A Privacy Chain Got Robbed for $4.67M and Didn't Notice for Seven Days
Secret Network encrypts every balance by default. That is the entire product. So when an attacker minted $4.67 million in tokens backed by nothing, the missing money did not show up anywhere. The chain hid the theft from its own team for a full week. The privacy worked perfectly. That was the problem.

Secret Network sells one thing above all else: privacy. It is a Cosmos-based layer-1 that encrypts balances by default, so nobody can see what anyone holds. That is the pitch. That is the reason it exists. In June 2026 that exact feature let a $4.67 million theft hide in plain sight for seven days, because on a chain where nothing is visible, an empty vault looks exactly like a full one.
The bug was in a modified CW20-ICS20 token contract on the Secret side of a bridge connecting it to Axelar, the interoperability network. The contract's job was to mint Secret-wrapped versions of Axelar-bridged assets - tokens called saTokens, each one supposed to be backed 1:1 by a real asset held in escrow. saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, sawstETH. Every wrapped token was a claim on something real sitting in a vault.
The contract had one job and it skipped a step. It minted saTokens without verifying where the inbound transfer actually came from. So an attacker forged deposits over a channel they controlled, and the contract dutifully minted genuine saTokens with nothing behind them. Infinite mint. Free money that looked identical to real money. Then the attacker took those unbacked saTokens, redeemed them through Axelar's completely legitimate channels, and walked off with the real assets held in escrow.
This is where the privacy chain turned on itself.
The exploit happened on June 10. On a normal blockchain, a drained escrow account is visible. Anyone watching the on-chain balances sees the collateral vanish and raises the alarm. But Secret encrypts balances by default. The missing money did not show up on-chain because on Secret, no money shows up on-chain. The theft was cryptographically hidden by the same feature users pay for. The team did not know. Nobody knew.
It surfaced on June 17, and not because anyone caught the thief. A routine cross-chain transaction simply failed. The error was "insufficient funds." An account that was supposed to be full was empty. Investigators pulled the thread and traced the shortfall back seven days to a handful of suspicious withdrawals on June 10. The privacy chain only discovered it had been robbed when it tried to spend money that was no longer there.
The details got worse from there. Common Prefix, the research firm that analyzed it, found the flawed logic had been sitting in the code since 2023. It survived a March 2026 migration untouched. And Secret Network never requested an outside audit when the bridge was first built. A privacy protocol asked no one to check its most sensitive minting logic, then encrypted the evidence when that logic failed.
The attacker moved the stolen assets to Ethereum, swapped them into ETH through Osmosis and a DEX, split the haul across roughly 30 fresh wallets, and funneled it into exchanges including KuCoin, ChangeNow, and HitBTC. Standard laundering. Nothing exotic. They did not need to be clever, because the seven-day head start did the work.
Axelar confirmed the loss on June 19 and moved fast to contain it, disabling the Secret and Secret-SNIP connections within hours. But the company was firm on one point, repeated in every statement: neither Axelar nor the IBC protocol was compromised. The broken contract "was not developed, deployed, or maintained by Axelar." Axelar's firewalling kept the damage from spreading to other chains. All true, and all cold comfort to anyone holding saTokens on Secret, which the network warned "may be lost."
There was a recoverable piece. Secret Network said roughly $770,000 of the stolen funds still sat in the attacker's wallet on Axelar. Secret flagged it, called it recoverable, and asked the Axelar team to freeze it or coordinate a community freeze. Axelar decided not to pursue that request. The $770,000 stayed where it was.
SCRT, the native token, was never touched by the exploit and actually ticked up a few percent afterward. It also sits about 99% below its 2021 peak, which tells you how much the market was paying attention. The saToken holders absorbed the loss. The privacy held. The money did not.
The Aftermath
Axelar disabled the Secret and Secret-SNIP connections within hours of confirming the loss on June 19 and gave no timeline for restoring them, while coordinating with exchanges and law enforcement to trace the funds. The vulnerable contract was patched. Secret Network warned that holders of Axelar-bridged saXXX tokens may have lost their backing entirely. Roughly $770,000 remained recoverable in the attacker's Axelar wallet, but Axelar declined Secret's request to freeze it. The native SCRT token was never affected and actually rose slightly after disclosure, though it remains around 99% below its 2021 all-time high. The incident became a case study in how privacy-by-default can delay breach detection - the same encryption that protects users hid the shortfall until a failed transaction forced it into the open a week later.
COMMENTS