Hyperbridge, a Polkadot-based cross-chain bridge, has raised its estimated loss from the recent exploit to about $2.5 million. That is far above the initial $237K figure it shared on April 13, when the attack took place.
In a new blog post shared on Thursday, the team said deeper checks across multiple blockchains revealed the full scale of the incident.
The attack targeted the Token Gateway of Hyperbridge. It is a tool that allows users to transfer DOT tokens to other networks, such as Ethereum, Base, BNB Chain, and Arbitrum.
The team reported that the attackers discovered a vulnerability in the proof-checking procedure of the system. More specifically, the flaw was linked to a part called the Merkle Mountain Range, or MMR.
Because of this weakness, the attackers were able to create fake cross-chain messages. As a result, they minted nearly 1 billion bridged DOT tokens without approval and then sold them on decentralized exchanges.
The exploit took place in two steps. First, the attackers made a smaller test withdrawal of about 245 ETH. Then, around an hour later, they carried out the larger coordinated attack.
How the loss estimate changed
Hyperbridge’s first public estimate of $237,000 covered only the early sale of bridged DOT on Ethereum.
It did not include losses on the other connected networks. It also left out the two-step nature of the attack and funds taken from related incentive pools.
Later, the team reviewed data from all four EVM chains and closely tracked the attacker’s full on-chain activity. After that deeper review, Hyperbridge raised the total estimated loss to $2.5 million. The figure is based on the value of ETH and DOT at the time of the exploit.
The team also said the problem was limited to the Token Gateway and its bridged token contracts. Native DOT on Polkadot was not affected. DOT bridged through other providers was also not impacted.
Recovery efforts and user protection
Hyperbridge is now working with Binance’s compliance team and law enforcement agencies to track the stolen funds. The team said a large share of the stolen assets was sent to Binance.
“We are actively engaged with Binance’s compliance team and with relevant law enforcement agencies to support asset freezing and recovery. We are intentionally not disclosing operational details that would compromise active investigations,” the company noted.
At the same time, Hyperbridge said recovery in cases like this usually takes time. In most situations, it might take months and even extend to a year.
If those recovery efforts do not succeed, the project plans to use its native BRIDGE token to compensate affected users. However, the team said this would be done carefully to avoid putting pressure on the market. It also made clear that this option will only be used if other recovery efforts fail.
More details on timing and valuation will be shared one year after the exploit, on April 13, 2027. For now, the team said it wants to focus on on-chain recovery first, as that gives users the best chance of receiving stronger real value in the end.
Hyperbridge halts operations after exploit
Hyperbridge has stopped all Token Gateway operations for now. The team said engineers and outside auditors are working on a full fix. This update is meant to solve the main problem in the MMR proof verification logic, not just block the exact attack that happened.
The project said bridging will stay paused until three things are done. First, the vulnerability must be fully fixed. Second, an independent security audit must be completed and published. Third, extra safety measures must be added.
At the same time, Hyperbridge said its Intent Gateway and other products built on it are still working normally. These systems use a different proof-based design, so they were not affected by the Token Gateway issue.
The team also warned users to stay careful. It said people should ignore random messages or recovery services claiming to represent Hyperbridge. Such scams often appear after major security incidents.
Hyperbridge framed the incident as a serious setback, but said it has not changed its broader belief in proof-based cross-chain infrastructure.
It cited over 2.8 billion dollars in lost bridge exploits in the last two years and the major part of the harm came due to compromised signers, trusted groups, and multisig setups.
The team added that the event showed the need for more frequent audits and deeper adversarial testing, especially in verification logic that sits at the core of bridge security.
The wider DeFi sector also faced heavy security losses in the first quarter of 2026. Data from DefiLlama shows hackers stole $168.6 million from 34 DeFi protocols in the first quarter, even though that was far lower than the $1.58 billion lost a year earlier.