
Hacker Drains $11.58 Million From Verus-Ethereum Bridge

A hacker drained roughly $11.58 million in assets from the Verus-Ethereum Bridge in a single transaction on May 17, 2026 — targeting a cross-chain infrastructure project that had explicitly marketed itself as resistant to the kind of smart contract exploit that just gutted it.

The exploit was flagged in real time by blockchain security firm Blockaid, with details subsequently amplified by on-chain intelligence account @coinxtreme_en on X.

According to the post, the drainer wallet — 0x65Cb8b128Bf6e690761044CCECA422bb239C25F9 — received roughly 1,625 ETH worth roughly $3.43 million, 103.57 tBTC worth roughly $7.96 million, and 147,000 USDC in a single outbound transfer. Most of the stolen assets were subsequently converted to ETH through Uniswap, per the X post.

The Marketing That Made The Ethereum Attack Worse

The attack lands with particular force given how Verus positioned its bridge. The project’s homepage carried language stating the bridge was “validated by protocol guidelines, not customized code” — a direct appeal to users fatigued by the smart contract vulnerabilities that have defined DeFi’s most damaging exploits.

The Verus architecture relied on cryptographic proofs, notary witnesses, and protocol-level validation rather than the custom contract logic that attackers have repeatedly targeted across other bridges, per the @coinxtreme_en post. The irony, as the post frames it, is that the “no code to use” marketing became the bridge’s most damaging liability once the exploit materialized.

A Suspicious Timeline

The sequence of events in the 48 hours before the attack raises questions; the post describes it as smelling like a targeted, sophisticated play rather than opportunistic scanning. Two days prior to the exploit, Verus pushed an emergency update labeled version 1.2.14-2, described by the team as urgent and mandatory, citing an unspecified vulnerability.

According to the @coinxtreme_en post, the attacker’s wallet was funded through Tornado Cash roughly 11 to 13 hours after that announcement — a timing pattern consistent with an actor who had prior knowledge of the vulnerability and used the emergency update window to prepare the attack infrastructure before execution.

The pattern is not new to DeFi. Emergency patches that reveal the existence of a vulnerability without fully closing it have historically provided sophisticated actors with a narrow window to act before the broader community understands the exposure.

Cross-chain bridges remain probably the most structurally vulnerable layer of decentralized finance, responsible for a disproportionate share of total DeFi losses since 2021. The Verus incident reinforces a principle the nascent sector has paid for repeatedly in nine-figure losses: protocol-level design assumptions, however elegant in theory, are no substitute for formal verification, independent audits, and the operational discipline to pause systems when a credible threat is identified. Another bridge fell. The gap between “unhackable by design” and “unhacked in practice” remains as wide as ever.

As of this writing, the Ethereum price shows signs of further downside after a soft weekend. The cryptocurrency is down around 10% over the past week, and around 3% over the past 24 hours.
