Hyperbridge Bridge Exploited: Attacker Mints 1B DOT Tokens, Profits $237K

Hyperbridge exploit: forged message grants admin access

On April 13, an unknown attacker exploited a vulnerability in the Hyperbridge cross-chain bridge smart contract. By slipping through a forged message, the hacker changed the administrator of the Polkadot token contract on Ethereum and proceeded to mint 1 billion DOT in ERC-20 format. The exploit was flagged by blockchain security firm CertiK.

"We have seen an exploit on the @hyperbridge gateway contract. The attacker slipped through a forged message to change the admin of Polkadot token contract on Ethereum and profited ~$237K from minting and selling 1B tokens." — CertiK Alert (@CertiKAlert), original post

Immediately after minting, the attacker dumped the entire supply in a single transaction, netting 108.2 ETH — approximately $237,000. The Polkadot mainnet was not affected; only the ERC-20 wrapped version of DOT operating on Ethereum was compromised.

Following news of the exploit, DOT's price declined 4%, dropping to $1.19. The Hyperbridge team had not issued any public statement at the time of writing.

Why this matters

Cross-chain bridges remain one of the most vulnerable components of DeFi infrastructure, repeatedly targeted in high-profile attacks over the past several years. The Hyperbridge incident demonstrates that even relatively modest exploits ($237,000) can trigger notable price movements in major assets — DOT fell 4% on the news.

The attack vector — admin privilege escalation through a forged message — points to insufficient input validation in the bridge's smart contract. This raises concerns about similar mechanisms in other cross-chain protocols and underscores the need for rigorous security audits.

G. Love frontman loses $420K to fake Ledger app

In a separate incident, musician Garrett Dutton — known as G. Love — revealed on April 11 that he lost 5.9 BTC (approximately $420,000) after downloading a counterfeit Ledger application from Apple's App Store.

"I had a really tough day today I lost my retirement fund in a hack/Scam when I switched my @Ledger over to my new computer and by accident downloaded a malicious ledger app from the @Apple store. All my BTC gone in an instant." — G. Love (@glove), original post

Dutton explained that while setting up a new computer, he downloaded what he believed was the official Ledger software and entered his seed phrase. The application turned out to be fraudulent, and his funds were drained instantly.

On-chain investigator ZachXBT traced the stolen 5.92 BTC and found that the attacker had laundered the funds through KuCoin deposit addresses across nine separate transactions.

"Hi I traced out your 5.92 BTC stolen and it was all laundered via @kucoincom deposit addresses in the following transactions..." — ZachXBT (@zachxbt), original post

Neither Ledger nor Apple had responded to the incident at the time of publication. The case echoes last year's phishing campaign in which scammers sent physical letters to hardware wallet owners requesting their seed phrases.

Key takeaways for crypto holders

Both incidents highlight persistent threats in the crypto space: smart contract vulnerabilities in bridge protocols and social engineering through counterfeit applications. Users should always download wallet software exclusively from official project websites and never enter seed phrases into unverified applications, regardless of where they were downloaded from.