On July 15, 2026, blockchain security monitors detected substantial outflows from multiple wallets identified by on-chain analysts as associated with LayerZero Executor operations. PeckShield reported the movements at approximately 08:52 UTC, estimating 2.1 to 2.4 million dollars across Ethereum, BNB Chain, Base, Arbitrum, Avalanche, Optimism, Mantle, and Plasma.
#PeckShieldAlert Specter has reported that @LayerZero_Core Executor wallets appear to have been compromised, resulting in $2.4M worth of crypto drained across multiple chains, including #BNBChain, #Base, #Arbitrum, #Avalanche, #Optimism, #Mantle, #Plasma, and #Ethereum.
The… pic.twitter.com/ZTtAho4Nka
— PeckShieldAlert (@PeckShieldAlert) July 15, 2026
One notable wallet highlighted in explorer data is the Ethereum address 0xe93685f3…d950, labeled as “Layer Zero: Executor.” The assets were bridged and largely converted into 956 ETH, worth around 1.79 million dollars, and 322,000 USDC on Ethereum. Early coverage treated the activity as a potential compromise, but updates clarified it as normal operational rebalancing of gas tokens used for cross-chain message execution. No user funds were at risk, and LayerZero’s core protocol remained unaffected.
Cross-Chain Movements Reconstructed
Analysts tracked outflows from suspected Executor wallets on the listed networks. Transfers utilized standard bridging routes, including those provided by Stargate and Relay protocols, solely as transfer mechanisms. There is no evidence that either protocol was exploited.
A similar distinction was important during the recent Bonzo Lend oracle exploit, where stolen assets moved from Hedera to Ethereum through LayerZero even though LayerZero was not identified as the source of the vulnerability.
Funds converged on Ethereum for consolidation and swaps. No subsequent movements through mixers, unusual exchange deposits, or laundering patterns were reported.
Understanding Executors in LayerZero V2
LayerZero’s documentation defines Executors as off-chain services that handle the delivery and execution of verified omnichain messages. After Decentralized Verifier Networks, or DVNs, confirm a message, Executors call functions such as lzReceive on the destination Endpoint contract and supply the necessary gas tokens. This execution layer is permissionless. Anyone can operate an Executor. It is deliberately separated from verification.
A compromise or rebalancing of an Executor wallet does not enable message forgery or affect the Endpoint contracts. Applications can run their own Executors or forgo automated execution entirely.
The July 15 activity therefore represents operational wallet management rather than a protocol exploit, software vulnerability, or third-party breach. It is distinct from the April 2026 KelpDAO incident, which involved DVN configuration issues.
That separation also differs from incidents such as the Summer.fi LazyVault flash-loan exploit, where liquidity manipulation and vault-accounting logic directly enabled an attacker to extract approximately $6 million.
Loss Estimates and Current Fund Status
Initial estimates ranged from 2.1 million dollars to 2.4 million dollars depending on timing and asset pricing. Following the rebalancing, the consolidated holdings remained in ETH and USDC. No assets have been reported frozen, and there is no indication of theft or user exposure.
LayerZero has not issued a dedicated incident report, consistent with the activity being treated as standard operations. No key rotations, service pauses, or user-loss acknowledgments were required. Ownership of the specific wallets remains attributed by analysts to Executor operations but lacks explicit real-time public confirmation from LayerZero. Core components including the LayerZero Endpoint, messaging contracts, DVNs, Stargate, and Relay show no signs of compromise.



















