Verus-Ethereum Bridge Exploit Drains $11.6 Million and Halts Network
An exploit against the Verus-Ethereum bridge drained about $11.58 million in crypto assets, according to reports from Blockaid, PeckShield, and GoPlus. PeckShield said the attacker stole 103.6 tBTC, 1,625 ETH, and 147,000 USDC, then swapped the proceeds into roughly 5,402 ETH; the attacker wallet was reportedly seeded with 1 ETH from Tornado Cash. Security researchers also identified attacker and destination wallets as the theft unfolded.
Verus said its network was halted, with most block-producing nodes taking themselves offline after the attack’s effects appeared, while developers investigated the root cause and recovery options. GoPlus said the exploit may stem from cross-chain message validation or signature forgery, a withdrawal logic bypass, or an access control flaw in the bridge, which was launched to move assets between the privacy-focused Verus blockchain and Ethereum.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Security firms publish attacker wallet and exploit assessments
Blockaid, PeckShield, and GoPlus disclosed technical details including attacker and destination wallets, stolen assets, and preliminary theories such as cross-chain message validation or signature forgery issues, withdrawal logic bypass, or an access control flaw.
Verus network halts as nodes go offline during incident response
Verus said its network halted after most block-generating nodes took themselves offline upon encountering effects of the attack. Developers began investigating the root cause and next steps.
Verus-Ethereum bridge exploit begins, draining about $11.6 million
An exploit against the Verus-Ethereum bridge resulted in losses of roughly $11.58 million. Security firms reported the attacker stole 103.6 tBTC, 1,625 ETH, and 147,000 USDC and swapped the assets into 5,402 ETH.
Verus launches its Ethereum bridge
Verus introduced its Ethereum bridge to enable asset transfers and conversions between the Verus blockchain and Ethereum.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Ongoing exploit drains $11.6 million from Verus-Ethereum bridge: Blockaid | The Block
theblock.co
Open sourceInside the $3.6mln Venus Protocol exploit on BNB Chain | MEXC News
mexc.com
Open sourceBNB Chain-Based Venus Protocol Drained of $27M on Suspected Contract Compromise
coindesk.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Cross-chain bridge failures at CrossCurve and KelpDAO expose verifier trust risks
CrossCurve disclosed a roughly **$3 million** cross-chain bridge exploit after attackers abused a validation weakness, prompting the protocol to pursue legal action while investigators worked to trace the stolen funds. Reporting on the incident said the attack targeted the bridge’s transaction verification logic rather than a simple wallet compromise, underscoring how weaknesses in cross-chain message validation can let adversaries authorize fraudulent transfers and drain locked assets. A larger breach hit **KelpDAO**, where attackers stole about **$290 million** in `rsETH` by exploiting its LayerZero-based bridge path with effectively **`1-of-1` DVN verification**, allowing a forged packet to be accepted on Ethereum without a legitimate source-chain transaction. The theft was widely attributed to North Korea-linked **Lazarus/TraderTraitor**, and recovery efforts later included burning more than **117,000 rsETH** held by the exploiter on Arbitrum, restoring backing through an Aave-controlled recovery wallet, increasing bridge requirements to four independent attestors and 64 block confirmations, and beginning a migration to **Chainlink CCIP** after investigators characterized the incident as an operational and verification failure rather than a confirmed public smart-contract bug.
May 25, 2026
THORChain exploit and Alephium bridge hack expose forged cross-chain message flaws
THORChain was exploited across Bitcoin, Ethereum, BNB Chain, and Base, with losses rising from an initial estimate of **$7.4 million** to more than **$10.7 million** after an Asgard vault was drained. The protocol paused trading after the attack, and community investigators published suspected theft addresses on Bitcoin and EVM-compatible networks. Separately, Alephium disclosed that its private Wormhole-fork TokenBridge was exploited on Ethereum and BNB Chain for about **$815,000** after an off-chain backend flaw let forged guardian messages pass through its four-guardian system, enabling the minting of **13.76 million** unbacked wrapped `ALPH` on Ethereum. New reporting tied the THORChain incident to a privately disclosed but allegedly unremediated proposer-forgery flaw in the Bifrost attestation system. Security firm **V12** said it warned THORChain about a critical fund-draining bug, but the protocol silently patched code, did not pay a bounty, and retired its bug bounty program; researchers said a May 6 fix intended to block proposer forgery failed automated testing and was never deployed before the exploit. In Alephium’s case, the project and Blockaid revised earlier claims of guardian key theft and said the root cause was forged malicious events or messages observed and signed because of a backend vulnerability; Alephium shut down the bridge, halted new transactions, and urged holders to pull liquidity from Uniswap and PancakeSwap while the attacker still controls the unbacked tokens.
Jun 1, 2026
Kelp DAO bridge exploit tied to Lazarus triggers DeFi losses, legal fight, and migration
Attackers linked with North Korea’s **Lazarus Group** exploited Kelp DAO’s LayerZero-powered `rsETH` bridge by compromising off-chain verification infrastructure and abusing a **1-of-1 DVN** setup, fraudulently releasing about **116,500 rsETH** worth roughly **$292 million**. The stolen tokens were posted as collateral on **Aave** to borrow real assets, creating an estimated **$124 million to $230 million** in bad debt, driving severe liquidity stress, and contributing to a broader DeFi selloff. Kelp DAO and LayerZero publicly disputed responsibility after LayerZero first blamed Kelp’s configuration, then later acknowledged its own mistake in allowing its DVN to operate as the sole verifier for a high-value route; a later forensic report said the intrusion began with social engineering of a LayerZero developer and was attributed with high confidence to DPRK-linked **TraderTraitor/UNC4899**. Arbitrum’s Security Council froze about **30,766 ETH**—roughly **$71 million**—linked to the exploit, but the recovery effort became entangled in U.S. litigation after terrorism-judgment creditors sought to seize the assets as alleged North Korean property. A federal judge later allowed an Arbitrum DAO vote to move the frozen ETH to **Aave LLC** while preserving the restraining notice, leaving ownership unresolved as DeFi United worked to recapitalize `rsETH`, Kelp burned attacker-held tokens on Arbitrum, and most of the remaining **$220 million** in unfrozen funds were reportedly laundered through **THORChain**, **Wasabi**, **Tornado Cash**, and **Umbra**. In the aftermath, Kelp migrated `rsETH` bridging to **Chainlink CCIP**, and the incident accelerated broader protocol moves away from minimal LayerZero verifier configurations.
Jun 9, 2026