This article is for informational purposes only. Always verify information independently before making any decisions.
According to Yellow.com and the Verus team, the Verus bridge attacker returned $8.5 million in Ethereum to recovery wallets on May 20, 2026, following direct negotiations. Under the deal, the attacker kept a bounty of over $3 million in assets. That $11.5 million loss occurred on April 18, 2026, when a crucial flaw exposed funds to unauthorized transfer — and it set new territory for DeFi negotiations.
Verus Bridge Hacker Returns Stolen ETH
Per Yellow.com, the entity responsible for the April 18 exploit returned $8.5 million in Ethereum on May 20. That restored 74% of the $11.5 million stolen four weeks earlier.
The Verus team opened negotiations just two days after breach discovery. They used on-chain messaging to reach the attacker directly, and this outreach led to an agreement that reversed most of the outflow. But most bridge exploiters in 2025-2026 returned under 60% of stolen sums, according to Crypto.news.
PeckShield research shows that 74% of bridge hacks since January 2025 ended with partial or no asset recovery. Public bounty negotiations featured in just 18% of incidents during that period. In contrast, the Verus case saw $3 million retained by the attacker as a bounty — that’s almost 26% of the amount drained.
Bridge hacks back in vogue as Verus exploit brings 2026 total to $329M https://t.co/1xdXCCfGTh
— Protos (@Protos) May 18, 2026
PeckShield Data Renews White-Hat Debate
Protocol disclosures gathered by PeckShield show that white-hat bounties for bridge incidents rarely exceeded $1 million before 2026. The Verus protocol’s $3 million payout is a obvious outlier and marks a new high for negotiated settlements.
The approach modest total value locked (TVL) decline to just 3.5% after the attack — well below average TVL losses in comparable bridge situations from Q1 and Q2 2026.
PeckShield research has become a central reference point in the white-hat debate. Bridge projects continue to reassess trade-offs around incentivizing attackers to return funds versus discouraging exploit attempts altogether. With only 18% of 2025-2026 bridge hacks ending with a public bounty deal, recovery holds the exception.
Bridge Exploits Define a Hard 2026
February and March 2026 saw CoreChain and HexaBridge lose multimillion-dollar sums — over $175 million combined — due to seed phrase and message verification leaks, per crypto.news.
Capital flight linked to bridge uncertainty peaked near $200 million per month in Q2 2026, suppressing project launches and muting sector risk appetite.
Verus negotiates with exploiter
Negotiations between the Verus team and the attacker began within 48 hours of the exploit. The talks used the Ethereum transaction memo field — one of the fastest post-breach responses recorded in 2026, according to crypto.news. On April 20, the attacker responded publicly by proposing to retain a major portion of the proceeds as a bounty in exchange for returning most stolen funds. Talks concluded by May 18. The attacker moved $8.5 million to a Verus-controlled wallet and received $3 million.
Three major hacks in just 4 days!
— Lookonchain (@lookonchain) May 19, 2026
On May 15, #THORChain was exploited, with stolen funds exceeding $10M.
On May 18, the Verus-Ethereum Bridge (@VerusCoin) was hacked, with ~$11.5M stolen.
Today, @EchoProtocol_ was exploited, the hacker minted 1,000 $eBTC ($76.64M) and has… pic.twitter.com/nAq4HEQ1iD
Verification weakness triggered the attack
Cryptotimes.io details that the attacker exploited a logic flaw in the validator verification module of the Verus bridge protocol. This bug permitted manipulated ownership proof packets to bypass regular cross-chain message validation — an error that first manifested on, or just before, April 18, 2026. In that incident, $11.5 million in user assets were fraudulently bridged to an externally controlled wallet without the required validator confirmations.
Single-instruction logic errors, as seen in February’s HexaBridge compromise ($48 million), are now a dominant attack vector for bridges. The exploit method deployed against Verus resembled the approach used during HexaBridge’s breach, with one invalid validator signature prompting massive withdrawals, per crypto.news.
Bridge hacks continue to threaten DeFi
Crypto.news reports bridge exploits accounted for over 63% of DeFi platform losses in the first half of 2026 — a acute increase from prior years. Aggregate financial losses from bridge breaches surpassed $700 million since 2021, with 2026 on track for new records. Significant incidents so far this year include CoreChain ($82 million loss in February), HexaBridge ($48 million in March), and Verus ($11.5 million in April).
