Adshares hacker returns 86% of $628K loot as analysts expose post-hack vulnerabilities

The attacker behind the Adshares bridge exploit on May 17 has returned 256 ETH (roughly $540,700) to the project’s deployer address, covering about 86% of the estimated $628,000 loss, according to PeckShieldAlert.

However, despite the news of the partial refund being a form of relief for the project and the DeFi space, which is seeing increased attacks from bad actors, security researchers warn that platforms and users should also be wary and alert, as post-hack recovery periods also attract scammers who prey on affected users.

How did the Adshares exploit happen?

According to security researcher and founder of web3 security platform CD Security, Chris Dior, who was among the first to flag the Adshares incident on May 16, the root cause was a failure in bridge mint validation.

“The bridge-minter EOA signed 3 wrapTo() calls with non-existent native-chain txids, minting fake wADS to the attacker. Attacker dumped the wADS for ~148.5 ETH and ~$305K USDC on Ethereum,” Dior wrote on X.

DeFiLlama’s exploit database categorizes the May 16 incident as a protocol-logic failure using a “Bridge Verification Bypass” technique, with a $628,000 total loss on Ethereum. This infers that the vulnerability was from the bridge’s cross-chain proof-checking layer and not a market-trading or oracle-related flaw.

Adshares managed to get a partial refund

Exploiters returning a certain percentage of their loot and keeping a smaller percentage is not new in the DeFi space. However, it seems this white hat route is gaining more popularity as some have been executed successfully. The Adshares partial refund follows that pattern.

However, it has not been confirmed if Adshares offered formal bounty terms or whether the attacker returned funds voluntarily as of the time of writing.

Another platform that recently recovered part of its exploited funds is TAC, a cross-chain protocol bridging TON and Ethereum. After losing $2.8 million on May 12, TAC offered the attacker a 10% bounty to return the remainder. The exploiter accepted, and TAC reclassified the event as a white hat incident, dropping litigation in coordination with security partners and law enforcement.

The Verus team has also extended a white hat offer to the attacker who launched an $11.5 million exploit against the platform, as reported by Cryptopolitan.

So far, the Adshares team has not published a public statement addressing the exploit, released a postmortem, issued an official bounty notice, or shared anything about recovery.

Users should be wary of any information that is not coming from the platform’s official handles.

Recovery periods breed secondary scams

Not every exploit leads to a refund; in fact, many do not, and even when funds do come back, the attention surrounding a hack creates fertile ground for fraud.

During these windows, it is common to see an increase in fake bounty notices, phishing refund portals, and wallet-verification links targeting users who are searching for compensation updates.

The THORChain and Verus exploits are the most recent incidents that have led analysts to raise these alarms. THORChain suffered a $10 million exploit on May 15, after which bad actors started spreading misinformation that the protocol was going to launch a refund platform.

THORChain warned users on X that “multiple fake accounts and false information” were circulating about nonexistent refund programs, airdrops, and compensation claims. Adshares users face a similar risk window now that the partial return has drawn public attention.

Bridge exploits continue to mount in 2026

The Adshares breach adds to a growing number of bridge-related exploits. PeckShieldAlert reported that cumulative bridge losses in 2026 have exceeded $328.6 million through mid-May, a figure that includes the $11.5 million Verus-Ethereum bridge hack that was disclosed on May 18.

If you're reading this, you’re already ahead. Stay there with our newsletter.