Key Takeaways
- A critical vulnerability in Litecoin’s network led to a 13-block chain reorganization on Saturday
- The MimbleWimble Extension Block (MWEB) privacy feature was exploited to introduce fraudulent transactions
- Mining operations with current software versions experienced denial-of-service attacks that temporarily reduced their hash rate
- Evidence points to a coordinated operation, with funding traced to a Binance-linked wallet, raising questions about the zero-day classification
- While the vulnerability has been resolved and legitimate transactions remain intact, trading platforms reported significant losses, including approximately $600,000 on NEAR Intents
The Litecoin network experienced a significant security breach on Saturday when malicious actors exploited a vulnerability within its MimbleWimble Extension Block privacy feature, marking the first successful attack on this system since its 2022 deployment.
The security flaw enabled outdated mining nodes to approve fraudulent transactions, allowing bad actors to extract coins from the privacy layer and transfer them to decentralized exchanges and cross-chain bridging services.
Simultaneously, mining operations running current software versions faced denial-of-service attacks that temporarily disabled their computing power, effectively handing network control to the vulnerable older nodes.
When the denial-of-service attacks ceased, the upgraded nodes reclaimed network authority and initiated a 13-block chain reorganization. This rollback eliminated the fraudulent transactions, effectively erasing more than three hours of compromised blockchain history.
The Litecoin Foundation verified that all legitimate transactions conducted during the affected timeframe remain recorded on the primary chain. The organization confirmed the vulnerability has been completely resolved through patching.
The compromised chain segment spanned from block 3,095,930 through 3,095,943, lasting over three hours. Throughout this period, attackers executed double-spend operations targeting various cross-chain swap services that had processed the subsequently invalidated withdrawals.
Aurora Labs CEO Alex Shevchenko characterized the incident as a “coordinated attack.” He highlighted that funding for the attacker originated from a Binance-associated address earlier in the week, indicating advanced planning.
Zero-Day Classification Disputed by Developers
Shevchenko questioned whether the exploit truly qualified as a zero-day vulnerability. He observed that since the network automatically executed the reorganization after the denial-of-service attacks ended, a portion of the hash rate must have already been operating updated software.
“This bug was known, and it’s not a zero-day,” Shevchenko stated on X.
Blockchain developer Vadim echoed these concerns, noting that the precision and targeting suggested a calculated operation rather than an opportunistic attack.
Financial Impact Across Multiple Platforms
Shevchenko calculated that NEAR Intents sustained losses of approximately $600,000 from the incident. He recommended that all platforms processing Litecoin transactions conduct comprehensive audits of their records and asset holdings.
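One way a platform could run the kind of audit recommended above, as an added example that is not code from the article, the Litecoin Foundation or any exchange: it compares each deposit the service credited against the chain as it stands after the reorganization. The `Deposit` record, the function names and every hash, txid and amount are constructed for illustration; only the block heights are taken from the range reported in this article.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Deposit:
    txid: str
    height: int       # height at which the service saw the deposit confirm
    block_hash: str   # hash of that block, recorded when the deposit was credited
    amount: int       # smallest currency units

def audit_deposits(credited, canonical_blocks, canonical_txs):
    """Classify credited deposits against the post-reorg best chain.

    canonical_blocks: height -> block hash on the current best chain
    canonical_txs:    txid -> height at which the tx is confirmed on that chain
    """
    report = {"ok": [], "reconfirmed": [], "reversed": []}
    for dep in credited:
        if canonical_blocks.get(dep.height) == dep.block_hash:
            report["ok"].append(dep)            # block survived the reorg
        elif dep.txid in canonical_txs:
            report["reconfirmed"].append(dep)   # block orphaned, tx still on chain
        else:
            report["reversed"].append(dep)      # credited, but no longer on chain
    return report

def exposure(report):
    """Total amount credited for deposits the reorg removed."""
    return sum(dep.amount for dep in report["reversed"])

# Constructed sample data: hashes, txids and amounts are invented.
# Heights sit in or next to the reorganized range reported in the article.
CANONICAL_BLOCKS = {3095929: "hash-a", 3095930: "hash-b",
                    3095931: "hash-c", 3095935: "hash-d"}
CANONICAL_TXS = {"tx-1": 3095929, "tx-2": 3095931}
CREDITED = [
    Deposit("tx-1", 3095929, "hash-a", 500),      # before the reorg range
    Deposit("tx-2", 3095930, "orphan-x", 700),    # orphaned block, tx re-mined
    Deposit("tx-3", 3095935, "orphan-y", 9000),   # orphaned block, tx gone
]

if __name__ == "__main__":
    result = audit_deposits(CREDITED, CANONICAL_BLOCKS, CANONICAL_TXS)
    for status, deps in result.items():
        print(status, [d.txid for d in deps])
    print("exposure:", exposure(result))
```

The check depends on the service having stored the block hash, not just the height, at the time it credited each deposit; a height alone cannot distinguish an orphaned block from its replacement.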
The Litecoin Foundation has not disclosed which mining pools were targeted or revealed the total amount of Litecoin generated through the invalid transactions.
Litecoin was trading around $56.00 at approximately 4:30 p.m. ET on Saturday, showing a modest 1% decline for the day, with markets displaying minimal reaction to the security breach. The cryptocurrency has declined nearly 25% year-to-date.
This incident forms part of an escalating trend of cryptocurrency security breaches in 2026. DeFi protocols have experienced losses exceeding $750 million through mid-April, including the $292 million Kelp DAO bridge exploit on April 19 and a $285 million compromise of Solana-based perpetuals platform Drift on April 1.
Cross-chain infrastructure has emerged as the primary vulnerability in the majority of these incidents, including Saturday’s Litecoin security breach.



