A coordinated attack exploited a zero-day bug in Litecoin's MimbleWimble Extension Block (MWEB) privacy layer on April 25, 2026, forcing a 13-block chain reorganization that erased over three hours of transaction history. The exploit targeted outdated mining nodes, allowing invalid MWEB transactions to appear legitimate and enabling unauthorized peg-outs of coins to third-party decentralized exchanges (DEXs).
The Litecoin team confirmed that non-updated nodes processed a malformed MWEB transaction, creating a window for double-spend attempts. Attackers used a denial-of-service (DoS) attack to disrupt major mining pools, reducing network hashrate and exacerbating the vulnerability. Blocks 3,095,930 to 3,095,943 took over three hours to mine—more than five times slower than Litecoin's expected 2.5-minute block time—raising initial concerns of a 51% attack.
Analysts Alex Shevchenko and Zacodil flagged the unusual reorg early. Shevchenko suggested the exploit was planned, noting the attacker funded the operation 38 hours earlier from Binance and intended to swap LTC into ETH. He described it as a coordinated attack involving both a zero-day bug in MWEB and a DoS attack on mining nodes.
NEAR Intents estimated approximately $600,000 in exposure linked to the incident, with plans to cover user losses. However, with invalid transactions removed from the main chain, the actual financial impact may be lower. The Litecoin team clarified that all legitimate transactions during the period remain intact.
XRP Ledger validator Vet criticized Litecoin's Proof-of-Work security model, arguing it is vulnerable because security depends on the asset's price. He contrasted this with XRP's consensus algorithm, which provides absolute final settlement and cannot be reorganized. Litecoin's LTC price dipped marginally to around $56, down 1% in 24 hours and 35% over the past year.
The incident is the first known exploit targeting Litecoin's privacy layer. MWEB, introduced in May 2022, allows users to move LTC into a confidential extension chain using peg-in and peg-out mechanics. A flaw in that accounting process enabled the temporary generation of coins. Crypto markets have faced over $750 million in DeFi losses through mid-April 2026, including major exploits on Kelp DAO ($292 million) and Drift Protocol ($285 million).
