An attacker connected to the May 18 exploit of the Verus-Ethereum bridge returned 4,052.4 ETH — roughly $8.5 million — to the project's wallet on Thursday, retaining 1,350 ETH, or about $2.8 million, as a bounty under a settlement framework proposed by Verus's core contributors. Blockchain security firm PeckShield, citing onchain data, said the returned amount represents 75% of the assets drained, while the bounty has since been moved by the attacker to a new wallet address.
The transfer came hours after the Verus team publicly outlined the terms in a Thursday post on X, telling the attacker that returning 4,052.4 ETH within 24 hours would prompt the community to halt ongoing investigations, refrain from pressing charges, and not pursue extralegal action. The team said it would also issue a public acknowledgement referencing the 1,350 ETH retained as a bounty. Verus had not formally acknowledged the receipt of the funds as of press time.
Why it matters
The Verus-Ethereum bridge was compromised on May 18 at 11:55 p.m. UTC, according to a Discord announcement from the team. Blockaid estimated total losses at $11.58 million, while PeckShield reported the bridge was drained for 103.6 tBTC, 1,625 ETH, and 147,000 USDC — assets the attacker later swapped into 5,402 ETH worth about $11.4 million. The 75/25 split effectively prices the protocol's tolerance at roughly $2.8 million and its desire to close the incident quickly, while leaving the attacker with a publicly named bounty that functions as both profit and a release from liability.
Market impact
Bridge exploits remain a persistent structural risk for cross-chain liquidity, and the negotiated return rather than a hard recovery — via white-hat intervention or validator rollback — highlights how thinly capitalised, community-run protocols with no venture backing must self-fund incident response. Verus has said its post-exploit focus is hardening the bridge, conducting additional audits, and developing a community-led plan to address losses. Whether the $2.8 million bounty becomes a reference point for future attackers negotiating with under-resourced teams will be the more durable read on today's outcome.
Frequently asked questions
-
What happened in the Verus bridge exploit?
The Verus-Ethereum bridge was compromised on May 18 at 11:55 p.m. UTC. Blockaid estimated losses at $11.58 million, while PeckShield traced the drain to 103.6 tBTC, 1,625 ETH, and 147,000 USDC, later swapped into about 5,402 ETH.
-
How much did the attacker return and how much did they keep?
The attacker returned 4,052.4 ETH, roughly $8.5 million, representing 75% of the assets drained. They retained 1,350 ETH, about $2.8 million, as a bounty under the settlement framework proposed by the Verus team.
-
What did the Verus team offer the attacker in exchange?
In a Thursday post on X, Verus offered to halt ongoing investigations, refrain from pressing charges, and not pursue extralegal action if 4,052.4 ETH was returned within 24 hours. The team also pledged a public acknowledgement naming the retained 1,350 ETH as a bounty.
-
Has Verus acknowledged receiving the returned funds?
As of press time, the Verus team had not formally acknowledged receipt of the returned 4,052.4 ETH. The attacker has since moved the retained bounty to a new wallet address.
-
What is Verus doing to secure the bridge going forward?
Following the exploit, Verus said its focus is hardening the bridge against vulnerabilities, conducting additional audits, and developing a community-led plan to address fund losses — without venture capital backing.
TheBlock