What Is a Cross-Chain Bridge? And Why They Keep Getting Hacked

WTH Editorial May 18, 2026 3 min read

Someone tells you they’re moving their crypto from one blockchain to another, and it sounds as simple as transferring money between two bank accounts. Here’s the uncomfortable truth: blockchains can’t actually talk to each other. Bitcoin has no idea Ethereum exists. So when you “move value” between them, nothing really crosses over — instead, something has to hold real money on both sides. And that pile of money has become the single most attacked target in all of crypto.

Why the problem exists at all

Every blockchain is its own sealed world. Bitcoin’s network only knows about Bitcoin; Ethereum’s only knows about Ethereum; there’s no built-in messenger between them. So if you want to use your Bitcoin inside an Ethereum app, you can’t just send it there — it has nowhere to land. The tool built to solve this is a bridge, and the most common design works like a coat check. You hand your real Bitcoin to the bridge, it locks that Bitcoin in a vault, and in exchange it hands you a claim ticket on the other chain: a brand-new token that stands in for your Bitcoin. You use that token on Ethereum, and whenever you want the real thing back, you return the ticket, the bridge destroys it, and it unlocks your original Bitcoin.

The vault is the problem

For the system to work, it has to hold the real, original assets for everyone using the bridge — billions of dollars in genuine crypto, sitting in one place, guarded by code. To a hacker, that isn’t a vault. It’s a prize. And they’ve claimed it, repeatedly. The Ronin bridge, in 2022 — more than six hundred million dollars gone. Wormhole, the same year — roughly three hundred twenty million. Add up everything stolen from cross-chain bridges since 2021 and the total runs past two point eight billion dollars. No other category in crypto has bled like this.

“Just don’t use a vault” doesn’t escape it

The obvious fix is to build a bridge without a locked vault, and projects have tried. THORChain is one of the better-known attempts — it issues no wrapped claim tickets, doing genuine swaps from pools it controls, and by its own description isn’t a bridge in the classic sense. And yet, in May 2026, an attacker drained roughly eleven million dollars from one of those pools. The mechanism was different — a flaw in how the pool’s keys were managed let the attacker reconstruct the private key and authorize transfers nobody approved — but notice what didn’t change. THORChain still had to hold real value, pooled together, in one place. Different design, same honeypot. The network halted trading within minutes and locked down while it sorted the damage.

The structural lesson

That’s the thing worth carrying out of this: the vulnerability isn’t a bug in any one protocol. It’s structural. The moment you connect two blockchains, somebody, somewhere, has to custody real value on both ends. You can change who holds it, how it’s guarded, and what a failure looks like — what you can’t do is make the pile disappear. And as long as the pile exists, it’s a target.

So when someone says they’re moving crypto between chains, remember it isn’t a transfer at all. There’s no tunnel between Bitcoin and Ethereum — there’s a stockpile of real money sitting in the middle and a set of rules deciding when to let it move. Bridges aren’t risky because the engineers are careless. They’re risky because the job itself — holding everyone’s value in one place, in the open — is the hardest security problem in the industry. Before you bridge anything, that’s the question to actually sit with: not just where you’re sending it, but who’s holding it while it’s in motion.

Not investment advice. WTH Crypto is editorial commentary, not financial guidance.