Hacker Drains $11.58 Million From Verus-Ethereum Bridge

A hacker drained approximately $11.58 million in assets from the Verus-Ethereum Bridge in a single transaction on May 17, 2026 — targeting a cross-chain infrastructure project that had explicitly marketed itself as immune to the kind of smart contract exploit that just gutted it.

The exploit was flagged in real time by blockchain security firm Blockaid, with details subsequently amplified by on-chain intelligence account @coinxtreme_en on X.

According to the post, the drainer wallet — 0x65Cb8b128Bf6e690761044CCECA422bb239C25F9 — received approximately 1,625 ETH worth roughly $3.43 million, 103.57 tBTC worth approximately $7.96 million, and 147,000 USDC in a single outbound transfer. Most of the stolen assets were subsequently converted to ETH through Uniswap, per the X post.

The attack lands with particular force given how Verus positioned its bridge. The project’s homepage carried language stating the bridge was “validated by protocol rules, not custom code” — a direct appeal to users fatigued by smart contract vulnerabilities that have defined DeFi’s most damaging exploits.

The Verus architecture relied on cryptographic proofs, notary witnesses, and protocol-level validation rather than the custom contract logic that attackers have repeatedly targeted across other bridges, per the @coinxtreme_en post. The irony, as the post frames it, is that the “no code to exploit” marketing became the bridge’s most damaging liability once the exploit materialized.

The sequence of events in the 48 hours before the attack raises questions the post describes as smelling like a targeted, sophisticated play rather than opportunistic scanning. Two days prior to the exploit, Verus pushed an emergency update labeled version 1.2.14-2, described by the team as urgent and mandatory, citing an unspecified vulnerability.

According to the @coinxtreme_en post, the attacker’s wallet was funded through Tornado Cash approximately 11 to 13 hours after that announcement — a timing pattern consistent with an actor who had prior knowledge of the vulnerability and used the emergency update window to prepare the attack infrastructure before execution.

The pattern is not new to DeFi. Emergency patches that reveal the existence of a vulnerability without fully closing it have historically provided sophisticated actors with a narrow window to act before the broader community understands the exposure.

Cross-chain bridges remain the most structurally vulnerable layer of decentralized finance, responsible for a disproportionate share of total DeFi losses since 2021. The Verus incident reinforces a principle the nascent sector has paid for repeatedly in nine-figure losses: protocol-level design assumptions, however elegant in theory, are no substitute for formal verification, independent audits, and the operational discipline to pause systems when a credible threat is identified. Another bridge fell. The gap between “unhackable by design” and “unhacked in practice” remains as wide as ever.

As of this writing, the Ethereum price shows signs of further downside after a soft weekend. The cryptocurrency is down around 10% over the past week, and around 3% over the past 24 hours.

Cover image from ChatGPT, ETHUSD chat from Tradingview