- Hackers drained over $5.5 million from Garden Finance across multiple networks
- SEED token plunged 64% after the attack triggered heavy sell pressure
- A DPRK-linked group called “Dangerous Password” is suspected to be behind the breach
Garden Finance has become the latest victim of a cryptocurrency theft, with attackers extracting at least $5.5 million from assets spanning several blockchains.
The exploitation of cross-chain bridges not only rattled investors but also renewed concerns about the security of decentralized finance (DeFi) infrastructure.
Bridge exploit spreads across multiple networks
The Garden Finance exploit unfolded quickly, draining millions of dollars from several blockchains, including Arbitrum and Solana.
ZachXBT, a blockchain researcher, was the first to identify unauthorized withdrawals, warning that losses could ultimately exceed $10 million once all affected chain accounts are accounted for.
The attacker used a MetaMask router—a fast but costly swapping tool—to immediately convert stolen tokens, including wrapped ETH (wETH), wrapped Bitcoin (WBTC), Lombard-locked BTC, cbBTC and Garden’s native SEED token, into Ethereum (ETH).
🚨ALERT🚨Our system detected that @gardenfi has been hacked ~$6M across multiple chains.
Most of the stolen funds are in $WBTC, $USDC, $USDT and other digital assets.
However, most of the freezable assets are swapped to $ETH.
Team sent on-chain message to hacker offering 10%… pic.twitter.com/76YbG6aPK7— 🚨 Cyvers Alerts 🚨 (@CyversAlerts) October 30, 2025
The rapid swaps hindered any freezing or recovery attempts, as the assets were immediately distributed through decentralized exchanges.
Garden Finance later confirmed the breach in an on-chain message, stating that its systems had been compromised across multiple networks.
The team offered the attacker a 10% white-hat bounty in exchange for returning funds and disclosing the vulnerability.
Despite the offer, the attacker has not responded.
ZachXBT links the hack to a DPRK-backed group
Investigations led by ZachXBT and other blockchain analysts point to a hacker group associated with North Korea, known as “Dangerous Password,” as a likely perpetrator of the exploit.
The group has been tied to several recent cross-chain incidents that targeted smaller protocols with quickly tradable, liquid assets.
Just days before the Garden breach, ZachXBT alleged that certain protocols were facilitating money laundering, claiming up to 25% of some on-chain flows linked to assets previously stolen in hacks on Bybit and Swissborg. He highlighted this issue in a post.
Another security researcher accused DPRK-linked actors of widely using the Garden bridge to move illicit funds.
These findings have cast a shadow over Garden Finance’s recent achievements.
Earlier this month, Garden Finance proudly announced that it had bridged over $2 billion in token value. However, revelations that a significant portion of on-chain activity may originate from illicit sources severely damaged its reputation.
Ironically, Garden Finance—previously criticized for allegedly facilitating laundering—fell victim to the very type of attack it was accused of enabling.
Observers compared the situation to THORChain, which was similarly accused of enabling North Korean hacking groups before itself becoming a target.
ZachXBT emphasized this irony in his investigation, noting that the Garden team reportedly earned “high six-figure” fees from transfers tied to illicit funds while failing to assist victims in earlier incidents.
He argued the exploit serves as a stark reminder of the risks faced by protocols that neglect compliance and transparency.
With estimated losses between $5.5 million and $10.8 million and the SEED token free-falling, Garden Finance faces a long recovery road ahead.
Whether the attacker takes the offered 10% or vanishes with the funds, the breach underlines the urgent need for stronger bridge security.
SEED token collapses amid panic
The fallout was immediate. The attacker dumped stolen SEED tokens into a low-liquidity pool on Uniswap, driving the price down 64% to $0.1928 and shrinking market capitalization to about $2.5 million.
Although the token later recovered slightly to roughly $0.23, it remained down 57% from the previous day’s close.
The shallow liquidity amplified the selling pressure, eroding investor confidence and prompting intensified scrutiny of the protocol’s risk controls.