Meet the Top 101 in Crypto
News
4 min read

Verus Bridge Exploited: $11.58M Drained, Attack Still Live

Published 18 May 2026
Prashant Jha
Authors
Edited by Insha Zia

Key Takeaways

  • An attacker drained $11.58 million from the Verus-Ethereum Bridge on May 18, 2026, and the stolen funds have not moved yet.
  • The exploit took advantage of a flaw that let the bridge release funds without properly verifying backing on the Verus side.
  • The incident adds to a growing wave of DeFi exploits in 2026, with more than $750 million already stolen from protocols and bridges.

Another major bridge exploit has hit the crypto industry.

On May 18, blockchain security firm Blockaid flagged an active attack on the Verus-Ethereum Bridge, resulting in roughly $11.58 million being drained from the protocol in a matter of minutes.

The incident quickly caught attention because Verus had long promoted the bridge as “trustless” and resistant to the kinds of smart-contract risks that have plagued other cross-chain systems.

But the exploit exposed a different problem entirely — not a traditional smart-contract bug, but a failure to verify that assets on one side of the bridge were actually backed before funds were released on the other.

Try Our Recommended Crypto Exchanges
Sponsored
Disclosure
Opened in 2018
Promotions
Deposit $100, Get an Extra $300 in GOLD!
Coins
Shiba Inu Bitcoin PAX Gold Ampleforth Ethereum +70
Promotions
Receive up to $100,000 worth of exclusive gifts for newcomers upon registration.
Coins
Bitcoin Ethereum Tether USD Coin Solana +76
Promotions
Experience a 1-minute swap on a non-custodial platform.
Coins
Bitcoin Ethereum Tether Build'N'Build USD Coin +217
Show More

How the Attack Happened

The exploit began in the early hours of May 18, 2026 (UTC).

Blockaid first detected suspicious activity around 00:54 GMT involving the Verus-Ethereum Bridge contract.

The attacker used the wallet address 0x5aBb91B9c01A5Ed3aE762d32B236595B459D5777 to initiate the exploit, then moved the stolen funds to another wallet.

According to PeckShield and on-chain data, the attacker funded the wallet with 1 ETH through Tornado Cash around 14 hours before the attack.

Interestingly, Verus had already released an “urgent and mandatory” emergency update just two days earlier to patch a separate vulnerability.

The timing has led many observers to believe the exploit was part of a targeted operation rather than a random attack.

Unlike many DeFi hacks, this was not a reentrancy exploit or a private key compromise.

Instead, the issue came from a validation gap between the Verus and Ethereum sides of the bridge.

The bridge successfully verified signatures, state roots, and Merkle proofs.

But it failed to confirm whether the assets being requested on Ethereum were actually backed by enough value on the Verus side.

In simple terms, the attacker created a transaction that appeared cryptographically valid while having almost no real backing.

That allowed the bridge to release:

  • 1,625 ETH.
  • 103.6 tBTC.
  • 147,000 USDC.

The attacker later swapped the stolen assets on Uniswap for roughly 5,402 ETH, worth between $11.4 million and $11.58 million at the time.

Security researchers noted that fixing the issue may have required only a small amount of additional verification code.

The Funds Haven’t Moved Yet

At the time of writing, the stolen funds remain in the attacker’s wallet, with no major movement reported yet.

Because the vulnerability window may not be fully closed, some researchers still consider the exploit “live.”

Verus has not released a full official post-mortem yet, though discussions about reimbursement and insurance coverage have already begun in parts of the community.

The exploit also serves as another reminder that “trustless” does not automatically mean risk-free.

Many bridges focus heavily on cryptographic verification while overlooking the economic logic needed to ensure that assets remain properly backed across chains.

Bridge Hacks Keep Piling Up in 2026

The Verus exploit is only the latest in what has already become a brutal year for DeFi security.

April 2026 alone reportedly became the most hacked month in crypto history, with more than $625 million lost across nearly 30 separate exploits.

Two of the biggest incidents included:

  • Drift Protocol:  The platform lost around $285 million to a social-engineering attack linked to North Korea’s Lazarus Group.
  • Kelp DAO: Exploiters drained roughly $292 million through a bridge validation exploit involving cross-chain message spoofing.

Several smaller attacks targeting bridges and DeFi protocols added even more losses across the sector.

So far, total DeFi losses in 2026 have already crossed $750 million, with bridges accounting for a large share of the damage.

The pattern is becoming increasingly clear. Attackers are moving away from obvious smart-contract bugs and focusing more on infrastructure weaknesses, messaging systems, and validation gaps between chains.

That makes bridge security one of the biggest ongoing challenges in crypto.

Even projects that market themselves as highly secure or “unhackable” are learning that strong cryptography alone is not enough if the economic logic behind the system breaks down.

Prashant Jha

Prashant Jha is a seasoned crypto journalist based in Delhi, India, with a Bachelor’s Degree in Computer Science Engineering. Passionate about the evolving world of blockchain and cryptocurrencies, he has been a dedicated voice in the industry since 2018. Prashant’s expertise lies in regulatory reporting, where he unravels complex legal and financial developments with clarity and precision. Before joining CCN in 2024, he honed his craft at Cointelegraph, establishing himself as a trusted name in crypto journalism.

His coverage spans major industry events, including the high-profile collapses of FTX, Three Arrows Capital (3AC), and LUNA, offering readers insightful analyses of their regulatory and market implications. Prashant’s technical background enables him to bridge the gap between intricate blockchain technology and its real-world applications, making his work accessible to novices and experts.

Beyond his professional pursuits, Prashant is an avid music enthusiast, often exploring diverse genres to unwind. A sports lover, he has a particular passion for cricket and frequently engages in discussions about the game. His multifaceted interests and sharp journalistic instincts make him a valuable contributor to CCN, where he continues shaping the crypto landscape's narrative.

Related

Survey Icon
Help us improve
1 of 4
Is this your first time here?
What brought you here today?
What are you most interested in?
Would you be interested in:
Thank you icon
Thank you for your feedback!
DMCA.com Protection Status