32 minutes of transaction history wiped out! Litecoin suffers "13-block reorg"… The hacker's move was brutal

Author: Max, Crypto City Privacy protocol MWEB hit by severe vulnerability, 13 blocks erased and rewritten The veteran public chain Litecoin encountered a major security challenge on the evening of April 25. According to the latest information provided by the Litecoin Foundation, the network experienced a rare deep chain reorganization, resulting in 13 blocks being erased and rewritten. The root cause of this incident stems from hackers exploiting a vulnerability in the Litecoin MimbleWimble Extension Block (MWEB) privacy protocol to launch a meticulously planned attack on the network. According to blockchain data, the affected block heights ranged from 3,095,930 to 3,095,943, which translates to approximately 32 minutes of transaction history being corrected during the reorganization process. This incident marks the first large-scale technical attack on the MWEB protocol since its official launch in May 2022. In a post-incident statement, the development team noted that although a block reorganization occurred, valid transactions conducted during the affected period were not impacted and have been re-included in the main chain record. The primary purpose of this reorganization was to correct invalid transactions generated by the vulnerability and prevent illicit funds from entering the market. Currently, Litecoin has urgently released the Core v0.21.5.4 version update and has requested all nodes and mining pools to complete the upgrade as soon as possible to prevent the risk of potential secondary attacks. DoS attacks combined with double-spending, cross-chain protocols become primary victims Further analysis of the attack methodology reveals that this was a composite attack combining traffic suppression and financial arbitrage. Hackers first launched a large-scale Denial-of-Service (DoS) attack on mining pools that had already updated their software, successfully suppressing the Hashing Power of these pools and preventing them from participating in block production. During this vacuum period, nodes running older software became the temporary dominant force of the network. Since old nodes could not identify the vulnerability in the new protocol, hackers used this to send invalid MWEB transactions (Peg-out) into the network and successfully diverted these virtual assets to decentralized exchanges (DEX) and cross-chain swap protocols. Hackers exploited the fork window to deposit assets that would eventually be deemed invalid into cross-chain bridges or exchange platforms, completing the asset transfer before the block reorganization occurred. This type of technique is a classic "double-spend" attack. Alex Shevchenko, CEO of Aurora Labs, pointed out that this attack demonstrated a high degree of coordination, with victims including well-known protocols such as NEAR Intents, with preliminary estimated losses reaching 600,000. Such attacks targeting Layer 1 networks have cast serious doubt on the security of these networks as collateral for cross-chain assets. Zero-day vulnerability or a delayed update? GitHub records spark controversy Although Litecoin officially characterized this incident as a "zero-day" vulnerability—meaning a flaw unknown to developers before the attack occurred—security researchers have raised different views. Researcher bbsz from the crypto security response team SEAL911 reviewed Litecoin's code commit history on GitHub and discovered that the consensus vulnerability leading to the invalid MWEB transactions had already been privately patched between March 19 and March 26, 2026. This record indicates that the development team was aware of the risk a month before the attack occurred but failed to complete a full network upgrade in time. This time gap left an opening for hackers. Researchers pointed out that the hackers precisely identified which mining pools had not yet updated and used DoS attacks to kick the updated pools out of the competition queue, allowing vulnerable old nodes to endorse their actions. Furthermore, on-chain records show that a Binance wallet address provided funds to the attacker's wallet 38 hours before the attack, and the address was pre-configured to convert assets into Ethereum. All signs indicate that this was a targeted strike against the developers' patching window, exposing the challenges of Proof-of-Work (PoW) networks in decentralized governance and emergency update speed. AI threats intensify, PoW network update efficiency faces a test The Litecoin hack reflects a new test for the cryptocurrency industry following the widespread adoption of artificial intelligence. The Litecoin Foundation mentioned that the frequency of zero-day vulnerability discoveries has risen significantly, partly because AI systems like Claude Mythos developed by Anthropic have gradually surpassed human engineers in their ability to identify software vulnerabilities and attack surfaces. For networks like Litecoin that rely on independent mining pools for autonomous upgrades, completing full network synchronization before hackers can use AI to discover vulnerabilities and launch attacks has become the key to survival. Compared to emerging chains with higher degrees of centralization, traditional PoW networks still have room for improvement in their response speed when facing emergency security threats. Even though the network has returned to normal operation, the market remains highly vigilant regarding this incident. The price of Litecoin (LTC) fell to around 56 after the news broke,