The DeFi protocol Verus has suffered a loss of approximately $11.5 million following an attack on its cross-chain bridge with Ethereum. This was reported by cybersecurity experts from Blockaid, PeckShield, and GoPlus.
🔎 Verus-Ethereum Bridge $11.58M drain — Suspected root cause
Same class as Wormhole-2022 / Nomad-2022: source ↔ destination economic-value binding gap.
What the bridge correctly verifies:
✓ Notarized Verus state root (8/15 valid notary sigs, all cryptographically sound)
✓…— Blockaid (@blockaid_) May 18, 2026
According to PeckShield, the hacker extracted 103.6 tBTC, 1625 ETH, and 147,000 USDC, subsequently exchanging the assets for 5402 ETH. At the time of publication, the funds remain in the attacker’s wallet.
#PeckShieldAlert The @veruscoin Verus-Ethereum Bridge has been drained for 103.6 $tBTC, 1.625K $ETH, and 147K $USDC.
The exploiter swapped the stolen assets for 5,402.4 $ETH (~$11.4M), which currently sits in 0x65Cb8b128Bf6e690761044CCECA422bb239C25F9.
The attacker’s address… https://t.co/DK0CDUAcqb pic.twitter.com/NMa8abhaTH
— PeckShieldAlert (@PeckShieldAlert) May 18, 2026
The attacker obtained funds for transaction fees through the mixer Tornado Cash 14 hours before the breach.
GoPlus experts explained that the attacker sent a low-cost transaction and triggered a contract function to withdraw reserves en masse. The incident is likely attributed to a vulnerability in the withdrawal logic or signature forgery during cross-network message verification.
🚨GoPlus Security Alert: @veruscoin Verus-Ethereum Bridge attacked, losing about $11.5 million
The attacker moved large assets (1,625 ETH + 103.57 tBTC + 147k USDC) from the Ethereum side in a single transaction via the bridge contract.
This is another typical case of bridge-related attacks in 2026, with previous losses from Kelp DAO, Hyperbridge, etc., amounting to hundreds of millions of dollars. … pic.twitter.com/SB7JmfHggl
— GoPlus中文社区 (@GoPlusZH) May 18, 2026
The developers of Verus have not commented on the situation. The bridge between the Verus and Ethereum networks was launched in October 2023. The protocol itself has been operational since 2018, focusing on user privacy.
The decentralized finance industry frequently encounters such threats. The total amount of funds locked in DeFi and lost due to hacks exceeds $7.7 billion.
Cross-chain bridge vulnerabilities account for over $3.2 billion in losses.
Back in April, Kelp was hacked, allegedly by the Lazarus Group. The incident was the largest in the DeFi sector since the beginning of the year.
In May, attackers extracted $10 million from the cross-chain protocol THORChain. The project’s developers confirmed the hack and denied the launch of a compensation program.