Another Ethereum bridge just got drained for $11.58 million and the attack vector is still unknown
The bridge exploit count for 2026 keeps climbing and the Verus-Ethereum Bridge is the latest name on the list.
Hackers drained approximately $11.58 million from the Verus-Ethereum Bridge on May 18 in an attack that was detected while still active by Blockaid's exploit detection system. The attacker extracted 103.6 tBTC, 1,625 $ETH , and approximately 147,000 USDC from the bridge before swapping the assets into roughly 5,402 ETH worth approximately $11.4 million at time of reporting. All stolen funds currently sit in the wallet address 0x65Cb...25F9.
The attacker's address was funded with 1 ETH through Tornado Cash approximately 14 hours before the exploit, a standard preparation pattern for obscuring transaction trails before an attack executes. The exact exploit vector remains under investigation with developers and security researchers still determining whether the vulnerability originated from validator systems, smart contract logic, or another flaw in the protocol architecture.
The timing adds weight to a conversation that was already running hot in DeFi. The Kelp DAO exploit drained $292 million weeks ago. Solv Protocol responded by migrating $700 million in tokenized Bitcoin infrastructure off LayerZero onto Chainlink CCIP specifically because of cross-chain bridge security concerns. The pattern is not random. Bridges hold large amounts of locked liquidity and their complex smart contract structures create attack surfaces that keep producing the same outcome.
Verus-Ethereum Bridge users are waiting for information from the project team on recovery efforts, potential reimbursements, and upcoming security measures.
Bridge security is still the most exploited category in DeFi. Nothing about 2026 has changed that reality.