TL;DR
- The Verus-Ethereum bridge is facing an ongoing exploit that has drained $11.58 million so far.
- PeckShield flagged that the bridge has been drained of 103.6 tBTC, 1,625 ETH, and 147,000 USDC.
Another month, another DeFi hack. DeFi protocol Verus is facing an ongoing exploit targeting its Ethereum bridge, with attackers draining roughly $11.58 million in crypto assets, according to multiple blockchain security firms.
In a post published late Sunday on X, blockchain security platform Blockaid said it had identified suspicious activity involving the Verus bridge. The firm traced the attacker’s wallet to address “0x5aBb…D5777,” while the stolen funds were reportedly consolidated into another address labeled “0x65C…C25F9.”
Attacker EOA: 0x5aBb91B9c01A5Ed3aE762d32B236595B459D5777
Drainer wallet (still holding the funds): 0x65Cb8b128Bf6e690761044CCECA422bb239C25F9
Exploit tx: https://t.co/OqBh2alXGc
Bridge contract: https://t.co/EN3LkDfId9
— Blockaid (@blockaid_) May 18, 2026
Attacker Swaps Stolen Funds into ETH
Blockchain security company PeckShield reported that the exploit drained approximately 103.6 tBTC, 1,625 ETH, and 147,000 USDC from the Verus-Ethereum bridge.
According to PeckShield, the attacker later swapped the stolen assets into roughly 5,402 ETH, valued at around $11.4 million at current market prices.
#PeckShieldAlert The @veruscoin Verus-Ethereum Bridge has been drained for 103.6 $tBTC, 1.625K $ETH, and 147K $USDC.
The exploiter swapped the stolen assets for 5,402.4 $ETH (~$11.4M), which currently sits in 0x65Cb8b128Bf6e690761044CCECA422bb239C25F9.
The attacker’s address… https://t.co/DK0CDUAcqb pic.twitter.com/NMa8abhaTH
— PeckShieldAlert (@PeckShieldAlert) May 18, 2026
The firm also noted that the attacker’s wallet appeared to have been initially funded with 1 ETH through the crypto mixer Tornado Cash roughly 14 hours before the exploit took place.
Security Firms Suspect Bridge Validation Flaw
Another blockchain security provider, GoPlus Security, said the exploit may have been triggered through a malicious low-value transaction sent to the bridge contract.
The attacker allegedly invoked a specific function that enabled the bridge contract to batch-transfer reserve assets directly to the drainer wallet.
“It is highly likely to be cross-chain message validation/signature forgery, withdrawal logic bypass, or access control flaw,” GoPlus said.
The exploit highlights the continued security risks facing cross-chain bridge infrastructure, which has historically been a major target for attackers due to the large pools of locked liquidity and complex validation mechanisms involved in asset transfers between blockchains.
The Verus team had not publicly addressed the exploit at the time of publication. Verus is a privacy-focused blockchain network launched in 2018 that uses a hybrid “proof-of-power” consensus model combining proof-of-work and proof-of-stake mechanisms.
The Verus-Ethereum bridge launched in October 2023, allowing users to transfer and convert assets between the Verus blockchain and the Ethereum network.
The incident follows multiple hacks within the DeFi ecosystem in recent weeks, including those affecting Kelp DAO, Wasabi Protocol, and Drift Protocol.
Hassan Maishera