The DeFi protocol Verus has lost approximately $11.5 million due to an attack on its cross-chain bridge with Ethereum. This was reported by cybersecurity experts from Blockaid, PeckShield, and GoPlus.

🔎 Verus-Ethereum Bridge $11.58M drain — Suspected root cause

Same class as Wormhole-2022 / Nomad-2022: source ↔ destination economic-value binding gap.

What the bridge correctly verifies:
✓ Notarized Verus state root (8/15 valid notary sigs, all cryptographically sound)
✓…

— Blockaid (@blockaid_) May 18, 2026

According to PeckShield, the hacker drained 103.6 tBTC, 1625 ETH, and 147,000 USDC, then exchanged the assets for 5402 ETH. At the time of publication, the funds remain in the attacker’s wallet.

#PeckShieldAlert The @veruscoin Verus-Ethereum Bridge has been drained for 103.6 $tBTC, 1.625K $ETH, and 147K $USDC.

The exploiter swapped the stolen assets for 5,402.4 $ETH (~$11.4M), which currently sits in 0x65Cb8b128Bf6e690761044CCECA422bb239C25F9.

The attacker’s address… https://t.co/DK0CDUAcqb pic.twitter.com/NMa8abhaTH

— PeckShieldAlert (@PeckShieldAlert) May 18, 2026

The hacker obtained funds for transaction fees through the mixer Tornado Cash just 14 hours before the breach.

Experts from GoPlus explained that the attacker initiated a low-cost transaction and triggered a contract function to withdraw reserves en masse. The likely cause of the incident is a vulnerability in the withdrawal logic or a signature forgery during cross-network message verification.

🚨GoPlus安全警报:@veruscoin 的 Verus-Ethereum Bridge 被攻击,损失约1150万美元

攻击者通过桥合约单笔交易从 Ethereum 侧转移大量资产(1,625 ETH + 103.57 tBTC + 147k USDC)。

这是 2026 年桥相关攻击的又一典型案例,此前 Kelp DAO、Hyperbridge 等桥已累计损失数亿美元。… pic.twitter.com/SB7JmfHggl

— GoPlus中文社区 (@GoPlusZH) May 18, 2026

Verus developers have not commented on the situation. The bridge between Verus and Ethereum was launched in October 2023. The protocol itself has been operational since 2018 and focuses on user privacy.

The decentralized finance industry frequently faces such threats. The total amount of funds lost in DeFi hacks exceeds $7.7 billion.

Source: DefiLlama.

Cross-chain bridge vulnerabilities account for over $3.2 billion in losses.

In April, Kelp was hacked, allegedly by the Lazarus Group. This incident became the largest in the DeFi sector this year.

In May, hackers stole $10 million from the cross-chain protocol THORChain. The project developers confirmed the hack and denied the launch of a compensation program.