring of forged malicious events/messages by the custodians,” he says. Alivius
The distinction is important. The main compromise point is operational failure, while a forgery message attack indicates a flaw in how the bridge validates incoming data before submitting it to the custodians.
A similar dynamic played out in the Polkadot Bridge exploit, where the attacker fraudulently validated transactions and minted unbacked tokens. Alephium said a full technical autopsy from its team is coming.
this post Fake bridge messages allowed hackers to drain $815,000 from Alpheum appeared first on BeInCrypto.
