A hacker drained roughly $11.58 million in belongings from the Verus-Ethereum Bridge in a single transaction on Could 17, 2026 — focusing on a cross-chain infrastructure mission that had explicitly marketed itself as resistant to the sort of sensible contract exploit that simply gutted it.
The exploit was flagged in actual time by blockchain safety agency Blockaid, with particulars subsequently amplified by on-chain intelligence account @coinxtreme_en on X.
In response to the put up, the drainer pockets — 0x65Cb8b128Bf6e690761044CCECA422bb239C25F9 — obtained roughly 1,625 ETH value roughly $3.43 million, 103.57 tBTC value roughly $7.96 million, and 147,000 USDC in a single outbound switch. Many of the stolen belongings had been subsequently transformed to ETH by means of Uniswap, per the X put up.
The Advertising That Made The Ethereum Assault Worse
The assault lands with explicit drive given how Verus positioned its bridge. The mission’s homepage carried language stating the bridge was “validated by protocol guidelines, not customized code” — a direct enchantment to customers fatigued by sensible contract vulnerabilities which have outlined DeFi’s most damaging exploits.
The Verus structure relied on cryptographic proofs, notary witnesses, and protocol-level validation relatively than the customized contract logic that attackers have repeatedly focused throughout different bridges, per the @coinxtreme_en put up. The irony, because the put up frames it, is that the “no code to use” advertising turned the bridge’s most damaging legal responsibility as soon as the exploit materialized.
A Suspicious Timeline
The sequence of occasions within the 48 hours earlier than the assault raises questions the put up describes as smelling like a focused, refined play relatively than opportunistic scanning. Two days previous to the exploit, Verus pushed an emergency replace labeled model 1.2.14-2, described by the crew as pressing and necessary, citing an unspecified vulnerability.
In response to the @coinxtreme_en put up, the attacker’s pockets was funded by means of Twister Money roughly 11 to 13 hours after that announcement — a timing sample in keeping with an actor who had prior data of the vulnerability and used the emergency replace window to organize the assault infrastructure earlier than execution.
The sample isn’t new to DeFi. Emergency patches that reveal the existence of a vulnerability with out absolutely closing it have traditionally offered refined actors with a slim window to behave earlier than the broader group understands the publicity.
Cross-chain bridges stay essentially the most structurally susceptible layer of decentralized finance, liable for a disproportionate share of whole DeFi losses since 2021. The Verus incident reinforces a precept the nascent sector has paid for repeatedly in nine-figure losses: protocol-level design assumptions, nevertheless elegant in principle, are not any substitute for formal verification, impartial audits, and the operational self-discipline to pause techniques when a reputable risk is recognized. One other bridge fell. The hole between “unhackable by design” and “unhacked in follow” stays as extensive as ever.
As of this writing, the Ethereum value exhibits indicators of additional draw back after a delicate weekend. The cryptocurrency is down round 10% over the previous week, and round 3% over the previous 24 hours.
ETH's value data small losses, as seen on the day by day chart. Supply: ETHUSD on Tradingview
Cowl picture from ChatGPT, ETHUSD chat from Tradingview
Editorial Course of for bitcoinist is centered on delivering totally researched, correct, and unbiased content material. We uphold strict sourcing requirements, and every web page undergoes diligent overview by our crew of high know-how consultants and seasoned editors. This course of ensures the integrity, relevance, and worth of our content material for our readers.