
Wallet compromise overtakes code exploits as top DeFi threat; A7A5 captures 43% of non-USD stablecoin market despite sanctions. African expansion creates secondary sanctions risk.
Two risks are reshaping the stablecoin security landscape in 2026, according to a threat intelligence report from Skynet shared with Finbold on June 3, 2026. The first is a surge in sophisticated attacks on cross-chain bridge and custody infrastructure. The second is the rapid expansion of A7A5, a Russian-ruble-backed stablecoin built by sanctioned actors to circumvent Western enforcement.
Cross-chain bridges remain the highest-value attack surface in the stablecoin ecosystem. Bridge-related incidents in 2026 have so far totaled over $328 million in losses. The Kelp DAO wallet compromise alone accounted for $291.3 million in April. Wallet compromise has overtaken code vulnerabilities as the dominant exploit vector across major DeFi incidents.
The report identifies five expanding attack categories: cross-chain bridge and interoperability protocols, custody and treasury infrastructure, composability risk within DeFi integrations, payment-focused and stablecoin-specific chains, and compliance and identity infrastructure.
The last category marks a shift. Attackers are increasingly targeting KYC providers, payment APIs, and sanctions screening systems in patterns that more closely resemble traditional financial crime than earlier crypto exploits.
Among the 20 largest DeFi incidents of 2026, Drift Protocol on Solana recorded $285.3 million in losses from a wallet compromise on April 1. Step Finance and Resolv each suffered wallet compromise losses exceeding $26 million.
Other major incidents included price manipulation exploits against Rhea Finance ($18.5 million) and YieldBlox ($10.6 million), alongside code vulnerability exploits at Swapnet ($13.3 million), Verus ($11.5 million), and Thorchain ($10.1 million) across multiple chains.
Wallet compromise was responsible for over 85% of the total bridge losses. Attackers have adapted to code audits and are now targeting operational security: private key management, multisig setups, and custody provider endpoints.
A7A5 launched in January 2025 by Old Vector LLC, a Kyrgyz entity acting on behalf of Russian cross-border settlement firm A7 LLC. A7 LLC is co-owned by sanctioned Moldovan-Russian oligarch Ilan Shor, convicted in connection with the theft of about $1 billion from three Moldovan banks in 2014, and Promsvyazbank, a Russian state-owned bank serving the defence-industrial complex.
Within a year of launch, A7A5 processed more than $110 billion in cumulative on-chain transactions and captured approximately 43% of the global non-USD stablecoin market.
The stablecoin emerged as a direct institutional response to Western sanctions pressure following Tether’s freeze of about $26–$28 million in USDT held by sanctioned exchange Garantex in March 2025. Its issuer, collateral bank, and transaction platform are all under overlapping US, UK, and EU sanctions designations. No independent reserve attestation has been published.
The report documents a volume spike of about 102.7 billion tokens on May 14, 2026 – exactly ten days before the EU’s 20th sanctions package crypto provisions entered into force. The report suggests that commercial actors were clearing cross-border positions ahead of the deadline.
Despite coordinated multi-jurisdictional enforcement, including the EU’s 19th sanctions package naming A7A5 as the first cryptocurrency ever placed under an explicit transaction ban, holder counts grew continuously from about 13,000 to 29,000 between February 2025 and May 2026. No observable inflection occurred at any sanctions event.
The primary A7A5 trading venue, Grinex, was hacked for about $15 million in April 2026 and suspended operations. The report flags that the ecosystem currently lacks a comparable alternative at scale. A7A5 holders face reduced liquidity and wider spreads, which could increase price dislocation during stress events.
The hack removes a key pressure point for enforcement. With Grinex down, sanctioned actors may need to use other venues, potentially exposing themselves to monitoring. The report does not indicate any collapse in A7A5 usage post-hack.
The report flags African expansion as the most urgent unresolved risk. Russia has established A7 offices in Nigeria and Zimbabwe, with Togo potentially next. PSB Deputy Chairman Dorofeev visited Madagascar in January 2026 for discussions with its new military government.
No African jurisdiction has been formally engaged by OFAC, HM Treasury, or the EU on A7A5-related exposure. This creates potential secondary sanctions risk for Western-aligned correspondent banks operating in those markets. If a bank in Nigeria processes A7A5-related transactions through a U.S. correspondent account, it could face enforcement.
Several developments could shrink A7A5's adoption:
Conversely, several developments could expand A7A5's reach:
For traders and compliance teams, the Skynet report provides a concrete framework for monitoring two separate but interacting risks. Bridge attack vectors are shifting from code to key management. A7A5 is growing despite sanctions, with its primary venue crippled by a hack. The African expansion is the next catalyst to watch.
For deeper analysis of the stablecoin regulatory landscape, see UK stablecoin rules risk market lag. For broader crypto market context, see our crypto market analysis.
Prepared with AlphaScala editorial tooling from the source reporting linked above. Indexable analysis may include a cited Alpha Score value. Publishing checks screen each story before release. Educational coverage, not personalized advice.