The decentralized finance (DeFi) sector is facing yet another serious security breach, as the Verus Ethereum bridge has become a casualty of an escalating series of cross-chain exploits.
As of the time this is being reported, the attack is still ongoing with damages already exceeding $11.58 million worth. Such incidents are a consequence of the revelation of gaps in bridge architecture which has existed even before.
Preliminary assessments from a few blockchain security firms, reported that the exploit is not only financially large but technically complicated as well and could involve basic vulnerabilities in how validation protocols or contract permission schemes are built. With the investigations getting underway, however, this Verus case is quickly blossoming into a major flagship example of how systemic risks in cross-chain infrastructure can proliferate.
Total Assets Diverted From The Bridge
According to detailed reports after Blockaid incident update and confirmation on fortifies of the exploit by PeckShield alert on the exploit, which identifies unique assets looted from the breach, the attacker drained the bridge of 103.6 tBTC, 1,625 ETH, and approximately 147k USDC.
The assets were then pooled and swapped into 5,402 ETH, roughly $11.4 million at the time.
Community alert:
Blockaid's exploit detection system has identified an on-going exploit on the @veruscoin Verus-Ethereum Bridge (https://t.co/HEwYZqFEfC).
~$11.58M drained so far.More details in
— Blockaid (@blockaid_) May 18, 2026
Community alert: 
The swap of the asset is a typical pattern after exploits take place, where they collect disparate tokens and turn them into a single high-value liquid cryptocurrency (in this case ETH) to simply transfer or wash.
Another interesting point is how the attackers funded their wallet initially: as Peckshield pointed out, it was filled with only 1 ETH through Tornado Cash around 14h before the hack. The usage of privacy-enhancing tools like this is just further evidence of the continual evolution to obscure the attribution of malicious activity.
Attack Method Suggests Weakness In Bridge Logic
Insufficient technical specifications have yet to be fully assessed but preliminary analysis suggests the exploit exploited a weakness in the bridge’s main logic.
The analysis by GoPlus Security shows that the attacker started submitting a low-value transaction to the bridge contract. This seemingly innocent action was then quickly followed by the execution of a designated function that initiated an undesired transfer of reserve assets directly into the hacker’s wallet.
The attacker drained a large amount of assets from the Ethereum side of the bridge in a single transaction (1,625 ETH + 103.57 tBTC + 147K… pic.twitter.com/F2EhhYfbCD
— GoPlus Security
(@GoPlusSecurity) GoPlus Security initially proposed some possible root causes: holes in cross-chain message validation failure; signature forgery; withdrawal logic error; access control policies and implementation mistakes.
All of these fields are critical to the security of bridges. Compromise in any can let attackers bypass protections and deplete pooled funds, which is exactly the breach we have observed.
While the criticism was expected, some were disappointed by the lack of immediate response.
The Verus developers have not released any official comment on the exploit by the time of publishing. The silence is deafening, especially considering the size and continuity of the unprecedented attack.
Prompt communication in a DeFi incident has been important as containment, coordination and user confidence hinges on this.
Without communication the threat of decaying market confidence looms especially damaging as bridge exploits are hitting headlines nationally throughout 2026.
Bridge Exploits Account for Massive Majority of Losses in 2026
The exploit of Verus is merely one in a larger trend this year that has left millions of dollars worth of various dollars damaged on cross-chain bridges.
According to data from PeckShield, in 2026 there were eight large bridge hacking incidents with a cumulative loss of $328.6 million.
The biggest incident is still the KelpDAO/LayerZero exploits with a loss of $292m. Among these incidents, the largest was the KelpDAO / LayerZero exploit, which accounted for a staggering $292 million in losses. Other notable breaches include the Verus Ethereum bridge at $11.4 million, THORChain at around $10 million, and the IoTeX bridge at $8.8 million.
#PeckShieldAlert As of mid-May 2026, the crypto space has witnessed 8 major #bridge-related exploits, with hackers exfiltrating a cumulative $328.6M from cross-chain protocols.
The table below outlines the details of these incidents: pic.twitter.com/0xTNxIHi4b— PeckShieldAlert (@PeckShieldAlert) May 18, 2026
The dominance of bridge-related losses underscores a long-term challenge for the industry: Although bridges are an important enabling technology for cross-chain interoperability, they can also create complex attack vectors that are hard to defend against completely.
Increasing Complexity In Cross-Chain Attacks From Data
One of the most interesting aspects of the Verus exploit is how small and simple the initial transaction was, especially for such a massive transfer of assets.
Low-Value Transaction to Activate Huge Transfer by Attacker, this shows that minor oversights in terms of contract design with minimum value can cause major disasters. At the same time, background measures, such as sending cash to support the attackers pockets via Tornado Money, show an operational end level that is very much in line with progressively industrialized risk stars.
What makes this stand out is the combination of simple harvesting techniques with strategic misdirection, something that is becoming common-place in modern-day DeFi exploits. Adversaries are not just finding tech weaknesses, they know what it is and fine-tuning their social engineering, looking to do as much damage with the least detection.
Industry Continues To Reckon With Security
The continuous targeting of bridge infrastructure in the DeFi space forces fundamental questions about the resilience of current security paradigms, as we witness this sector mature.
Bridges, which allow for liquidity and interoperability between blockchains, are necessarily complex; therefore achieving complete security is a difficult problem. Every hack that transpires strengthens the case for more robust validation systems, stricter contract audits, and perhaps even entirely new architectural frameworks to minimize reliance on centralized or semi-centralized elements.
The Verus Ethereum bridge exploit is a timely reminder of the dangers in DeFi when it’s confronted by new tools. The same retaliation based attacks were seen during the ill-fated launch of Project Mist, and as such it seems these types of threats won’t be going anywhere fast. Unfortunately, attackers constantly change, which means that the industry has to build systems not only against known threats but also against unanticipated vulnerabilities in the future.
Disclosure: This is not trading or investment advice. Always do your research before buying any cryptocurrency or investing in any services.
Follow us on Twitter @nulltxnews to stay updated with the latest Crypto, NFT, AI, Cybersecurity, Distributed Computing, and Metaverse news!
