Gravity Bridge, a cross-chain protocol that moves assets between Ethereum and the Cosmos ecosystem, was drained of roughly $5.4 million early Saturday in what security researchers believe was a compromised signing key rather than a smart contract bug.

The unusual outflows were first flagged by onchain analyst Specter and later corroborated by security firm PeckShield. Specter said it appears the bridge's signing keys may have been compromised, allowing the attacker to push out a series of unauthorized withdrawals.

The stolen funds break down to about $4.3 million in USDC, 274 wrapped ether worth roughly $553,000, $434,000 in tether and 14.16 PAXG tokens worth about $64,000, according to PeckShield's tally. The assets were routed to an address ending in 7C62da1F9, with the drained contract identified by Specter as one ending in 1F2D906.

"There was an unfortunate incident on Gravity," the team wrote on X Saturday. "Validators should halt their validators and orchestrators while this incident is being investigated." In a follow-up post, the team said the bridge is currently halted while it investigates the attack. 

The attacker began moving funds almost immediately. PeckShield said a portion of the haul has already been laundered through the instant-swap service ChangeNow and through Binance, while the theft wallet was still holding around 2,100 ETH, or about $4.23 million, at the time of its report. An Arkham snapshot shared by Specter showed a related wallet holding roughly $4.16 million in ether.

Gravity Bridge works by locking tokens on the Ethereum network and minting mirrored versions of the tokens on Cosmos, with validator signatures authorizing each transfer. If an attacker obtains enough valid signing keys, the system treats forged withdrawals as legitimate. That mechanism seems consistent with the researchers' early read that the breach sits at the authorization layer rather than in the contract logic.

If confirmed, the incident would fit the ongoing pattern of 2026's bridge attacks, in which key security issues provide the vulnerabilities rather than flaws in the underlying smart contract code. A similar root cause surfaced in the Kelp DAO and Resolv exploits earlier this year, where audited code was not the weak point.

At $5.4 million, the Gravity Bridge loss is modest next to the year's headline bridge hacks, but it adds to a recent major uptick in incidents, with April being the most-hacked month on record. Bridges have been a significant attack surface in 2026 and a primary driver of a year in which crypto hack losses have run to the billions, per TRM Labs. The category has a long track record as one of crypto's most lucrative targets, from the $190 million Nomad exploit in 2022 to the $81.5 million Orbit Bridge hack in 2024.

Gravity Bridge, built by contributors including the Althea team and secured by its native Graviton (GRAV) token, has not yet released a postmortem, leaving the exact entry point unconfirmed. The Block was unable to immediately reach Gravity Bridge or Althea for comment.