The Verus protocol has recovered the majority of funds stolen in a bridge exploit, after the attacker agreed to a bounty deal. On May 22, the exploiter returned 4,052 Ether (ETH) — worth approximately $8.5 million — to the project’s wallet, while retaining 1,350 ETH ($2.8 million) as a reward. The return came just days after the Verus-Ethereum bridge was drained of over $11.5 million on May 18.
Blockchain security firm PeckShield confirmed the transfer, noting that 75% of the stolen assets were sent back under the terms of a bounty hastily offered by Verus. The team had given the hacker 24 hours to return the bulk of the funds in exchange for keeping a quarter of the loot. The returned ETH was moved to a team-controlled address, while the 1,350 ETH bounty was later shifted to a separate wallet.
The exploit itself stemmed from a logic flaw in the bridge’s cross-chain transfer validation. Attackers forged a transaction that the bridge accepted without proper source-amount checks, allowing them to drain 1,625 ETH, 103.6 tBTC, and nearly 147,000 USDC. Those assets were consolidated into roughly 5,402 ETH before the negotiation took place. Unlike in many bridge hacks, where funds are laundered through mixers, direct engagement with the attacker here enabled a swift partial recovery.
The incident underscores the persistent risks of cross-chain infrastructure. DeFi hacks totalled $634 million in April 2026 alone, with bridges remaining a prime target. While May losses have dropped to around $38 million, the Verus case highlights how proactive bounty programs can recover assets faster than law enforcement. Still, the practice remains divisive: some see it as pragmatic damage control, while others argue it incentivizes future attacks.