A hacker drained roughly $11.58 million in belongings from the Verus-Ethereum Bridge in a single transaction on Could 17, 2026 — concentrating on a cross-chain infrastructure challenge that had explicitly marketed itself as proof against the type of sensible contract exploit that simply gutted it.
The exploit was flagged in actual time by blockchain safety agency Blockaid, with particulars subsequently amplified by on-chain intelligence account @coinxtreme_en on X.
In accordance with the submit, the drainer pockets — 0x65Cb8b128Bf6e690761044CCECA422bb239C25F9 — acquired roughly 1,625 ETH value roughly $3.43 million, 103.57 tBTC value roughly $7.96 million, and 147,000 USDC in a single outbound switch. A lot of the stolen belongings have been subsequently transformed to ETH by means of Uniswap, per the X submit.
The Advertising and marketing That Made The Ethereum Assault Worse
The assault lands with explicit pressure given how Verus positioned its bridge. The challenge’s homepage carried language stating the bridge was “validated by protocol guidelines, not customized code” — a direct attraction to customers fatigued by sensible contract vulnerabilities which have outlined DeFi’s most damaging exploits.
The Verus structure relied on cryptographic proofs, notary witnesses, and protocol-level validation quite than the customized contract logic that attackers have repeatedly focused throughout different bridges, per the @coinxtreme_en submit. The irony, because the submit frames it, is that the “no code to use” advertising turned the bridge’s most damaging legal responsibility as soon as the exploit materialized.
A Suspicious Timeline
The sequence of occasions within the 48 hours earlier than the assault raises questions the submit describes as smelling like a focused, subtle play quite than opportunistic scanning. Two days previous to the exploit, Verus pushed an emergency replace labeled model 1.2.14-2, described by the crew as pressing and necessary, citing an unspecified vulnerability.
In accordance with the @coinxtreme_en submit, the attacker’s pockets was funded by means of Twister Money roughly 11 to 13 hours after that announcement — a timing sample in keeping with an actor who had prior data of the vulnerability and used the emergency replace window to arrange the assault infrastructure earlier than execution.
The sample shouldn’t be new to DeFi. Emergency patches that reveal the existence of a vulnerability with out totally closing it have traditionally supplied subtle actors with a slender window to behave earlier than the broader group understands the publicity.
Cross-chain bridges stay essentially the most structurally weak layer of decentralized finance, accountable for a disproportionate share of complete DeFi losses since 2021. The Verus incident reinforces a precept the nascent sector has paid for repeatedly in nine-figure losses: protocol-level design assumptions, nevertheless elegant in idea, aren’t any substitute for formal verification, unbiased audits, and the operational self-discipline to pause methods when a reputable menace is recognized. One other bridge fell. The hole between “unhackable by design” and “unhacked in apply” stays as large as ever.
As of this writing, the Ethereum worth reveals indicators of additional draw back after a tender weekend. The cryptocurrency is down round 10% over the previous week, and round 3% over the previous 24 hours.
ETH's worth information small losses, as seen on the day by day chart. Supply: ETHUSD on Tradingview
Cowl picture from ChatGPT, ETHUSD chat from Tradingview
Editorial Course of for bitcoinist is centered on delivering totally researched, correct, and unbiased content material. We uphold strict sourcing requirements, and every web page undergoes diligent overview by our crew of prime know-how specialists and seasoned editors. This course of ensures the integrity, relevance, and worth of our content material for our readers.
