Overview
- Blockchain analysts first flagged unusual withdrawals on Saturday and traced the drain to the Gravity Bridge contract, prompting the team to take the bridge offline and tell validators and orchestrators to stop.
- PeckShield and on‑chain researcher Specter put the loss at about $5.4 million and reported a breakdown of stolen assets including roughly $4.3 million in USDC, 274 wETH, $434,000 in USDT and 14.16 PAXG.
- Investigators traced funds to a destination wallet ending in 7C62da1F9 and observed portions moved through the swap service ChangeNow and the exchange Binance as laundering attempts unfolded.
- Reports indicate the attacker likely used compromised validator signing or authorization keys rather than exploiting smart‑contract code, but Gravity Bridge has not confirmed the exact entry point and no postmortem has been released.
- The incident reinforces a 2026 pattern of bridge losses tied to operational key‑management failures and may push projects to tighten validator security and custody practices to prevent further cross‑chain thefts.