Independent On-Chain Investigation: Hyperbridge Token Gateway Exploit (Updated April 17)

Update (April 17): This investigation has expanded. The original post covered one attacker cluster. Continued analysis has identified a second, independent attacker who struck the same Token Gateway contract 53 minutes earlier using a different extraction method and a more sophisticated laundering structure. The combined confirmed attacker-side extraction is now $845,000 across two investigated clusters. A third, smaller attack ($12K in MANTA/CERE) has been reported by other sources but has not yet been independently verified. The full scope of this exploit is likely broader than any single attacker cluster. We are still digging.

Both full reports are published on hubsec.net.


Following the April 13 exploit of Hyperbridge’s Token Gateway on Ethereum, I conducted an independent on-chain investigation to understand what was actually extracted and where the funds went. The initial reporting put losses at $237K. Hyperbridge later revised the figure to approximately $2.5M. Both numbers are correct, but they measure different things.

This was not a single-attacker incident. At least two independent attackers exploited the same vulnerability on the same day, using different extraction methods, different laundering strategies, and different operational tradecraft. A third smaller attack has been reported. It is possible that additional attacker addresses were involved that have not yet been identified.

Attacker 1 (block 24,868,295): Operated a three-address cluster. The primary EOA was funded through Railgun, was 37 days old, and deployed over 15 test contracts in the weeks before execution. In one atomic transaction, the attacker forged an MMR proof to bypass HandlerV1’s verification, hijacked admin privileges on the Bridged DOT (ERC-6160) token contract via TokenGateway, minted 1 billion DOT, and swapped them through Odos Router and Uniswap V4 for 108.2 ETH. Total gas cost was 0.000339 ETH.

Fund tracing across six EVM chains shows this attacker sent $272,174 to Tornado Cash across nine direct transactions from the primary EOA. A live balance check confirms the cluster now holds $49. Empty.

Attacker 2 (block 24,868,029, 53 minutes earlier): Used a 4-day-old wallet with only 2 transactions. Deployed two exploit contracts that siphoned 245.93 WETH ($573,000) directly from the Token Gateway’s Wrapped Ether holdings via the onAccept() path. No token minting was involved. The proceeds were split across 15 burner wallets in equal 16.39 ETH batches, all forwarded to Tornado Cash. Both exploit contracts self-destructed within the same transaction to erase their bytecode.

This attacker was more operationally sophisticated: younger wallet, fewer transactions, self-destructing contracts, multi-wallet laundering fan-out, and struck first.

Combined confirmed extraction:

| Attacker | Method | Extracted | Sent to Tornado Cash |
| --- | --- | --- | --- |
| Attacker 1 | Minted 1B DOT, swapped for ETH | ~$272,000 | $272,174 |
| Attacker 2 | Siphoned 245.93 WETH directly | ~$573,000 | $572,790 |
| Earlier test hack (not yet investigated) | MANTA/CERE drain via onAccept() | ~$12,000 | Unknown |
| Combined | | ~$857,000 | $844,964 |

Reconciling with Hyperbridge’s $2.5M figure:

The combined attacker-side extraction from both investigations accounts for approximately $845,000. Hyperbridge’s April 15 update reported approximately $2.5M, described as “losses from incentive pools across Ethereum, Base, BNB Chain, and Arbitrum.” The remaining $1.65M could reflect additional exploitation paths not yet identified, the reported $12K MANTA/CERE attack, incentive pool replacement costs on the victim side, or a combination of all three. This is an active investigation.

Both attacker clusters are now empty. All confirmed proceeds have been sent to Tornado Cash. There is no hidden inventory in the wallets we have investigated.

Whether the two attackers are the same person is unknown. Entity resolution found no common funding source, no shared burner wallets, and no temporal correlation in wallet creation between the two clusters. The on-chain evidence is consistent with two independent actors discovering the same vulnerability, but coordination through off-chain channels cannot be ruled out.

Additional finding: Address 0x7ac0…cb19, which received 14.5M DOT across 27 bridge inbounds, was separately investigated and determined to be a legitimate exchange or market-maker wallet (909 hops, $0 net extraction, no cluster overlap with either attacker).

The full reports with complete address references, fund flow diagrams, methodology, and limitations are published on hubsec.net:

Methodology: All data was obtained through direct blockchain queries via Etherscan V2 API. The second investigation required internal transaction tracing to recover fund flows from self-destructed contracts, a technique that works because internal transaction records are stored in transaction receipts rather than contract state. No data was sourced from news articles, press releases, or third-party analysis.

This is an ongoing investigation. If anyone has information about additional attacker addresses or exploitation paths related to this incident, the data would help complete the picture.

2 Likes
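The methodology above recovers fund flows from a self-destructed contract by reading the internal transactions recorded for the transaction rather than the (now erased) contract state. The following is an added illustration, not code from the original post or from Hyperbridge: it parses a constructed trace in the shape of an Etherscan internal-transaction response (field names are assumed), nets the flows per address, and flags the equal-batch fan-out pattern the report describes.

```python
"""Reconstruct fund flows from a self-destructed contract using the internal
transactions recorded for a transaction (trace/receipt data, not contract state)."""
import json
from collections import Counter, defaultdict
from decimal import Decimal

WEI = Decimal(10) ** 18


def _rec(src, dst, eth, kind="call"):
    # Assumed field names, mirroring an Etherscan txlistinternal record.
    return {"from": src, "to": dst, "value": str(int(Decimal(eth) * WEI)),
            "type": kind, "isError": "0"}


# Constructed sample trace (not real data): a gateway pays an exploit contract,
# which fans out equal batches to burner wallets and then self-destructs
# ("suicide" is the label Etherscan uses for a SELFDESTRUCT value transfer).
SAMPLE = json.dumps({"status": "1", "message": "OK", "result": [
    _rec("0xgateway", "0xexploit", "245.93"),
    *[_rec("0xexploit", f"0xburner{i:02d}", "16.39") for i in range(15)],
    _rec("0xexploit", "0xattacker", "0.08", kind="suicide"),
]})


def parse_internal_txs(payload):
    """Return successful internal transfers as (from, to, value_eth, type)."""
    data = json.loads(payload)
    if data.get("status") != "1":
        return []
    return [(r["from"].lower(), r["to"].lower(), Decimal(r["value"]) / WEI, r["type"])
            for r in data["result"] if r.get("isError") == "0"]


def net_flows(records):
    """Net ETH per address. A self-destructed contract nets to zero because
    everything it received was pushed out before its bytecode was erased."""
    net = defaultdict(Decimal)
    for src, dst, value, _ in records:
        net[src] -= value
        net[dst] += value
    return dict(net)


def fanout_signature(records, sender):
    """(amount, count) of the most repeated outgoing value from `sender`;
    many equal-sized transfers to fresh wallets is a laundering fan-out signal."""
    outs = Counter(value for src, _, value, _ in records if src == sender)
    return outs.most_common(1)[0] if outs else None


def selfdestruct_beneficiaries(records):
    """Addresses that received a contract's residual balance on SELFDESTRUCT."""
    return [dst for _, dst, _, kind in records if kind == "suicide"]
```

Against a live trace, the same functions apply to the `result` array returned for the exploit transaction hash; the burner wallets then become the next hop to trace onward.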

The primary EOA was funded through Railgun, was 37 days old, and deployed over 15 test contracts in the weeks before execution.

Thanks for the investigation. Were the test contracts copies or closely related to the Hyperbridge contracts or were they contracts setup to interact with the HyperBridge contracts?

They’re malicious contracts. The contract that drained WETH was actually set to self-destruct, so the component of that contract isn’t accessible.

1 Like

The number of contracts being created can’t be that large. Presumably these signals could be identified prior to attacks by monitoring the types of contracts being authored on-chain.

Can anyone with on-chain experience please tell us why no one mentions the “significant amount of hacked funds being sent to Binance” as stated by Hyperbridge in their announcement? Is anyone able to find this trace? This is the most important aspect for us victims, and so far there has been no information from Hyperbridge.

1 Like

That would take quite some time to do, since the funds were funnelled via Tornado Cash. I’ll post info as I dig more, and I’m sure Hyperbridge will too (I’m not affiliated with Hyperbridge, by the way).

1 Like