A hacker drained roughly $11.58 million in property from the Verus-Ethereum Bridge in a single transaction on Could 17, 2026 — concentrating on a cross-chain infrastructure challenge that had explicitly marketed itself as proof against the sort of good contract exploit that simply gutted it.
The exploit was flagged in actual time by blockchain safety agency Blockaid, with particulars subsequently amplified by on-chain intelligence account @coinxtreme_en on X.
In response to the submit, the drainer pockets — 0x65Cb8b128Bf6e690761044CCECA422bb239C25F9 — acquired roughly 1,625 ETH value roughly $3.43 million, 103.57 tBTC value roughly $7.96 million, and 147,000 USDC in a single outbound switch. Many of the stolen property had been subsequently transformed to ETH by way of Uniswap, per the X submit.
The Advertising That Made The Ethereum Assault Worse
The assault lands with explicit drive given how Verus positioned its bridge. The challenge’s homepage carried language stating the bridge was “validated by protocol rules, not custom code” — a direct enchantment to customers fatigued by good contract vulnerabilities which have outlined DeFi’s most damaging exploits.
The Verus structure relied on cryptographic proofs, notary witnesses, and protocol-level validation reasonably than the customized contract logic that attackers have repeatedly focused throughout different bridges, per the @coinxtreme_en submit. The irony, because the submit frames it, is that the “no code to exploit” advertising turned the bridge’s most damaging legal responsibility as soon as the exploit materialized.
A Suspicious Timeline
The sequence of occasions within the 48 hours earlier than the assault raises questions the submit describes as smelling like a focused, refined play reasonably than opportunistic scanning. Two days previous to the exploit, Verus pushed an emergency replace labeled model 1.2.14-2, described by the group as pressing and necessary, citing an unspecified vulnerability.
In response to the @coinxtreme_en submit, the attacker’s pockets was funded by way of Twister Money roughly 11 to 13 hours after that announcement — a timing sample per an actor who had prior information of the vulnerability and used the emergency replace window to arrange the assault infrastructure earlier than execution.
The sample is just not new to DeFi. Emergency patches that reveal the existence of a vulnerability with out totally closing it have traditionally supplied refined actors with a slim window to behave earlier than the broader neighborhood understands the publicity.
Cross-chain bridges stay essentially the most structurally susceptible layer of decentralized finance, answerable for a disproportionate share of complete DeFi losses since 2021. The Verus incident reinforces a precept the nascent sector has paid for repeatedly in nine-figure losses: protocol-level design assumptions, nevertheless elegant in idea, aren’t any substitute for formal verification, impartial audits, and the operational self-discipline to pause techniques when a reputable risk is recognized. One other bridge fell. The hole between “unhackable by design” and “unhacked in practice” stays as huge as ever.
As of this writing, the Ethereum value exhibits indicators of additional draw back after a tender weekend. The cryptocurrency is down round 10% over the previous week, and round 3% over the previous 24 hours.
ETH's value data small losses, as seen on the every day chart. Supply: ETHUSD on Tradingview
Cowl picture from ChatGPT, ETHUSD chat from Tradingview
Editorial Course of for bitcoinist is centered on delivering totally researched, correct, and unbiased content material. We uphold strict sourcing requirements, and every web page undergoes diligent assessment by our group of prime know-how consultants and seasoned editors. This course of ensures the integrity, relevance, and worth of our content material for our readers.
