Gnosis Pay, a crypto payments platform built on the Gnosis chain, was hit by a hack on 1 June that allowed attackers to initiate transactions from connected Safe wallets via a compromised module, days after a separate attack targeted another wallet extension tied to the Gnosis ecosystem.
Second Gnosis Ecosystem Hack in Days Targets Gnosis Pay
Gnosis is an Ethereum sidechain with more than $65mn in total value locked (TVL) and roughly $470mn in stablecoins, according to DefiLlama data. Gnosis Pay, developed by the Gnosis ecosystem, lets users spend crypto through a Visa debit card connected to self-custodial Safe Wallet accounts.
Gnosis has not disclosed the amount of funds potentially stolen in the 1 Jun attack, the number of affected users, or whether the exploit has been fully contained. In an X post, Köppelmann said the company would reimburse users for any losses linked to the incident.
Gnosis (GNO), the protocol's native token, was down about 5% at $109 as of 16:27 UTC on 1 Jun, according to CoinGecko data. The token had earlier fallen to around $106 following reports of the exploit before rebounding.
Last week's attack drained around $3mn from dozens of Safe wallets across Ethereum and Base. Notably, the two incidents involved different vulnerabilities, though both targeted software modules connected to wallet infrastructure used within Gnosis.
What happened?
According to Köppelmann, the attacker in the 1 Jun hack was able to initiate transactions from Safe wallets carrying Gnosis Pay's "Delay Module," one of the security features intended to protect users from unauthorized transactions.
Gnosis Pay's Delay Module works by adding a three-minute wait before transactions are completed, giving users a chance to spot and stop suspicious activity. Meanwhile, the Roles Module sets rules around how funds can be spent, such as spending limits and which assets can be used.
Köppelmann said Gnosis was working to stop the attack and had asked bridge validators to pause activity to help prevent more funds from being moved.
He explained that most users would not be able to move their funds, but that the team believed it could contain the majority of the hack, adding that "in any case, we will ensure that all users are made whole."
Blockchain security firm PeckShield also warned Gnosis Pay users about the exploit in a post on X, urging them to review their exposure and withdraw accessible EURe and GNO tokens.
Security risks remain a challenge
The exploit comes as crypto projects continue to face security breaches, particularly in software that connects digital wallets to blockchain networks.
According to PeckShield, hackers stole about $81.7mn across 40 major crypto attacks in May. Cross-chain and bridge-related attacks accounted for more than $33mn in losses.
The latest incident also comes more than a year after exchange operator Bybit lost around $1.5bn, widely considered the largest crypto theft on record. That attack, which occurred in February 2025, was linked to North Korea's Lazarus Group and also involved a vulnerability in Gnosis Safe's web infrastructure.