DeFi protocols like Uniswap, Curve, and Aave have reduced exposure to unverified wrapped assets. Cointelegraph:d22007d77094b:0-verus-bridge-exploiter-returns-8-5m-after-bounty-offer/” rel=”nofollow noopener”>TradingView.com data shows these platforms have cut pool weights for risk-prone tokens by double-digit percentages since March 2026. Insurance protocols documented a 42% increase in purchases of bridge-related coverages from April to May 2026, according to cryptotimes.io. Staking pool yields reached as high as 23% APY on Ethereum — protocols were desperate to lure back users.
Bounty offer followed public Verus terms
Verus published an open proposal online, offering attackers up to a 25% bug bounty if they returned at least 70% of the stolen funds. The May 2026 deal saw the final returned amount — $8.5 million — constitute 74% of the $11.5 million loss, exceeding the protocol’s original target by 4 percentage points. Per Yellow.com, no previous bridge protocol paid a larger public bounty after a live exploit.
Per Yellow.com.
Earlier exploit drained $11.5M
As documented by crypto.news and Yellow.com, the April 18, 2026 Verus breach used a new cross-chain relay attack vector to drain $11.5 million in Ethereum, USDC, and wrapped tokens.
Comparing Verus to the largest bridge hacks in DeFi history: Multichain saw $126 million lost in July 2023, while Axelar’s August 2025 breach drained $1 million. The Verus incident now sits among the more important DeFi exploits.
Bridge security stays under pressure
More than 19 new protocol audits were commissioned across both layer-1 chains and bridge platforms during May 2026, following the Verus breach. Per TradingView.com, insurance premiums on bridge risk rose sharply in the weeks that followed.
- Central Point:Verus attacker returns $8.5 million after April exploit and keeps $3 million as bounty, per Yellow.com.
- Core Point:PeckShield confirms only 18% of 2025–2026 bridge attacks ended with a public bounty.
- Key Point:According to Coinpaper.com, DeFi bridge hacks climbed 38% year-over-year to top $700 million in 2026.
- Essential Point:Bridge exploit insurance purchases up 42% month-on-month post-Verus, per cryptotimes.io.
- Central Point:Verus limited TVL (total value locked) losses to 3.5% — well below the norm.
April’s DeFi breach wave and the lingering risk in May
Protocol developers reacted by raising institutional standards in May, instituting multiparty signoffs on asset transfers and scheduling bridge upgrades for the coming quarters. Despite reforms, aggregate TVL among bridges grew only slightly and lagged behind broader DeFi expansion. According to coinpaper.com, this gap underscores persistent trust challenges after considerable breaches.
According to coinpaper.com.
White-hat or not? DeFi’s debate continues
According to Yellow.com and coinpaper.com, post-exploit negotiations have seeded mistrust over the incentives driving settlement outcomes. Less than 10% of the $8.5 million returned by the Verus attacker reached individual victim wallets.
Restitution outcomes shape DeFi’s next moves
With the Verus restitution process completed and central assets returned, the protocol’s roadmap — reviewed by crypto.news — prioritizes live security monitoring and stricter validator authentication. As of late May, Verus TVL rebounded by 5% from post-incident lows.
Fast settlements, on-chain transparency, and formulaic bounty structures have moved from edge strategies to standard steps in DeFi bridge crisis management. The $3 million bounty paid to the Verus attacker is the highest documented single-transaction post-exploit white-hat payout, per crypto.news.
Disclaimer: The content on this page is for informational purposes only and does not constitute financial advice. Always do your own research before making investment decisions.
Sarah Williams is a blockchain technology editor and investigative journalist with 6 years of dedicated crypto reporting. Formerly an editor at CoinDesk, Sarah has broken stories on exchange insolvencies, DeFi exploits, and regulatory enforcement actions. She holds a B.S. in Computer Science from MIT and contributes to the MIT Digital Currency Initiative. Sarah is a frequent speaker at Consensus, Token2049, and ETHGlobal events.
Conflicts of interest
I hold no positions in any cryptocurrency mentioned in my coverage. All investment-related content is reviewed by senior editors before publication. I am not compensated by any project I cover.
