A single compromised signing key let an attacker drain roughly $5.4 million from Gravity Bridge on May 30, the cross-chain link connecting Ethereum to the Cosmos network. Security firm Peckshield flagged the unusual withdrawals, and the bridge halted operations soon after. The attacker's wallet still held around 2,102 ETH, worth about $4.23 million as of May 31, 2026, while on-chain investigators tracked the laundering trail.
The theft fits a punishing pattern. Peckshield has now tagged more than $328 million in bridge-related losses across May 2026 alone, making cross-chain infrastructure the most consistently breached part of the crypto stack this month.
A one-hour drain between 02:30 and 03:30 UTC
The withdrawals clustered in a tight window. Between roughly 02:30 and 03:30 UTC on May 30, the attacker pulled mixed assets out of the bridge contract: about $4.3 million in USDC, 274 ETH valued near $553,000, $434,000 in USDT, and roughly $64,000 in PAYG tokens. The speed and the spread of assets pointed researchers toward a compromised contract signing key rather than a logic bug in the bridge code.
That distinction matters. A smart-contract exploit usually abuses a flaw anyone can read in the deployed code. A key compromise means the attacker held valid authority to move funds, so the contract behaved exactly as written while signing transfers it should never have approved. The bridge did not get tricked. It got impersonated.
Gravity Bridge has not published a full post-mortem at the time of writing, and the precise method of the key compromise remains unconfirmed. Several security firms independently flagged the pattern as a signing-key breach, which is the strongest available read until the team releases its own analysis.
The laundering trail ran through Binance and ChangeNow
After the drain, the stolen funds started moving toward services that break the trace. Part of the haul routed through Binance, where stolen coins mix with legitimate exchange liquidity, and part went through ChangeNow, a swap service often used to convert assets into harder-to-track tokens.
Centralized exchanges sit at an awkward spot in these cases. They are the chokepoint where investigators can freeze funds and identify a casher-out, but they are also the fastest way to launder if a deposit clears before anyone files an alert. The portion of ETH still sitting in the attacker's wallet, around 2,102 ETH, suggests the cash-out is still in progress rather than complete.
Bridges remain crypto's softest target
Cross-chain bridges concentrate risk by design. To move value between two chains that cannot talk to each other natively, a bridge locks assets on one side and mints or releases equivalents on the other. That lock-up turns the bridge into a pooled honeypot, and the keys controlling it become the single most valuable thing to steal. The Ronin and Wormhole breaches of 2022 followed the same shape, and the Gravity incident shows the structural weakness has not been engineered away.
For anyone holding assets across chains, the practical takeaway is blunt. Funds parked in a bridge contract or a bridged wrapper carry the bridge's security as their own, no matter how safe the underlying chain is. Holding your own keys on a single chain removes the bridge as an attack surface entirely, though it also removes the convenience of moving liquidity around. Stablecoin holders face a related question: the USDC and USDT taken here were real claims on an issuer, and whether the affected balances get frozen at the stablecoin layer depends on how fast Circle and Tether act on the flagged addresses.
The freeze tool has teeth when issuers choose to use it. Earlier in May, Circle blacklisted addresses tied to a separate incident and locked $12.6 million in confidential USDC, showing that stolen stablecoins are not always gone the moment they move. Whether Gravity's attacker gets caught by the same mechanism depends on timing and on whether the funds touched a freezable contract before being swapped out.
Overview
Gravity Bridge lost about $5.4 million on May 30 in what security researchers describe as a signing-key compromise rather than a code exploit. The attacker drained USDC, ETH, USDT, and PAYG in a single hour, halted the bridge, and began routing funds through Binance and ChangeNow. Roughly 2,102 ETH remained in the attacker's wallet on May 31, and the incident pushed May's tracked bridge losses past $328 million. The episode is another reminder that bridges pool risk at a single point, and that the keys guarding them are worth more than the code around them.
