A hacker drained approximately $11.58 million in assets from the Verus-Ethereum Bridge in a single transaction on May 17, 2026 — targeting a cross-chain infrastructure project that explicitly marketed itself as immune to the type of smart contract exploit it had just destroyed.
The exploit was reported in real-time by blockchain security firm Blockaid, with details later amplified by on-chain intelligence account @coinxtreme_en on X.
According to mailThe drain wallet – 0x65Cb8b128Bf6e690761044CCECA422bb239C25F9 – received approximately 1,625 ETH worth approximately $3.43 million, 103.57 tBTC worth approximately $7.96 million, and 147,000 USDC in one external transfer. Most of the stolen assets were later converted into ETH through Uniswap, according to X’s post.
Marketing that made the Ethereum attack worse
The attack lands especially hard considering how Verus positions his bridge. The project’s homepage carried language stating that the bridge was “validated by protocol rules, not by custom code” — a direct appeal to users weary of the smart contract vulnerabilities that have identified the most damaging DeFi exploits.
Verus’ architecture relied on cryptographic proofs, documented witnesses, and protocol-level validation rather than custom contract logic that attackers have repeatedly targeted across other bridges, according to a post by @coinxtreme_en. The irony, as the post depicts it, is that the “no exploit code” marketing becomes the bridge’s most damaging liability once the exploit occurs.
Suspicious timeline
The sequence of events in the 48 hours leading up to the attack raises questions that the publication describes as resembling a targeted and sophisticated play rather than an opportunistic survey. Two days before the exploit occurred, Verus pushed an emergency update named version 1.2.14-2, which the team described as urgent and mandatory, citing an unspecified vulnerability.
According to @coinxtreme_en’s post, the attacker’s wallet was funded with Tornado Cash approximately 11 to 13 hours after this announcement — a timing pattern consistent with an actor who had prior knowledge of the vulnerability and used the emergency update window to prepare the infrastructure for the attack before execution.
The pattern is not new to DeFi. Emergency patches that disclose a vulnerability without completely closing it have historically provided sophisticated actors with a narrow window to act before the broader community understands the extent of exposure.
Cross-chain bridges remain the most structurally vulnerable layer in DeFi, and are responsible for a disproportionate share of total DeFi losses since 2021. The Verus incident reinforces the principle that the emerging sector has repeatedly paid for itself with nine-figure losses: protocol-level design assumptions, no matter how elegant in theory, are no substitute for formal verification, independent audits, and operational discipline to temporarily shut down systems when a credible threat is identified. Another bridge fell. The gap between “unhackable by design” and “unhackable in practice” remains as wide as ever.
As of this writing, Ethereum price is showing signs of further decline after a quiet weekend. The cryptocurrency fell by about 10% over the past week, and about 3% in the past 24 hours.
ETH's price records small losses, as seen on the daily chart. Source: ETHUSD on Tradingview
Cover image from Tradingview’s ChatGPT and ETHUSD chat
Editing process Bitcoinist focuses on providing well-researched, accurate, and unbiased content. We adhere to strict sourcing standards, and every page is carefully reviewed by our team of senior technology experts and experienced editors. This process ensures the integrity, relevance, and value of our content to our readers.
