Blockchain Insights

Anatomy of the Taiko Hack: How a GitHub Key Leak Drained $1.7M from an Ethereum L2

REPORT

June 23, 2026


June 22, 2026 | Blockchain Forensic Analysis

Introduction

Just past midnight on June 21, 2026, approximately $1.7 million vanished from the bridge of Taiko, an Ethereum Layer 2 blockchain. The attacker didn't need a sophisticated exploit. A single signing key left exposed on GitHub was more than enough.

Security firm Blockaid was the first to detect anomalous activity. The Taiko team quickly posted on X (formerly Twitter), urging all bridge users to withdraw their funds immediately. South Korean exchanges — Upbit, Bithumb, Coinone, and Korbit — suspended TAIKO deposits and withdrawals within hours.

So where exactly did the money go? We traced the attacker's footsteps on-chain.

The Attack: Forging a Proof to Open the Vault

Taiko relies on a system called Raiko — an SGX (Secure Enclave)-based proof generator — to verify the validity of transactions bridging between chains. The signing key for this system had been left publicly accessible on GitHub.

The attacker obtained this key and executed the following sequence:


① Crafted fraudulent "MessageSent" events without any real bridge deposits
② Submitted forged withdrawal proofs to the Ethereum mainnet bridge contract
③ The bridge contract accepted the proofs as legitimate and released ERC-20 Vault assets
④ Assets worth millions were drained — without a single dollar ever being deposited

In plain terms: the attacker checked out funds they never checked in.
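The invariant the attack broke (every release on the destination chain is backed by a deposit on the source chain) can be checked by a monitor that does not trust the proof signer. The following is an added example, not Taiko's or Blockaid's code; the `Msg` record, the function names and all sample data are assumptions, and it also flags replayed and altered messages, which goes beyond the case described above.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Msg:
    msg_hash: str   # bridge message identifier (hypothetical field names)
    token: str
    amount: Decimal
    recipient: str

def reconcile(deposits, releases):
    """Flag destination-chain releases not backed by a source-chain deposit.

    `deposits` must come from the monitor's own view of the source chain,
    never from the proof system whose signing key may be compromised.
    """
    backing = {d.msg_hash: d for d in deposits}
    seen, findings = set(), []
    for r in releases:
        if r.msg_hash not in backing:
            findings.append((r.msg_hash, "no-deposit"))
        elif r.msg_hash in seen:
            findings.append((r.msg_hash, "replayed"))
        elif backing[r.msg_hash] != r:
            findings.append((r.msg_hash, "field-mismatch"))
        seen.add(r.msg_hash)
    return findings

def unbacked_by_token(deposits, releases):
    """Per-token value released in excess of what was deposited."""
    net = {}
    for d in deposits:
        net[d.token] = net.get(d.token, Decimal(0)) - d.amount
    for r in releases:
        net[r.token] = net.get(r.token, Decimal(0)) + r.amount
    return {t: v for t, v in net.items() if v > 0}

# Constructed sample data (hashes, tokens and recipients are made up).
DEPOSITS = [Msg("m1", "USDC", Decimal("1000"), "alice"),
            Msg("m2", "ETH", Decimal("2"), "bob")]
RELEASES = [Msg("m1", "USDC", Decimal("1000"), "alice"),    # backed
            Msg("m2", "ETH", Decimal("20"), "bob"),         # amount altered
            Msg("m9", "ETH", Decimal("500"), "mallory"),    # never deposited
            Msg("m1", "USDC", Decimal("1000"), "alice")]    # replay

if __name__ == "__main__":
    for finding in reconcile(DEPOSITS, RELEASES):
        print(finding)
    print(unbacked_by_token(DEPOSITS, RELEASES))
```

A non-empty result from either function is grounds to pause the bridge, because the check holds even when the proofs themselves verify.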

Four Attacker Wallets β€” Published by Taiko Itself

The Taiko team disclosed four attacker wallet addresses directly on X, requesting cooperation from centralized exchanges.

Following the Money: A Step-by-Step Breakdown

Step 1 β€” Immediate Post-Exploit: Token Dispersion

The primary wallet (0x7506...b76a) extracted the following assets directly from the Taiko Bridge contract (0xd60247c6848B7Ca29eDdF63AA924E53dB6Ddd8EC):

Step 2 β€” ETH Siphoned Into a Holding Wallet

The attacker split 500 ETH into exactly five transfers of 100 ETH each, routing them to a separate holding wallet (0xa98035081fb739ebe9c8f80904668fb11438a846). This is a textbook structuring pattern — breaking up large transfers to evade detection thresholds.

🔴 As of the time of analysis, this wallet still holds 778 ETH — approximately $1.34 million — with no outbound movement recorded.

For investigators, this is a window of opportunity. The funds remain accessible for freezing via legal process or exchange cooperation before they move further.
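The equal-amount splitting described in Step 2 is easy to surface in transfer data. The following detection sketch is an added example, not tooling used in this analysis; the wallet labels, thresholds and sample transfers are constructed assumptions.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample: (timestamp_s, sender, recipient, amount_eth). Not chain data.
SAMPLE = [
    (1000, "wallet_A", "wallet_H", Decimal("100")),
    (1012, "wallet_A", "wallet_H", Decimal("100")),
    (1024, "wallet_A", "wallet_H", Decimal("100")),
    (1036, "wallet_A", "wallet_H", Decimal("100")),
    (1048, "wallet_A", "wallet_H", Decimal("100")),
    (1100, "wallet_A", "wallet_S", Decimal("37.5")),   # one-off, ignored
    (5000, "wallet_B", "wallet_C", Decimal("100")),
    (90000, "wallet_B", "wallet_C", Decimal("100")),   # same amount, a day apart
]

def find_structured(transfers, window_s=3600, min_count=3,
                    min_total=Decimal("250")):
    """Find repeated identical-amount transfers between one pair of wallets.

    An alert fires when at least `min_count` transfers of the same amount
    fall inside `window_s` seconds and together move `min_total` or more.
    """
    groups = defaultdict(list)
    for ts, src, dst, amt in transfers:
        groups[(src, dst, amt)].append(ts)
    alerts = []
    for (src, dst, amt), stamps in groups.items():
        stamps.sort()
        lo = best = 0
        for hi in range(len(stamps)):          # sliding time window
            while stamps[hi] - stamps[lo] > window_s:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= min_count and amt * best >= min_total:
            alerts.append({"src": src, "dst": dst, "amount": amt,
                           "count": best, "total": amt * best})
    return alerts

if __name__ == "__main__":
    for alert in find_structured(SAMPLE):
        print(alert)
```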

Step 3 β€” Stablecoins Routed Through Uniswap

The stablecoins and ERC-20 tokens (USDC, USDT, crvUSD, CRV, WBTC) were consolidated at the swap hub wallet (0x9108...acd4), then swapped via Uniswap V3 and fully dispersed. That wallet's current balance is zero.

Step 4 β€” TAIKO Tokens Cashed Out via MEXC

The fastest-liquidated asset was the TAIKO token itself. On-chain data corroborated by Lookonchain shows the attacker transferred 1.99 million TAIKO (≈ $189,000) directly to MEXC within hours of the exploit.

Notably, MEXC is listed on South Korea's KoFIU (Korea Financial Intelligence Unit) high-risk / unregistered exchange blocklist — suggesting the attacker deliberately chose a venue where regulatory freeze requests face higher friction and slower response times.

Full Fund Flow Map


[Taiko Bridge Contract: 0xd602...d8ec]
        │  Forged proof withdrawal
        ▼
[Attacker Wallet #1: 0x7506...b76a]
   ├─ 500 ETH × 5 splits ────────► [ETH Holding Wallet: 0xa980...a846]
   │                                    🔴 778 ETH (~$1.34M) STILL SITTING HERE
   │
   ├─ USDC / USDT / crvUSD / CRV / WBTC
   │         └──────────────────────► [Swap Hub: 0x9108...acd4]
   │                                       └─► Uniswap V3 swaps → drained
   │
   └─ 1,990,000 TKO ────────────────► MEXC (cash-out in progress)

[Attacker Wallet #2: 0x5fbc...4990]
   └─ 1,990,000 TKO ────────────────► MEXC

[MEXC-linked address: 0x3cc9...cf18]
   └─ 1,500 ETH ────────────────────► MEXC internal transfer confirmed

Three Lessons This Hack Leaves Behind

① Operational Security Is Code Quality

This attack didn't exploit a bug in Taiko's bridge logic. The contracts themselves functioned as designed. What failed was operational security (OPSEC). A signing key was left in a public GitHub repository. No amount of cryptographic sophistication matters if the key walks out the front door.

② Bridges Remain DeFi's Weakest Link

Ronin ($620M, 2022). Wormhole ($320M, 2022). Nomad ($190M, 2022). Now Taiko. Cross-chain bridges require complex verification logic by their very nature — and complexity is attack surface. Until the industry develops more robust, trustless bridge architectures, this pattern will repeat.

③ Attackers Know the Regulatory Map

The choice of MEXC was likely not accidental. Unregistered exchanges operating outside major regulatory frameworks respond more slowly — or not at all — to freeze requests. Sophisticated attackers now factor the regulatory geography of their cash-out venues into their operational planning. This is a level of tradecraft that investigators must account for.

Where Things Stand Now

On-chain evidence shows 778 ETH (approximately $1.34 million) has not moved from the holding wallet as of this writing. That is a meaningful recovery opportunity if law enforcement and the Taiko team act swiftly.

Taiko has stated it is actively coordinating with its Security Council and ecosystem partners. South Korean exchanges have designated TAIKO as a cautionary trading asset and will reassess the status in the fourth week of July.

Closing Thought

This hack was not technically sophisticated. But it was effective — and expensive. What the attacker left behind on-chain, however, is a remarkably clear trail. The immutability of the blockchain cuts both ways: every transaction is permanent, public, and traceable.

$1.7 million moved in the dark — but the ledger kept the lights on.

This analysis is based on publicly available on-chain data. All addresses and transaction hashes are independently verifiable on the Ethereum mainnet.

Analysis date: June 22, 2026
