The Verus-Ethereum bridge, a protocol designed for cross-chain asset transfers, suffered an exploit on May 18 resulting in the loss of approximately $11.58 million in user funds.
"The attacker’s address was initially funded with 1 ETH via Tornado Cash ~14 hours ago," blockchain security firm PeckShield said in a post on X. The firm identified that the exploiter made off with 103.6 tBTC, 1,625 ETH, and 147,000 USDC.
On-chain data shows the attacker consolidated the stolen assets by swapping them for 5,402.4 Ether, worth around $11.4 million at the time of the transactions. The entire sum was transferred to a new wallet, 0x65Cb8b128Bf6e690761044CCECA422bb239C25F9, where it currently remains. Security firm Blockaid first flagged the suspicious activity from the attacker's externally owned account, 0x5aBb91B9c01A5Ed3aE762d32B236595B459D5777.
This attack pushes the total for DeFi exploits in May 2026 to over $30 million and underscores the systemic risk associated with cross-chain bridges, which have become frequent, high-value targets for hackers. The incident follows a $10 million exploit on THORChain just days earlier and comes after a record-breaking April that saw over $600 million lost, with the majority stemming from bridge-related vulnerabilities like the $292 million KelpDAO hack.
The Verus exploit is the latest in a string of attacks targeting the infrastructure that connects blockchain networks rather than the smart contracts on a single chain. According to security analysts at GoPlus, the Verus attack may have stemmed from a flaw in the bridge's transaction validation system, potentially involving signature forgery or a bypass in the withdrawal logic.
These bridge protocols, which lock large pools of assets to facilitate swaps between chains, represent a centralized point of failure. The historical pattern of bridge exploits, including major attacks on LayerZero's messaging system, consistently produces the largest individual losses in the digital asset space. The continued success of these attacks raises questions about the security audits and architectural designs of current interoperability solutions, potentially slowing the adoption of seamless multi-chain applications until more robust security standards are established. The Verus protocol, which launched its Ethereum bridge in October 2023, now faces a significant challenge in regaining user trust and securing its platform.
This article is for informational purposes only and does not constitute investment advice.
