TLDR
- A coordinated attack exploited a vulnerability in Litecoin’s blockchain, resulting in a 13-block chain reorganization on Saturday
- The exploit targeted the MimbleWimble Extension Block (MWEB) privacy feature, allowing invalid transactions to be processed
- Updated mining pools faced denial-of-service attacks that temporarily reduced their network control
- Evidence including a Binance-linked funding address indicates the attack was orchestrated in advance, raising questions about the zero-day classification
- While the vulnerability has been remediated and legitimate transactions remained intact, cross-chain platforms sustained losses totaling approximately $600,000 on NEAR Intents
A sophisticated exploit targeted Litecoin over the weekend, marking the first significant security breach of its MimbleWimble Extension Block privacy feature since the system went live in 2022.
The vulnerability enabled outdated mining nodes to process fraudulent transactions, permitting bad actors to extract coins from the privacy layer and transfer them to decentralized exchanges and cross-chain bridging services.
Concurrently, mining operations utilizing current software versions faced coordinated denial-of-service attacks. These attacks temporarily diminished their computational power, allowing outdated nodes to dominate network consensus.
When the denial-of-service interference ceased, upgraded nodes reclaimed network authority and initiated a 13-block reorganization. This action effectively erased over three hours of compromised blockchain data from Litecoin’s permanent record.
The Litecoin Foundation verified that every legitimate transaction executed during the affected timeframe persists on the primary chain. The security flaw has been completely resolved, according to official statements.
The reorganized segment spanned from block 3,095,930 through 3,095,943, encompassing more than three hours. Throughout this interval, attackers executed double-spend operations against various cross-chain swap services that had processed the subsequently invalidated withdrawals.
Alex Shevchenko, CEO of Aurora Labs, characterized the incident as a “coordinated attack.” He additionally noted that an address associated with Binance provided funding to the attacker days before execution, indicating advance preparation.
Debate Emerges Over “Zero-Day” Classification
Shevchenko challenged whether the vulnerability truly qualified as a zero-day exploit. He observed that since the network autonomously executed the reorganization following the denial-of-service termination, a portion of the hash rate must have already deployed patched software.
“This bug was known, and it’s not a zero-day,” Shevchenko posted on X.
Blockchain developer Vadim concurred that the precision timing and specific targeting indicated an intentional operation rather than an opportunistic discovery.
Financial Impact Documented Across Multiple Platforms
Shevchenko calculated that NEAR Intents sustained approximately $600,000 in damages from the exploit. He recommended that all platforms processing Litecoin transactions conduct comprehensive audits of their records and balances.
The Litecoin Foundation has not publicly identified which mining pools experienced disruption or revealed the total volume of Litecoin generated through the fraudulent transactions.
Litecoin was exchanging hands near $56.00 at approximately 4:30 p.m. ET on Saturday, declining roughly 1% for the day, with minimal market volatility following the disclosure. The cryptocurrency has depreciated nearly 25% year-to-date.
This incident contributes to an escalating series of cryptocurrency security breaches in 2026. DeFi platforms have surrendered over $750 million to exploits through mid-April, including the $292 million Kelp DAO bridge compromise on April 19 and a $285 million breach of Solana-based perpetuals exchange Drift on April 1.
Cross-chain bridging infrastructure represented the primary vulnerability vector in the majority of these incidents, including Saturday’s Litecoin exploitation.
