Gravity Bridge Hit by $5.4M Cross-Chain Security Breach

Gravity Bridge has lost about $5.4 million after a suspected compromise of a signing key, according to security firm PeckShieldAlert. The attack hit the cross-chain bridge that connects Ethereum and the Cosmos ecosystem, allowing the attacker to drain several digital assets and quickly move part of the funds.

In a post on X, PeckShieldAlert said the stolen assets included $4.3 million in $USDC, 274 $ETH worth about $553,000, $434,000 in $USDT, and roughly $64,000 in PAYG tokens. The attacker routed some of the funds through ChangeNow and Binance shortly after the theft. However, on-chain data shows the wallet still holds more than 2,100 $ETH valued at about $4.2 million.

#PeckShieldAlert The @gravity_bridge has been drained of ~$5.4M, including $4.3M $USDC, 274 $ETH (~$553K), $434K $USDT & 14.164 $PAYG ($64K)The hacker has laundered a portion of the stolen assets through #ChangeNow & #Binance, and is still holding 2.102K $ETH (~$4.23M). pic.twitter.com/NJSNqc0G78

— PeckShieldAlert (@PeckShieldAlert) May 30, 2026

The breach adds to a growing list of attacks targeting cross-chain bridges, which remain one of the most attractive targets in decentralized finance because they hold large pools of locked assets.

Analysts Point to Possible Contract Key Compromise

Early findings from blockchain investigators point to a possible compromise of a Gravity Bridge contract key. On-chain analyst Specter said the breach appears to have enabled the theft of roughly $5.4 million from the protocol.

“It appears the @gravity_bridge bridge contract key may have been compromised, resulting in the theft of $5.4M,” Specter posted on X.

It appears the @gravity_bridge bridge contract key may have been compromised, resulting in the theft of $5.4M.The attacker drained the following assets:$USDC: $4.3MWETH: 274 $ETH (~$553K)$USDT: $434K$PAYG: $64KTheft addresses:0x7B582033061b96cC3F9421e73a749ED7C62da1F9… pic.twitter.com/nX81rsZYGp

— Specter (@SpecterAnalyst) May 30, 2026

Specter also identified two wallet addresses linked to the incident and said the attacker began moving funds almost immediately after the theft. “The attacker immediately began laundering the stolen funds after the theft,” he wrote. Despite those transfers, blockchain data shows the primary address still holds more than $4 million worth of cryptocurrency.

Cyvers Alerts reported similar findings. The blockchain security firm detected a series of suspicious transactions tied to Gravity Bridge and estimated losses at about $5.4 million. According to Cyvers, the attacker converted the stolen assets into $ETH before routing part of the funds through ChangeNow, a move often used to complicate the tracking of stolen cryptocurrency.

Bridge Exploits Continue Across DeFi

An attack on Gravity Bridge takes place amid an increasing trend of cyberattacks targeting cross-chain bridges, which are among the weakest links in DeFi. As per data from PeckShield, there have been eight bridge-related security incidents that led to nearly $328.6 million worth of losses this year alone.

#PeckShieldAlert As of mid-May 2026, the crypto space has witnessed 8 major #bridge-related exploits, with hackers exfiltrating a cumulative $328.6M from cross-chain protocols. The table below outlines the details of these incidents: pic.twitter.com/0xTNxIHi4b

— PeckShieldAlert (@PeckShieldAlert) May 18, 2026

The attacks have continued across several major projects. On May 18, hackers stole roughly $11.5 million from the Verus-Ethereum bridge after funding activity linked to Tornado Cash appeared ahead of the exploit. Earlier this year, separate incidents affected Drift Protocol and KelpDAO‘s LayerZero adapter, while attackers also targeted the Shibarium bridge.