Stablecoin infrastructure has become a defining battleground in global financial security. As institutional adoption has accelerated, so has the sophistication of threats targeting it, from opportunistic attackers exploiting bridges, custody systems, and payment infrastructure, to state-adjacent actors deliberately constructing parallel financial networks to circumvent Western sanctions. CertiK's Skynet 2026 Stablecoin Threat Intelligence Report examines both dimensions of that threat in detail.
The first section of the report documents emerging exploit trends across stablecoin-related infrastructure. Bridge-related incidents have totaled over $328 million in losses so far in 2026, with wallet compromise overtaking code vulnerabilities as the dominant exploit vector by value. As stablecoins integrate deeper into traditional financial systems, the attack surface is expanding beyond DeFi, with attackers increasingly targeting compliance infrastructure, KYC providers, and payment APIs in patterns that more closely resemble traditional financial crime than earlier crypto exploits.
The second section provides the most comprehensive public analysis to date of A7A5, a Russian-ruble-backed stablecoin that has become the operational backbone of Russia's crypto economy. Within one year of its January 2025 launch, A7A5 processed more than $110 billion in cumulative on-chain transactions and captured approximately 43% of the global non-USD stablecoin market. Co-owned by sanctioned oligarch Ilan Shor and Russian state-owned defense lender Promsvyazbank, and designed explicitly to replicate the architecture of Tether's USDT while placing every critical layer outside Western enforcement reach, A7A5 is now the subject of the most coordinated multi-jurisdictional sanctions response ever applied to a single cryptocurrency.
Key Findings
- Bridge and interoperability protocols remain the highest-value attack surface. Bridge-related incidents in 2026 have totaled over $328 million in losses, with the Kelp DAO wallet compromise alone accounting for $291.3 million in April 2026.
- Wallet compromise has overtaken code vulnerabilities as the dominant exploit vector. Across the largest 2026 DeFi incidents, wallet compromise was responsible for the majority of losses by value, reflecting a shift toward targeting operational and custody security rather than on-chain logic.
- A7A5 achieved rapid, large-scale adoption. Within one year of launch, A7A5 processed more than $110 billion in cumulative on-chain transactions and captured approximately 43% of the global non-USD stablecoin market.
- Sanctioned ownership exists at every layer. A7A5's issuer, collateral bank, and transaction platform are all under overlapping U.S., U.K., and EU sanctions designations, with no independent reserve attestation published.
- A7A5 became the first cryptocurrency explicitly named in an EU transaction ban, under the 19th sanctions package effective November 25, 2025, followed by broader categorical prohibitions in the EU's 20th package effective May 24, 2026.
- Enforcement has structural limits. Despite multi-jurisdictional action, A7A5 holder counts grew continuously from approximately 13,000 to 29,000 between February 2025 and May 2026, with no observable inflection at any sanctions event.
- The African expansion is the most urgent unresolved risk. A7 has established offices in Nigeria and Zimbabwe, with no African jurisdiction formally engaged by OFAC, HM Treasury, or the EU on A7A5-related exposure, creating potential secondary-sanctions risk for Western-aligned banks in those markets.
Read the full report to learn more about stablecoin exploit trends, the A7A5 case study, and best practices for compliance and risk teams.
FAQs
What are the biggest stablecoin security threats in 2026?
The report identifies two converging threats: opportunistic attacks on interconnected financial infrastructure, particularly bridges and custody systems, and the deliberate construction of sanctions-evasion networks by state-adjacent actors. Both are escalating in scale and sophistication.
How much have bridge-related exploits cost in 2026?
Bridge-related incidents have totaled over $328 million in losses so far in 2026. The Kelp DAO wallet compromise in April 2026 accounted for $291.3 million of that figure alone.
What is A7A5 and why does it matter?
A7A5 is a Russian-ruble-backed stablecoin co-owned by sanctioned oligarch Ilan Shor and Russian state-owned defense lender Promsvyazbank. It was designed to replicate the architecture of compliant stablecoins while operating entirely outside Western enforcement reach. Within one year of launch, it processed over $110 billion in transactions and captured 43% of the global non-USD stablecoin market, making it the most consequential sanctions-evasion instrument documented in the digital asset space to date.
Has international enforcement been effective against A7A5?
The response has been unprecedented in scope, with A7A5 becoming the first cryptocurrency explicitly named in an EU transaction ban. However, on-chain data shows holder counts grew continuously throughout the enforcement period, with no observable response to any sanctions event. The user base is structurally non-Western and largely insulated from Western enforcement pressure.
What is the most urgent unresolved risk identified in the report?
The geographic expansion of the A7 network into Africa. A7 has established offices in Nigeria and Zimbabwe, and Russian officials have publicly invited African nations to join the network. No African jurisdiction has been formally engaged by OFAC, HM Treasury, or the EU on A7A5-related exposure, leaving Western-aligned correspondent banks in those markets without formal guidance on their secondary-sanctions risk.