Verus Ethereum Bridge Exploit Drains Over $11 Million in Crypto

DeFi protocol Verus is reportedly dealing with a major exploit involving its Ethereum bridge, with blockchain security firms estimating losses of approximately $11.58 million.

Investigators said the attacker drained assets including tBTC, ETH, and USDC before swapping the stolen funds into ETH. Security researchers also pointed out that the attacker’s wallet was initially funded through Tornado Cash shortly before the exploit took place. 

Hackers Drain $11.5M From Verus

DeFi protocol Verus is reportedly dealing with a major exploit involving its Ethereum bridge. Blockchain security firms estimate that attackers have already drained approximately $11.58 million in digital assets. 

The incident was first pointed out late Sunday by on-chain security platform Blockaid, which identified suspicious activity tied to an attacker wallet beginning with “0x5aBb” and noted that the stolen funds were being stored in another address ending in “C25F9.”

Security researchers from PeckShield later provided more details about the attack, claiming that the Verus-Ethereum bridge lost around 103.6 tBTC, 1,625 ETH, and 147,000 USDC during the exploit. According to the firm, the attacker quickly swapped the stolen assets into approximately 5,402 ETH, valued at roughly $11.4 million at current market prices.

PeckShield also revealed that the attacker’s wallet was initially funded through Tornado Cash, the crypto mixing service often associated with anonymous transactions. The address received 1 ETH around 14 hours before the exploit occurred.

Another blockchain security company, GoPlus, suggested that the exploit may have involved a sophisticated flaw in the bridge’s transaction validation system. The firm stated that the attacker seemingly sent a low-value transaction to the bridge contract before triggering a function that enabled the batch transfer of reserve assets directly to the drainer wallet.

GoPlus added that the incident could be linked to cross-chain message validation failures, signature forgery vulnerabilities, withdrawal logic bypasses, or access control weaknesses in the bridge infrastructure. These types of vulnerabilities have become very common targets for attackers in decentralized finance, particularly for cross-chain bridges that manage large pools of locked liquidity.
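The sequence reported above (mixer funding, a low-value transaction to the bridge, then a batch outflow of several reserve assets to the same wallet) can be written as a monitoring rule. This is an added example, not code from Verus or any of the firms cited; the address labels, thresholds, time windows and USD figures are constructed assumptions.

```python
from collections import defaultdict

MIXERS = {"mixer_pool"}        # assumed label for known mixer contracts
BRIDGE = "bridge_contract"     # assumed label for the monitored bridge
FUNDING_WINDOW = 24 * 3600     # mixer funding counts if <= 24h before the probe
DRAIN_WINDOW = 600             # bridge outflows counted for 10 min after the probe
LOW_VALUE_USD = 100            # what counts as a "low-value" transaction (assumption)
MIN_ASSETS = 2                 # distinct reserve assets leaving together
MIN_DRAIN_USD = 1_000_000      # combined outflow that triggers an alert

def detect_bridge_drains(transfers):
    """Flag addresses matching: mixer funding -> low-value transaction to the
    bridge -> multi-asset bridge outflow back to the same address."""
    funded_at = {}                 # address -> time of last mixer funding
    probes = {}                    # address -> time of first low-value bridge tx
    outflows = defaultdict(list)   # address -> bridge outflows after its probe
    for t in sorted(transfers, key=lambda r: r["ts"]):
        if t["src"] in MIXERS:
            funded_at[t["dst"]] = t["ts"]
        elif t["dst"] == BRIDGE and t["usd"] <= LOW_VALUE_USD:
            f = funded_at.get(t["src"])
            if f is not None and t["ts"] - f <= FUNDING_WINDOW:
                probes.setdefault(t["src"], t["ts"])
        elif t["src"] == BRIDGE and t["dst"] in probes:
            if t["ts"] - probes[t["dst"]] <= DRAIN_WINDOW:
                outflows[t["dst"]].append(t)
    alerts = []
    for addr, outs in outflows.items():
        assets = sorted({o["asset"] for o in outs})
        total = sum(o["usd"] for o in outs)
        if len(assets) >= MIN_ASSETS and total >= MIN_DRAIN_USD:
            alerts.append({"address": addr, "assets": assets, "usd": total})
    return alerts

SAMPLE = [  # constructed records for illustration, not on-chain data
    {"ts": 0, "src": "mixer_pool", "dst": "addr_A", "asset": "ETH", "usd": 2100},
    {"ts": 1000, "src": "mixer_pool", "dst": "addr_C", "asset": "ETH", "usd": 2100},
    {"ts": 2000, "src": "addr_C", "dst": "bridge_contract", "asset": "ETH", "usd": 20},
    {"ts": 2100, "src": "bridge_contract", "dst": "addr_C", "asset": "USDC", "usd": 20},
    {"ts": 3600, "src": "addr_B", "dst": "bridge_contract", "asset": "ETH", "usd": 50},
    {"ts": 3700, "src": "bridge_contract", "dst": "addr_B", "asset": "USDC", "usd": 5000},
    {"ts": 50400, "src": "addr_A", "dst": "bridge_contract", "asset": "ETH", "usd": 5},
    {"ts": 50460, "src": "bridge_contract", "dst": "addr_A", "asset": "tBTC", "usd": 8_000_000},
    {"ts": 50460, "src": "bridge_contract", "dst": "addr_A", "asset": "ETH", "usd": 3_000_000},
    {"ts": 50460, "src": "bridge_contract", "dst": "addr_A", "asset": "USDC", "usd": 147_000},
]
```

Only `addr_A` is flagged: `addr_B` was never mixer-funded, and `addr_C` received a single asset well below the drain threshold.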

Verus, launched in 2018, is a privacy-focused blockchain network that uses a hybrid “proof-of-power” consensus mechanism combining proof-of-work and proof-of-stake elements. Its Ethereum bridge was introduced in October 2023 and was designed to allow users to transfer and convert assets between the Verus ecosystem and Ethereum.