An attacker exploited LayerZero Executor wallets across eight blockchains, draining roughly $2.4 million before converting the stolen funds into ETH and USDC. PeckShieldAlert identified the activity, tracing the exploit across Ethereum, BNB Chain, Base, Arbitrum, Avalanche, Optimism, and Plasma. LayerZero has not yet confirmed the incident.
What Happened
The exploit hit Executor wallets across several networks at once, and the attacker moved fast to convert the proceeds before anyone could freeze them.

Source – PeckShieldAlert
How the Attack Unfolded
PeckShield’s tracking shows the attacker bridged the stolen assets to Ethereum and swapped most of them into 956 ETH and roughly $322,000 in USDC. Consolidating funds into ETH and a stablecoin on a single chain is a common move for attackers seeking to make stolen assets easier to launder or cash out, since it reduces the number of wallets and chains a stolen-funds tracker has to monitor.
What Executor Wallets Actually Do
Executor wallets are part of LayerZero’s architecture and are responsible for delivering cross-chain messages. They pick up a message on one chain and drop it off on another, making them a working piece of infrastructure rather than a passive holding wallet. That operational role is exactly why they’re a target: compromise the wallet that executes messages, and an attacker can potentially manipulate what gets delivered, not just steal what’s sitting in a balance.
A Familiar Pattern for LayerZero
This is not LayerZero’s first brush with a major security incident this year. In April 2026, KelpDAO suffered a breach linked to LayerZero infrastructure in which attackers forged a cross-chain message by compromising a single-signer DVN role, draining about 116,500 rsETH, worth close to $292 million at the time. A DVN, or Decentralized Verifier Network, is the component that checks whether a cross-chain message is legitimate before it gets executed.
That attack was attributed to North Korea’s Lazarus Group, and it exposed a wider problem: security researchers found that nearly half of all LayerZero applications were still running what’s called a “1-of-1” DVN setup, where a single compromised verifier is enough to forge a valid message.
What This Means for DeFi Builders and Users
LayerZero’s design gives applications control over their own security parameters rather than enforcing one standard configuration across the board. That flexibility is useful for teams with different risk tolerances, but it also means the weakest-configured app on the network becomes the easiest target.
Anyone using or building on protocols connected to LayerZero should check whether the underlying messaging layer relies on a single verifier or a distributed setup, and you can check our guide on multi-party computation wallets before trusting it with meaningful funds.
What to Watch Next
The open question is whether LayerZero issues an official confirmation of this exploit and whether it uses the moment to push applications still running single-signer DVN configurations toward multi-signer verification, something the ecosystem has been calling for since the KelpDAO breach.
What this means for you: Before trusting an app with your funds, check its documentation or audit reports for how many verifiers approve its cross-chain transfers, because a single-verifier setup means one compromised party is all it takes to drain the funds behind it.

