Blockchain security firms PeckShield and Specter flagged a suspected exploit on the Hedera network on July 11, tracking the theft of approximately $5.25 million in digital assets. The attacker moved funds from Hedera's mainnet to Ethereum using LayerZero's cross-chain bridge, then laundered proceeds through the privacy mixer Tornado Cash.
How the exploit unfolded
The attacker initially funded an Ethereum wallet with 1 ETH routed through Tornado Cash, then bridged assets from Hedera to Ethereum via LayerZero. Once on Ethereum, the attacker swapped Wrapped Bitcoin for Ether, consolidating the haul into more liquid assets. At the time of detection, the attacker's wallet held about 2,360 ETH (worth roughly $4.25 million) and 15.58 WBTC (about $1 million). The wallet addresses involved have been identified as 0x9A4966152F6e10b33Cb7a37975e8619816d6a494 and 0xaf20D792A19fD42dCf697ceBa6100291D96dD93e.
Hedera itself has not confirmed the exploit, and on-chain investigators are still analyzing transaction data to determine the exact vulnerability. The timing is awkward for Hedera, which just weeks earlier celebrated the launch of the first US spot HBAR ETF by Canary Capital, which debuted with $52.6 million in assets under management.
A pattern of security breaches
This is not Hedera's first security incident. In March 2023, the network suffered an exploit affecting decentralized exchange liquidity pools through a bug in Hedera Token Service transfers. The 2026 landscape has seen several high-profile attacks, including a $6 million exploit at Summer.fi and a $20 million governance attack on BONK DAO. The suspected Hedera incident fits into this growing trend of multi-million-dollar security failures.
The use of Tornado Cash to fund the initial wallet suggests the attacker was prepared for scrutiny, which typically complicates fund recovery. The exploit appears to involve assets bridged off the Hedera network rather than a compromise of its core consensus mechanism.