The IoTeX blockchain network has publicly offered a 10% "white-hat" bounty, worth approximately $440,000, to the hacker responsible for a $4.4 million exploit of its ioTube cross-chain bridge. The offer, made via an on-chain message and a public post on X, demands the return of the stolen funds within a 48-hour window in exchange for no legal pursuit and confidentiality.
The incident occurred on February 21, 2026, when a compromised validator owner private key on the Ethereum side of the bridge enabled unauthorized control. This allowed the attacker to mint 410 million CIOTX tokens—cross-chain representations of the native IOTX token—and subsequently swap them for other cryptocurrencies. IoTeX co-founder and CEO Raullen Chai confirmed that all fund movements across Ethereum, IoTeX, and Bitcoin have been fully traced, and exchange deposits have been flagged and frozen.
The IOTX token fell roughly 22% following the exploit, dropping from $0.0054 to below $0.0042 before partially rebounding. IoTeX has identified four Bitcoin addresses holding approximately 66.78 BTC (worth ~$4.3 million) and is monitoring them in cooperation with exchanges.
In response to the breach, IoTeX is rolling out a new chain version, Mainnet v2.3.4, which requires node operators to upgrade. The update includes a default blacklist of malicious externally owned account (EOA) addresses to be filtered by the node. The company emphasized that its Layer 1 blockchain was not affected and the breach was isolated to the Ethereum-side infrastructure of the bridge.
Security firm PeckShield's on-chain analysis estimated losses exceeding $8 million, noting the attacker swapped funds into Ether (ETH) and began bridging them to Bitcoin via THORChain. Another investigator, Specter, estimated a $4.3 million loss. IoTeX later revised its figure to approximately $4.3 million, reflecting the direct asset drain but excluding minted tokens.
Industry experts highlighted the operational security failure. Nick Motz, CEO of ORQO Group, stated, "The breach came down to a compromised validator owner private key... which is fundamentally an operational security failure, not a smart contract vulnerability." Nanak Nihal Khalsa, co-founder of human.tech, pointed to unresolved liability norms in crypto compared to traditional finance, calling for stronger wallet and multisig setups.
Cross-chain bridges remain a critical vulnerability in crypto, with industry reports indicating over $3.2 billion lost to bridge hacks. IoTeX stated a compensation plan for affected users would be announced within 48 hours, independent of the bounty outcome.
