Echo Protocol Suffers $76M Monad Exploit via Compromised Admin Key


Echo Protocol, a Bitcoin liquidity aggregation and yield infrastructure platform, was hit by an exploit on its Monad blockchain deployment on May 19, 2026, after an attacker minted 1,000 unauthorized eBTC tokens worth approximately $76.7 million. The protocol's investigation revealed that a compromised admin key on the Monad deployment enabled the unauthorized minting activity. Approximately $816,000 of the stolen funds were ultimately laundered through Tornado Cash, a coin mixer, highlighting the cross-chain security risks facing DeFi platforms.

Blockchain security firm PeckShield flagged the incident, citing onchain researcher dcfgod. The attacker deposited 45 eBTC ($3.45 million) into Curvance, then borrowed approximately 11.29 WBTC ($867,700) against the collateral. The hacker subsequently bridged the WBTC to Ethereum, swapped it for ETH, and sent 384 ETH (~$821,700) to Tornado Cash.

## Attack Mechanics

The exploit followed a pattern common in cross-chain protocols: a single compromised credential unlocked minting privileges across an entire deployment. eBTC is Echo Protocol's wrapped Bitcoin representation on Monad, designed to bring Bitcoin liquidity into DeFi applications on that blockchain. With the admin key in hand, the attacker minted eBTC that was backed by no Bitcoin at all, posted a portion of it as collateral on Curvance, borrowed real WBTC against it, and moved that value off Monad to Ethereum.

## Echo Protocol's Response

Echo Protocol confirmed the breach and stated that its investigation "indicates the issue originated from a compromised admin key affecting the Monad deployment." The team said the Monad network itself was not impacted and continues to operate normally.

Based on current findings, approximately $816,000 was impacted on Monad. Echo Protocol has "successfully regained control of our admin keys and burnt the remaining 955 eBTC that was in the attacker's possession."

The incident appears isolated to Monad, with "no evidence of compromise on Aptos," according to Echo. aBTC on Aptos and eBTC on Monad are separate, non-bridgeable assets. Current Aptos exposure is limited to approximately $71,000 across Echo lending markets and Hyperion liquidity pools, with no confirmed loss of funds on that chain.

## Remedial Actions

Echo Protocol has implemented the following measures:

- Paused cross-chain functionality for the Monad deployment
- Completed an upgrade of relevant Monad contracts "to restrict affected operations and strengthen control over sensitive functions"
- Fully paused the Aptos bridge as a precaution despite no observed impact
- Suspended Echo Aptos Lending for security
- Upgraded EVM-series bridge deployments "to further strengthen cross-chain controls and reduce operational risk"
- Performing a comprehensive review of the affected Monad deployment and related bridge infrastructure, including admin key exposure, contract permissions, cross-chain controls, and minting controls, alongside ecosystem partners and external security reviewers
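The root cause described under Attack Mechanics, and the remediation goals listed above (restricting sensitive functions, tightening minting controls), can be made concrete in contract code. The following is an added example written for this article; it is not Echo Protocol's code and assumes nothing about the real eBTC contract. It contrasts the weak pattern, where one admin key can mint without limit, with a hardened pattern that separates the admin role from the minter role, caps how much can be minted per epoch, adds a guardian that can only pause, and uses a two-step admin transfer. Contract names, role names and the cap parameters are all constructed for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Weak pattern (constructed illustration): one admin key mints with no limit,
/// no delay and no pause. If that key is stolen, the attacker can create any
/// amount of "wrapped" tokens backed by nothing.
contract WrappedBtcSingleKey {
    address public admin;
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    constructor() { admin = msg.sender; }

    function mint(address to, uint256 amount) external {
        require(msg.sender == admin, "not admin");
        balanceOf[to] += amount;   // unbounded: a compromised key mints freely
        totalSupply += amount;
    }
}

/// Hardened pattern (added example, hypothetical names): roles are split,
/// minting is rate-limited per epoch, and a guardian key can halt minting.
contract WrappedBtcGuarded {
    address public admin;          // governs roles; should be a multisig behind a timelock
    address public pendingAdmin;   // two-step transfer so control cannot be handed away by mistake
    address public guardian;       // may only pause; cannot mint or change roles
    mapping(address => bool) public isMinter;
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;
    bool public paused;

    uint256 public immutable mintCapPerEpoch;  // hard ceiling on new supply per epoch
    uint256 public immutable epochLength;      // epoch length in seconds
    uint256 public mintedThisEpoch;
    uint256 public epochStart;

    event Minted(address indexed minter, address indexed to, uint256 amount);
    event Paused(address indexed by);

    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }
    modifier whenNotPaused() { require(!paused, "paused"); _; }

    constructor(address _guardian, uint256 _cap, uint256 _epochLength) {
        admin = msg.sender;
        guardian = _guardian;
        mintCapPerEpoch = _cap;
        epochLength = _epochLength;
        epochStart = block.timestamp;
    }

    // Role management: the admin key itself never mints, so compromising it
    // alone does not immediately create tokens.
    function setMinter(address who, bool allowed) external onlyAdmin { isMinter[who] = allowed; }
    function transferAdmin(address next) external onlyAdmin { pendingAdmin = next; }
    function acceptAdmin() external {
        require(msg.sender == pendingAdmin, "not pending admin");
        admin = pendingAdmin;
        pendingAdmin = address(0);
    }

    // The guardian or admin can halt minting at once; only the admin can resume.
    function pause() external {
        require(msg.sender == guardian || msg.sender == admin, "not guardian");
        paused = true;
        emit Paused(msg.sender);
    }
    function unpause() external onlyAdmin { paused = false; }

    // Minting is bounded per epoch, so even a stolen minter key cannot create
    // more than mintCapPerEpoch before the cap resets and monitoring can react.
    function mint(address to, uint256 amount) external whenNotPaused {
        require(isMinter[msg.sender], "not minter");
        if (block.timestamp >= epochStart + epochLength) {
            epochStart = block.timestamp;
            mintedThisEpoch = 0;
        }
        require(mintedThisEpoch + amount <= mintCapPerEpoch, "epoch mint cap exceeded");
        mintedThisEpoch += amount;
        balanceOf[to] += amount;
        totalSupply += amount;
        emit Minted(msg.sender, to, amount);
    }
}
```

The point of the second contract is not any single control but the combination: a cap turns an unbounded loss into a bounded one, the `Minted` event gives monitoring something to alert on, and a guardian that can pause but not mint means the response key does not itself become a second minting key worth stealing. Setting the cap is a product decision; it should reflect legitimate daily bridge volume so that routine operations are never blocked while an anomalous mint is.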

## Industry Context

The Echo Protocol breach adds to mounting pressure on DeFi security. Recent exploits include attacks on THORChain and TrustedVolumes. Last month, KelpDAO suffered a $293 million infrastructure-linked attack, attributed to North Korea's Lazarus Group.

Misha Putiatin, co-founder of Symbiotic and smart contract security firm Statemind, told Decrypt that the industry should expect more incidents of this kind as protocols lean harder on off-chain components. "As DeFi protocols become increasingly dependent on off-chain infrastructure, we're likely to see a resurgence of 'Web2.5' style attacks targeting centralized key management, databases, and operational infrastructure," Putiatin said.

Calling it a "balancing act," Putiatin noted that systems with "more involved management" become increasingly vulnerable to social engineering and infrastructure attacks compared with "fully permissionless systems."

Putiatin said centralized and off-chain components of DeFi protocols have historically been "treated as secondary risk areas," but expects that to shift. "We'll likely see far more focus on operational infrastructure, key management, and internal security frameworks, similar to how smart contract audits became standard after the 2021 exploit cycle," he said.

Disclaimer: The information on this page may come from third-party sources and is for reference only. It does not represent the views or opinions of Gate and does not constitute any financial, investment, or legal advice. Virtual asset trading involves high risk. Please do not rely solely on the information on this page when making decisions. For details, see the Disclaimer.