- A zero-day MWEB bug let attackers double-spend LTC across multiple DEX protocols.
- NEAR Intents confirmed $600,000 exposure and said users will be fully covered for loss.
- The 13-block reorg took over three hours and reversed all invalid transactions on the chain.
Litecoin suffered an attack this weekend. A zero-day vulnerability was exploited in a coordinated operation that knocked major mining pools offline, triggered a 13-block reorganization of the chain, and enabled double-spend attacks across multiple cross-chain swapping protocols.
The attack targeted a bug in Litecoin’s MWEB privacy transaction layer. Non-upgraded mining nodes accepted an invalid MWEB transaction, allowing attackers to peg coins out to third-party decentralized exchanges. The 13-block reorg, which took more than three hours to generate, ultimately reversed those invalid transactions, so they do not appear in the main chain.
Key facts from Litecoin’s official update:
- A zero-day bug caused a denial-of-service attack that disrupted major mining pools
- Invalid MWEB transactions allowed coins to be pegged out to third-party DEXs
- A 13-block reorg reversed all invalid transactions from the main chain
- All valid transactions during the period remain fully unaffected
- The bug is now patched, and the network is operating normally
The Damage
The most concrete financial impact landed on NEAR Intents, a cross-chain protocol caught in the double-spend window. The platform confirmed exposure of around $600,000, adding that users will not bear those losses as the protocol will cover them directly.
Investigators are recommending that all trading venues handling LTC audit their transactions and holdings from the affected period, noting that a significant number of double-spend transactions have been identified across the chain.
Inside Job? The Evidence Is Uncomfortable
Aurora developer Alex Shevchenko published a detailed breakdown that raises questions the official zero-day framing does not fully answer.
Shevchenko’s concerns in summary:
- Attacker’s wallet was funded 38 hours before the exploit via Binance
- The DoS attack and the MWEB bug were two separate but coordinated mechanisms
- Automatic recovery proves upgraded nodes existed, meaning the bug was known
- RPC providers like QuickNode were apparently not informed, despite miners being updated
- Someone may have known precisely which miners had and had not upgraded
“Any chance the attacker knew who upgraded and who didn’t?” Shevchenko wrote publicly.
Litecoin’s core team has not addressed the inside job question directly. The patch is live, the network is running normally, and the invalid transactions have been erased from the chain.
Source: https://coinedition.com/litecoin-network-hit-by-zero-day-attack-in-coordinated-double-spend-operation/








