On May 30, 2026, cross-chain bridge Gravity Bridge was drained of approximately $5.4 million in a suspected contract key compromise. Blockchain security firms PeckShieldAlert and Cyvers, along with on-chain analyst Specter, first flagged the incident, which they believe resulted from an attacker gaining access to a critical bridge contract key or signing path.
The stolen assets included $4.3 million in USDC, 274 WETH (~$553,000), $434,000 in USDT, and 14,164 PAYG tokens (worth about $64,000). Two Ethereum addresses—0x7B58…a1F9 and 0x4d3c…7A47—have been linked to the theft. The attacker immediately began laundering a portion of the funds through ChangeNow and Binance, but PeckShieldAlert reported that the bulk of the haul, roughly 2,102 ETH (~$4.23 million), remains in the exploiter’s wallet.
Gravity Bridge, which connects Ethereum and the Cosmos ecosystem, has not yet issued an official statement or postmortem. At the time of the attack, the protocol held $6.2 million in total value locked (TVL), meaning the drain effectively wiped out most of its locked assets, causing its TVL to plummet. The incident adds to a brutal month for bridge security: on May 18, the Verus-Ethereum bridge lost $11.5 million, and DefiLlama data shows bridges account for $3.2 billion of the $16.6 billion stolen across DeFi history.
