Verus-Ethereum Bridge Hacker Returns $8.5M After Bounty Deal
The hacker who drained $11.58 million from the Verus-Ethereum bridge has returned $8.5 million after the protocol offered a bounty to keep the rest. The deal recovered 75% of the stolen funds within days of the exploit.
Quick Insights
- The Verus-Ethereum bridge exploiter returned 4,052.4 ETH worth roughly $8.5 million to the project's team wallet, representing about 75% of the stolen funds.
- The attacker kept 1,350 ETH worth around $2.8 million as a bounty, after Verus offered exactly that amount in exchange for returning the rest within 24 hours.
- The original exploit on 18 May drained $11.58 million through a forged cross-chain transfer that exploited a missing source-amount validation in the bridge contract.
- The recovery is one of the cleaner outcomes of a year that has seen bridge exploits total roughly $328.6 million across eight major incidents.
The hacker behind last week's Verus-Ethereum bridge exploit has returned the bulk of the stolen funds. The attacker sent 4,052.4 ETH, worth approximately $8.5 million, back to the Verus team wallet after the protocol offered a bounty for the recovery of most of the drained assets, according to blockchain security firm PeckShield. The return represents roughly 75% of the $11.58 million originally stolen.
A 24-Hour Ultimatum That Worked
The recovery followed a direct negotiation between Verus and the exploiter. A day before the funds were returned, Verus posted an on-chain message offering the attacker 1,350 ETH, worth around $2.8 million, as a white-hat bounty. The condition was simple: return 4,052.4 ETH to the team address within 24 hours; the remainder, kept with no further pursuit, was framed as the reward.
The attacker took the deal. The structure is now a familiar pattern in DeFi incident response, where projects calculate that recovering 75% of stolen funds quickly and cleanly is a better outcome than pursuing 100% through law enforcement over months or years with no guarantee of success. The bounty effectively converts a theft into an expensive bug bounty after the fact.
These deals do not necessarily prevent law enforcement or third parties from acting. Negotiating a return with an exploiter recovers funds, but it does not grant the attacker legal immunity, and on-chain forensics firms retain the ability to trace and flag the retained ETH if it moves through exchanges later.
The Original Hack Exploited a Validation Gap
The 18 May exploit was not a private key compromise or a signature bypass. The bridge correctly verified the Verus state root, the Merkle proof and the hash commitment binding the transfer data. What it failed to check was whether the source-chain transaction actually had value attached to it.
The attacker built a Verus-side transaction that committed to an $11.58 million payout while locking zero value as collateral, then submitted the cryptographically valid proof to the Ethereum bridge contract, which paid out from its reserves. Security firm Blockaid described it as the same structural flaw behind the 2022 Wormhole and Nomad exploits, and noted that roughly ten lines of Solidity validating transaction values would have prevented the entire drain. The attacker spent around $10 in network fees to extract the payout.
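The validation gap described above, modelled in Python as an added example (this is not Verus's bridge code, which is Solidity, nor either firm's analysis): a destination-side release function that accepts a valid Merkle proof for a transfer record but never compares the record's claimed payout with the value actually locked on the source chain, beside the hardened form that does. The transfer fields, the tree layout and the already-notarised trusted root are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    """Constructed model of a cross-chain transfer record (hypothetical field names)."""
    recipient: str
    locked_value: int  # value actually locked on the source chain, in wei
    payout: int        # value the record asks the destination bridge to release, in wei

    def leaf(self) -> bytes:
        return hashlib.sha256(f"{self.recipient}|{self.locked_value}|{self.payout}".encode()).digest()

def _node(a: bytes, b: bytes) -> bytes:
    return hashlib.sha256(min(a, b) + max(a, b)).digest()  # order-independent pair hash

def merkle_root_and_proof(leaves: list, index: int):
    """Root committing to `leaves` plus the sibling path for leaves[index]."""
    level, proof = list(leaves), []
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        proof.append(level[index ^ 1])
        level = [_node(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return level[0], proof

def verify_proof(leaf: bytes, proof: list, root: bytes) -> bool:
    for sibling in proof:
        leaf = _node(leaf, sibling)
    return leaf == root

def release_vulnerable(t: Transfer, proof: list, trusted_root: bytes, reserve: int) -> int:
    """Pays out on a valid proof alone; the locked amount is never compared to the payout.
    Returns the reserve left after paying. trusted_root is assumed already notarised."""
    if not verify_proof(t.leaf(), proof, trusted_root):
        raise ValueError("invalid proof")
    return reserve - t.payout

def release_hardened(t: Transfer, proof: list, trusted_root: bytes, reserve: int) -> int:
    """Same proof check, plus the source-amount validation the article says was missing."""
    if not verify_proof(t.leaf(), proof, trusted_root):
        raise ValueError("invalid proof")
    if t.payout == 0 or t.locked_value < t.payout:
        raise ValueError("payout exceeds value locked on the source chain")
    if t.payout > reserve:
        raise ValueError("insufficient reserve")
    return reserve - t.payout
```

A record that locks nothing but claims a payout carries a perfectly valid proof in both versions; only the second function turns that into a rejection, which is the check worth a regression test in any bridge release path.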
Bridges Remain the Weakest Point in DeFi
The Verus recovery is a rare positive outcome in what has been the worst year on record for bridge security. PeckShield's running count puts bridge-related losses at roughly $328.6 million across eight major incidents in 2026 alone. Cross-chain bridges now account for approximately $2.9 billion of the more than $16.5 billion stolen across DeFi over the past decade, according to DefiLlama data.
April was the worst month of the year, with cumulative DeFi losses of $634 million driven by the $293 million Kelp exploit and the $285 million Drift Protocol breach. May has been far quieter, with roughly $38 million stolen so far this month, the Verus incident included. The broader takeaway has not changed since we covered the original exploit. Bridge security in 2026 remains the unsolved problem at the centre of multi-chain crypto infrastructure. The cryptographic primitives work, but the validation logic that binds source-chain value to destination payouts repeatedly does not. The Verus team got most of its users' funds back this time. The next protocol to lose a bridge may not be so fortunate.