Attacker Drains $2.4M From LayerZero Wallets

2–3 minutes

Last Updated:

July 15, 2026

Hooded hacker with LayerZero laptop in a dark cyberattack scene.

Attacker Drains $2.4M From LayerZero Wallets

Hooded hacker with LayerZero laptop in a dark cyberattack scene.

Attacker Drains $2.4M From LayerZero Wallets

An attacker exploited LayerZero Executor wallets across eight blockchains, draining roughly $2.4 million before converting the stolen funds into ETH and USDC. PeckShieldAlert identified the activity, tracing the exploit across Ethereum, BNB Chain, Base, Arbitrum, Avalanche, Optimism, and Plasma. LayerZero has not yet confirmed the incident.

What Happened

The exploit hit Executor wallets across several networks at once, and the attacker moved fast to convert the proceeds before anyone could freeze them.

image1 19

Source – PeckShieldAlert

How the Attack Unfolded

PeckShield’s tracking shows the attacker bridged the stolen assets to Ethereum and swapped most of them into 956 ETH and roughly $322,000 in USDC. Consolidating funds into ETH and a stablecoin on a single chain is a common move for attackers seeking to make stolen assets easier to launder or cash out, since it reduces the number of wallets and chains a stolen-funds tracker has to monitor.

What Executor Wallets Actually Do

Executor wallets are part of LayerZero’s architecture and are responsible for delivering cross-chain messages. They pick up a message on one chain and drop it off on another, making them a working piece of infrastructure rather than a passive holding wallet. That operational role is exactly why they’re a target: compromise the wallet that executes messages, and an attacker can potentially manipulate what gets delivered, not just steal what’s sitting in a balance.

A Familiar Pattern for LayerZero

This is not LayerZero’s first brush with a major security incident this year. In April 2026, KelpDAO suffered a breach linked to LayerZero infrastructure in which attackers forged a cross-chain message by compromising a single-signer DVN role, draining about 116,500 rsETH, worth close to $292 million at the time. A DVN, or Decentralized Verifier Network, is the component that checks whether a cross-chain message is legitimate before it gets executed. 

That attack was attributed to North Korea’s Lazarus Group, and it exposed a wider problem: security researchers found that nearly half of all LayerZero applications were still running what’s called a “1-of-1” DVN setup, where a single compromised verifier is enough to forge a valid message.

What This Means for DeFi Builders and Users

LayerZero’s design gives applications control over their own security parameters rather than enforcing one standard configuration across the board. That flexibility is useful for teams with different risk tolerances, but it also means the weakest-configured app on the network becomes the easiest target. 

Anyone using or building on protocols connected to LayerZero should check whether the underlying messaging layer relies on a single verifier or a distributed setup, and you can check our guide on multi-party computation wallets before trusting it with meaningful funds. 

What to Watch Next

The open question is whether LayerZero issues an official confirmation of this exploit and whether it uses the moment to push applications still running single-signer DVN configurations toward multi-signer verification, something the ecosystem has been calling for since the KelpDAO breach.

What this means for you: Before trusting an app with your funds, check its documentation or audit reports for how many verifiers approve its cross-chain transfers, because a single-verifier setup means one compromised party is all it takes to drain the funds behind it.

Join our growing community

David Constantino

Author

David is a crypto enthusiast, airdrop farmer, and blog writer with a focus on discovering and analyzing new token launches and blockchain projects. He explores the latest trends, shares actionable insights, and guides readers through opportunities in the fast-paced world of digital assets.