Crypto Bridge Suffers $11 Million Hack After Garden Breach

Garden Finance, a cross-chain bridge protocol, lost approximately $11.4 million after an attacker compromised one of its independent solver operators and drained crypto assets across multiple blockchains. The breach, which Garden said did not affect protocol contracts or user funds, was followed by an on-chain bounty offer and a laundering trail that led into Tornado Cash.

How the Garden bridge hack drained about $11.4 million

Garden’s January 28, 2026 incident report said an attacker gained unauthorized access to the infrastructure of one of its independent solver operators. The attacker drained approximately $11.4 million in crypto assets across multiple chains, including Ethereum, Solana, and BNB Chain.

Estimated Loss

$11.4M

Garden said the exploit drained roughly $11.4 million while leaving protocol contracts and user funds unaffected.

Garden co-founder Jaz Gulati confirmed the exploit on October 31, 2025, telling Cybernews the platform had been compromised for $11 million and that the protocol itself was unaffected.

Exploit timeline: October 30 to the January incident report

The exploit itself occurred on or around October 30, 2025. Within hours, Garden sent an on-chain bounty message to the attacker’s address. The protocol published its full incident report nearly three months later, on January 28, 2026, after engaging forensic partners.

The gap between the breach and the detailed public report drew attention, particularly given that the attacker had already begun moving stolen funds through a mixer by early November.

Why Garden says protocol contracts and user funds were not compromised

Garden’s bridge design relies on independent solver operators, third-party agents that facilitate cross-chain swaps by matching and settling orders. These solvers manage their own infrastructure separately from the core protocol contracts that hold user liquidity.

According to Garden’s incident report, the vulnerability was isolated entirely to the solver environment. The attacker gained access to a solver’s private infrastructure rather than exploiting the protocol’s smart contracts.

What “no user funds were at risk” means for retail users

Garden said no user funds were at risk because the solver’s own capital, not pooled user deposits, was what the attacker drained. The protocol contracts that govern swap logic and hold user-facing liquidity were not breached.

For retail users, this distinction matters: funds deposited into or routed through Garden’s bridge contracts were reportedly never exposed. The loss fell on the solver operator’s balance sheet, not on individual wallets interacting with the protocol.

That said, the incident highlights how bridge security extends beyond smart contract audits. Even when core contracts remain intact, compromised off-chain infrastructure can result in multi-million-dollar losses, a pattern that has surfaced in other institutional crypto infrastructure discussions.

What the bounty message and Tornado Cash trail show after the breach

Garden moved quickly to contact the attacker on-chain. An Etherscan transaction timestamped October 30, 2025 at 01:12:11 PM UTC shows Garden’s whitehat bounty message offering 10% of the stolen assets in exchange for returning the rest to a designated recovery address.

The bounty offer went unanswered. By November 7, 2025, Protos reported that more than $6 million in ether and BNB linked to the exploiter had already been deposited into Tornado Cash, the sanctioned crypto mixer. The attacker still controlled additional balances at that time.

Investigation and recovery steps

Garden’s incident report said the protocol engaged EY and zeroShadow, a blockchain forensics firm, to investigate the breach. Garden also reported the incident to local law enforcement.

According to unconfirmed forensic analysis by zeroShadow, the attack was linked with high confidence to the North Korea-affiliated threat actor known as DangerousPassword. This attribution remains a forensic assessment rather than a publicly conclusive law-enforcement determination.

Separately, blockchain investigator ZachXBT alleged that the compromised solver may have been linked to a Garden team member rather than being a fully independent operator. This claim was not addressed in the official incident report and remains unverified.

Why the hack matters for DeFi trust and market sentiment

The Garden breach adds to a growing list of cross-chain bridge exploits that have eroded confidence in DeFi infrastructure. Even when a protocol can truthfully claim that user funds were safe, the operational failure raises questions about solver vetting, infrastructure security, and transparency timelines.

The broader market backdrop underscores the sensitivity. Bitcoin was trading near $76,994 with a 24-hour decline of roughly 1.6% at the time of this story’s market snapshot, while the Fear & Greed Index sat at 28, firmly in “Fear” territory.

Bitcoin Spot Price

$76,994

The BTC market backdrop adds current asset context to a bridge-security story centered on bitcoin-linked liquidity.

For investors tracking how institutions are positioning around crypto, incidents like the Garden hack weigh on sentiment even when direct user losses are avoided. The pattern echoes concerns raised in discussions about major blockchain investment strategies and the operational risks that come with scaling DeFi infrastructure.

Mixer scrutiny and compliance risk

The attacker’s decision to route stolen funds through Tornado Cash ties the Garden incident to an ongoing regulatory debate. Tornado Cash remains under U.S. sanctions, and every high-profile exploit that funnels proceeds through the mixer renews pressure on regulators and DeFi protocols alike.

Garden said it reported the incident to law enforcement. Whether any of the laundered funds can be traced, frozen, or recovered through collaboration with exchanges and forensic firms remains an open question as the investigation continues.

The case also revived criticism of Garden’s broader exposure to illicit bridge flows, a topic that predates this specific exploit and that security researchers had flagged before the October breach. For readers following how long-term holders are navigating the current environment, bridge security remains a material concern.

FAQ: Garden Finance hack, user exposure, and what comes next

Were user funds affected by the Garden hack?
Garden said no user funds were at risk. The breach was isolated to an independent solver operator’s infrastructure, not the protocol’s smart contracts or user-facing liquidity pools.

What exactly was hacked?
The attacker compromised the infrastructure of one of Garden’s independent solver operators, third-party agents that facilitate cross-chain swaps. The core protocol contracts were not exploited.

Did the attacker move funds through Tornado Cash?
Yes. By November 7, 2025, more than $6 million in ether and BNB linked to the exploiter had been deposited into Tornado Cash, according to Protos. Additional balances remained under the attacker’s control at that time.

What should readers watch for next?
Garden engaged EY and zeroShadow for forensic investigation and reported the incident to law enforcement. Any updates on fund recovery, attacker identification, or changes to Garden’s solver security model would be the next developments to monitor.

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Cryptocurrency and digital asset markets carry significant risk. Always do your own research before making any investment decisions.