May 22, 2026 ChainGPT

Verus bridge exploiter returns $8.5M after deal — keeps $2.9M (25%) bounty

The attacker who drained Verus’ Ethereum bridge has handed back the bulk of the haul after a negotiated settlement — but kept a sizeable bounty.

On May 21 the exploiter sent 4,052.4 ETH (roughly $8.5 million at on-chain prices) to a Verus team address, according to PeckShield and Etherscan. That transfer represents about 75% of the total stolen funds; the exploiter retained 1,350 ETH (≈ $2.8–2.9 million) as the agreed bounty. Etherscan shows the transfer came from a wallet labeled “Verus Exploiter 2” to address 0xF9AB…C1A74. Minutes after returning the larger chunk, the attacker moved the 1,350 ETH bounty to a fresh address.

PeckShield flagged the return and the split, and Verus’ public post on X said community members and developers negotiated the terms — including the bounty size, the exploiter’s obligations, and how the assets would be returned.

How the theft unfolded and what was taken

- The exploit occurred on May 18 and initially drained more than $11.5 million from the Verus Ethereum bridge.
- PeckShield reported the stolen mix included 103.6 tBTC, 1,625 ETH, and nearly 147,000 USDC. The attacker later swapped assets into about 5,402 ETH (around $11.4M at the time of the swaps).

What went wrong

Security firm Blockaid attributed the breach to missing source-amount validation in the bridge logic — a gap in checks that allowed the forged cross-chain transfer message to be accepted. Blockaid noted this was not an ECDSA bypass, not a notary-key compromise, and not a parser or hash-binding bug.

Community reaction and broader context

Some onlookers framed the deal as a pragmatic win: those in favor of negotiated returns argued that recovering 75% of assets is a reasonable outcome compared with losing everything to mixers. Others warned the incident underscores deeper systemic risks with bridges. Critics pointed to centralized custody and validation weaknesses, and suggested alternatives like atomic swaps to avoid similar failure modes.

The Verus case differs from many recent bridge hacks because most of the drained ETH came back to a team address after the bounty deal. Many past attacks move funds through mixers or keep them under attacker control. Nonetheless, this episode arrives amid a spate of cross-chain security failures — recent incidents include the Butter Network exploit that sent the MAPO token price tumbling and the Echo Protocol/Monad incident where an attacker minted roughly $76.7M in unauthorized eBTC and moved funds through Tornado Cash.

Why it matters

Bridges remain a major attack surface for DeFi because they hold assets across chains. Weak validation lets attackers trigger unauthorized transfers, mint or move reserves, and extract funds before teams can act. The Verus return highlights both the potential effectiveness of negotiated recoveries and the urgent need for stronger bridge validation and custody models across the ecosystem.

The story is still developing; on-chain data and security firm analyses remain the best sources for ongoing updates.