
Five Eyes Raise Red Flag: How Agentic AI and Legacy Smart Contracts Form DeFi’s Next Multi-Million Dollar Threat

Artificial intelligence has become a powerful double-edged sword for the cryptocurrency ecosystem, helping developers identify bugs while simultaneously giving hackers an automated toolkit to locate and drain millions of dollars from vulnerable protocols.

By Elena Kowalski | June 24, 2026

The Exploit Mechanics

In the fast-moving world of decentralized finance (DeFi), security has always been a game of cat and mouse. However, that game has just entered overdrive. On June 22, 2026, the cybersecurity and intelligence agencies of the Five Eyes alliance (the United States, United Kingdom, Canada, Australia, and New Zealand) issued an urgent joint warning that advanced, agentic AI systems are fundamentally changing the cyber threat landscape. Hackers are now using artificial intelligence to scan thousands of smart contracts in seconds, hunting for tiny coding flaws that human security auditors might miss. According to the Five Eyes warning, the window between when a vulnerability is discovered and when it is exploited is now a matter of “months, not years.”

To understand why this is so dangerous, we need to look at how these systems verify what they are told. A smart contract is a digital agreement that automatically executes when specific rules are met. Many modern platforms use zero-knowledge proofs, which are cryptographic methods that allow one party to prove to another that a statement is true without revealing any extra information. In simple terms, it is like showing a bouncer your ID to prove you are old enough to enter a club, without letting them see your home address or full name. However, if there is a proof verification flaw in the code, the security system can be tricked. It is like the bouncer accepting a poorly drawn photocopy of a fake ID card because they do not have the tools to check if it is real.

This is exactly what happened in the recent Aztec Connect hacks. The attacker found a “boundary gap” in the protocol’s mathematical proof system. While the cryptographic proof showed that a withdrawal was valid, the contract did not properly verify that the Layer-1 settlement instructions matched what was actually written on the Layer-2 ledger. In everyday terms, it is like a bank clerk looking at a deposit receipt that shows you deposited one dollar, but writing down that you deposited one thousand dollars instead. The attacker used this gap to generate fake withdrawal receipts and pull real assets out of the contract’s vault.

Similarly, the recent exploit involving the Axelar Network and Secret Network used a different kind of code loophole. The hacker set up a fake blockchain and sent transaction packets containing forged messages through the Inter-Blockchain Communication (IBC) protocol. In this case, the smart contract failed to double-check the sender’s origin. It is like a bank teller cashing a check without looking at the name on the account or verifying that the check came from a real, legitimate bank. Because there was no check on the source, the hacker was able to print unbacked tokens out of thin air and swap them for real money.

Affected Systems

The financial damage from these AI-accelerated exploits has been swift and severe. Earlier this month, hackers targeted the deprecated Aztec Connect protocol. On June 14, 2026, an attacker exploited the legacy RollupProcessorV3 contract, draining $2.19 million in assets. Just three days later, on June 17, 2026, a second hacker used a similar technique to siphon approximately $2.15 million from a related Private Rollup Bridge contract. Because the Aztec Foundation had officially deprecated the network back in March 2023 and renounced its administration keys, there was no way to stop the bleeding. In total, users lost approximately $4.34 million from a protocol that was supposed to be completely inactive.

Only days later, on June 19, 2026, a massive exploit hit the Axelar and Secret Network bridge. The hacker exploited a vulnerability in a modified CW20-ICS20 smart contract. According to technical reports, the exploit actually began on June 10, 2026, and went completely unnoticed for 7 days. It was only discovered on June 17, 2026, when a regular user tried to move funds across the bridge and the transaction failed because the bridge’s cash reserves had been completely emptied. In total, the hacker walked away with $4.67 million in bridged assets, including wrapped versions of popular cryptocurrencies. Fortunately, Axelar confirmed that its core protocol remained secure and the damage was limited entirely to the Secret-side bridge contract.

These exploits show that hackers are getting better at using AI to scan and weaponize old code. In June 2026, OpenAI launched updates to its GPT-5.5-Cyber model, a specialized tool optimized for defensive security tasks. On the industry-standard “CyberGym” benchmark, which measures how well an AI model can identify and fix security flaws, GPT-5.5-Cyber scored an impressive 85.6%, beating Anthropic’s rival model, Mythos 5, which scored 83.8%. While these models are designed to help developers defend their platforms, security experts warn that malicious actors are using similar, unrestricted models to find zero-day bugs in legacy smart contracts. With Bitcoin (BTC) trading at $62,419, Ethereum (ETH) at $1,661.76, and BNB at $575.52, the financial reward for using AI to find these vulnerabilities is incredibly high.

The Mitigation Strategy

Once these exploits occurred, the respective development teams had to scramble to minimize the damage. However, the legacy nature of the targeted contracts made mitigation very difficult. In the case of Aztec Connect, the developers had already renounced their admin keys. This means they voluntarily gave up their power to change the code or pause the contract to protect user funds. Because blockchain transactions are permanent and immutable, the team could only watch as the approximately $4.34 million was drained, serving as a stark warning about the dangers of leaving old, high-value smart contracts running without active management.

For the Axelar and Secret Network exploit, the response was much faster. As soon as the team realized the bridge escrow had been drained, Axelar’s emergency committee voted to immediately disable all bridge connections to the Secret Network. This quick action prevented the hacker from draining other linked blockchains. The teams are currently working with major centralized exchanges and blockchain analytics firms to trace the stolen $4.67 million. Initial reports show that the hacker routed the funds through decentralized exchanges like Osmosis before moving them to the Ethereum blockchain and dispersing them across several exchanges.

To fight back against AI-driven hackers, the cybersecurity industry is deploying AI-powered defensive shields. In June 2026, OpenAI launched its Daybreak Cyber Partner Program to help security vendors integrate defensive AI models into their workflows. Additionally, OpenAI partnered with security firm Trail of Bits to create the “Patch the Planet” initiative. This project uses automated AI tools to scan open-source software code, identify bugs, and write security patches before hackers can exploit them. However, the Five Eyes warning reminds us that technology alone is not enough; developers must keep human supervisors in the loop to approve critical changes and verify AI recommendations.

Lessons Learned

The recent wave of exploits offers several vital lessons for the entire cryptocurrency community. First, legacy code is a ticking time bomb. Many projects assume that once they deprecate or shut down a protocol, they can simply walk away. But if the smart contracts still hold user funds, they remain live targets on the public blockchain. Hackers are now using AI scanners to dig through years of old deployments, searching for forgotten contracts with weak security. Developers must create clear shutdown plans that include migrating all funds out of old contracts before renouncing control.

Second, the industry must adopt a zero-trust security model. A zero-trust model is a security design where no user, network, or smart contract is trusted by default, and everything must be verified at every step. Bridges and cross-chain protocols can no longer assume that incoming transaction packets are safe just because they look like they came from a friendly blockchain. Every transaction must be validated against real escrow reserves, and strict rate limits should be put in place to prevent a hacker from draining millions of dollars in a single transaction.
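The checks described here (verify where a packet came from, validate it against real escrow reserves, and rate-limit releases) can be sketched as a toy model of a bridge's receive path. This is an added example, not code from Axelar, Secret Network or the CW20-ICS20 contract; the class names, channel ids, denom and amounts are all constructed for illustration.

```python
# Added illustration: toy model of a bridge's receive path (all names hypothetical).
from dataclasses import dataclass, field

@dataclass
class Packet:                 # simplified ICS-20-style transfer packet
    channel: str              # local channel the packet arrived on
    denom: str
    amount: int
    receiver: str

@dataclass
class Bridge:
    trusted: dict             # channel -> denoms that channel is allowed to release
    escrow: dict              # (channel, denom) -> amount locked by outbound transfers
    window_cap: int           # most that may be released per rate-limit window
    released: int = 0         # released so far in the current window
    payouts: list = field(default_factory=list)

    def receive(self, p: Packet) -> str:
        # 1. Origin: honor only channels opened to a verified counterparty chain.
        if p.denom not in self.trusted.get(p.channel, set()):
            return "reject: untrusted origin"
        # 2. Reserves: never release more than that channel actually escrowed.
        if p.amount <= 0 or p.amount > self.escrow.get((p.channel, p.denom), 0):
            return "reject: exceeds escrow"
        # 3. Rate limit: cap what one window can release, even for valid packets.
        if self.released + p.amount > self.window_cap:
            return "reject: rate limit"
        self.escrow[(p.channel, p.denom)] -= p.amount
        self.released += p.amount
        self.payouts.append((p.receiver, p.denom, p.amount))
        return "ok"

def demo():
    # Constructed sample data: one trusted channel holding 1000 units in escrow.
    bridge = Bridge(trusted={"channel-1": {"utoken"}},
                    escrow={("channel-1", "utoken"): 1000}, window_cap=600)
    packets = [
        Packet("channel-99", "utoken", 500, "addr-x"),   # arrives on an unknown channel
        Packet("channel-1", "utoken", 400, "addr-a"),    # legitimate withdrawal
        Packet("channel-1", "utoken", 300, "addr-b"),    # would exceed the window cap
        Packet("channel-1", "utoken", 5000, "addr-c"),   # claims more than is escrowed
    ]
    return [bridge.receive(p) for p in packets], bridge

if __name__ == "__main__":
    print(demo()[0])
```

Each check fails closed and independently, so a packet that passes the origin check is still bounded by the escrow balance and the window cap.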

Finally, as the Five Eyes alliance emphasized, security is a “core business risk and leadership responsibility.” Project founders, board members, and developers cannot simply treat security as a checklist or leave it entirely to junior IT staff. They must actively test their defenses under real-world pressure, recognizing that AI has permanently accelerated the speed at which hackers can operate.

User Action Required

As a retail investor, you might think these technical details do not affect you, but they do. If you have ever interacted with a DeFi protocol, you may have left approvals active in your wallet. An approval gives a smart contract permission to move tokens from your wallet. If that smart contract is later abandoned and hacked, the attacker could use those old approvals to drain your wallet, even if you have not used that protocol in years. Here is what you should do right now to protect your assets:

  • Revoke Old Approvals: Use web-based tools like Revoke.cash or the token approval checkers on block explorers like Etherscan. Scan your wallet address and revoke permissions for any protocols you no longer use, especially old or deprecated ones.
  • Withdraw from Deprecated Protocols: If you have funds sitting in older versions of DeFi pools, bridges, or yield farms, withdraw them immediately. Move your assets to modern, actively maintained protocols or secure cold storage wallets.
  • Monitor Bridge Activity: If you frequently bridge assets across different blockchains, pay attention to announcements from the development teams. If a bridge is deprecated or undergoes a major upgrade, make sure you do not hold old “wrapped” assets that could lose their backing.
  • Diversify Your Wallets: Never keep all your digital assets in a single wallet. Keep your long-term investments in offline hardware wallets, and only use hot wallets with small amounts of money for daily trading and interacting with DeFi protocols.
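To show what an approval checker does under the hood, the added example below replays ERC-20 `Approval` events for one wallet and lists the approvals that are still live for contracts on a deprecated list. It is an illustration written for this article, not code from Revoke.cash or Etherscan; the addresses, token labels and log entries are constructed sample data.

```python
# Added illustration; every address and log entry below is constructed sample data.
UNLIMITED = 2**256 - 1        # the "infinite approval" value many dApps request

def live_approvals(logs, owner):
    """Replay Approval events in chain order; the newest per (token, spender) wins."""
    latest = {}
    for log in sorted(logs, key=lambda l: (l["block"], l["log_index"])):
        if log["owner"].lower() == owner.lower():
            latest[(log["token"], log["spender"].lower())] = log["value"]
    # A value of 0 is a revocation, so only non-zero entries are still live.
    return {k: v for k, v in latest.items() if v > 0}

def to_revoke(logs, owner, deprecated):
    """Return (token, spender, amount) for live approvals held by deprecated contracts."""
    deprecated = {d.lower() for d in deprecated}
    out = []
    for (token, spender), value in sorted(live_approvals(logs, owner).items()):
        if spender in deprecated:
            out.append((token, spender, "unlimited" if value == UNLIMITED else str(value)))
    return out

OWNER = "0x" + "A1" * 20        # hypothetical wallet
OLD_BRIDGE = "0x" + "b2" * 20   # hypothetical deprecated contract
DEX = "0x" + "c3" * 20          # hypothetical actively maintained contract
LOGS = [
    {"block": 100, "log_index": 0, "token": "USDX", "owner": OWNER,
     "spender": OLD_BRIDGE, "value": UNLIMITED},
    {"block": 120, "log_index": 3, "token": "WETHX", "owner": OWNER,
     "spender": OLD_BRIDGE, "value": 500},
    {"block": 130, "log_index": 1, "token": "WETHX", "owner": OWNER,
     "spender": OLD_BRIDGE, "value": 0},      # later revoked
    {"block": 140, "log_index": 0, "token": "USDX", "owner": OWNER,
     "spender": DEX, "value": 1000},
]

# Spending through transferFrom can lower an allowance without a new Approval
# event, so these values are upper bounds; allowance(owner, spender) is authoritative.
if __name__ == "__main__":
    print(to_revoke(LOGS, OWNER, [OLD_BRIDGE]))
```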

The cryptocurrency market remains highly volatile. This article is for informational purposes only and does not constitute financial advice.

4 thoughts on “Five Eyes Raise Red Flag: How Agentic AI and Legacy Smart Contracts Form DeFi’s Next Multi-Million Dollar Threat”

  1. five eyes warning about AI scanning contracts but tbh most of the exploits this year were plain old reentrancy and access control bugs. you don't need agentic AI to find those, just a free code review

    1. hard disagree, the speed gap is the whole point. yeah the bug classes are the same but a bot scanning 10k contracts in seconds vs a human doing 5 per week is a different threat model entirely

  2. The June 22 advisory is notable but they conveniently skip that the biggest DeFi hack of 2026 was a social engineering attack on a multisig signer, not some AI-driven contract exploit

    1. this is exactly right. the advisory even mentions legacy contracts specifically because teams already deployed fixes on newer ones. the long tail of un-audited 2021-2023 contracts is the soft target
