Buy Crypto
Pay with
USD
USD
Buy & Sell
Hot
Buy and sell crypto via Apple Pay, cards, Google Pay, bank transfers, and more
P2P
0 Fees
Zero fees, 400+ payment options, and seamless cryptocurrency buying & selling
Gate Card
Offer easy crypto transactions globally
Markets
Trade
Basic
Advance
Futures
Futures
Hundreds of contracts settled in USDT or BTC
TradFi
Gold
Trade global traditional assets with USDT in one place
Options
Hot
Trade European-style vanilla options
Unified Account
Maximize your capital efficiency
Futures Kickoff
Get prepared for your futures trading
Futures Events
Participate in events to win generous rewards
Demo Trading
Use virtual funds to experience risk-free trading
Earn
Launch
CandyDrop
Collect candies to earn airdrops
Launchpool
Quick staking, earn potential new tokens
HODLer Airdrop
Hold GT and get massive airdrops for free
Launchpad
Be early to the next big token project
Alpha Points
Trade on-chain assets and enjoy airdrop rewards!
Futures Points
Earn futures points and claim airdrop rewards
Investment
Community
Square
Share your post and stay informed about crypto and beyond
Live
moments live
Live crypto market analysis
Chat
Chat with crypto traders
News
What is happening in crypto
More
Promotions
Diğerleri
TradFi
giveaways
Rewards Hub

IoTeX Offers 10% Bounty to Hackers Following $4.4 Million Cross-Chain Bridge Exploit

CryptopulseElite

IoTeX Offers 10% Bounty to Hackers Following $4.4 Million Cross-Chain Bridge ExploitIoTeX, a blockchain platform focused on Internet-of-Things infrastructure, has offered a 10% white-hat bounty totaling approximately $440,000 to the hackers responsible for exploiting its ioTube cross-chain bridge, contingent on the return of roughly $4.4 million in stolen assets within 48 hours.

The offer, communicated via on-chain message and public statements by IoTeX co-founder and CEO Raullen Chai on February 23, 2026, includes a commitment not to pursue legal action or share identifying information with law enforcement if funds are voluntarily returned. The February 21 exploit originated from a compromised validator owner private key on the Ethereum side of the bridge, which IoTeX and external security analysts have characterized as an operational security failure rather than a vulnerability in the project’s Layer 1 blockchain or smart contract architecture.

The stolen funds, initially estimated by blockchain security firms at up to $8.8 million, have been traced by IoTeX across multiple chains, with the project identifying four bitcoin addresses holding approximately 66.6 BTC. IoTeX is rolling out a mainnet upgrade requiring node operators to implement a default blacklist of malicious addresses, though security experts caution that assets already swapped and bridged through protocols like THORChain may be difficult or unlikely to recover.

Bounty Terms and Communication Strategy

IoTeX’s bounty offer follows a pattern established by previous crypto projects that have successfully negotiated with hackers through similar 10% white-hat incentives. Chai confirmed to CoinDesk that the team sent an on-chain message to the attacker outlining the terms, which include a guarantee not to pursue legal action or share identifying information with law enforcement if remaining funds are returned within the 48-hour window.

“All fund movements across Ethereum, IoTeX, and bitcoin have been fully traced,” Chai stated in the on-chain message. The communication also noted that exchange deposits have been flagged and frozen, limiting the attacker’s ability to liquidate stolen assets through centralized platforms.

Technical Cause and Operational Security Failure

The February 21 exploit enabled unauthorized control over ioTube’s bridge contracts through a compromised validator owner private key on the Ethereum side of the infrastructure. Security analysts have emphasized that the breach did not result from a smart contract vulnerability or compromise of IoTeX’s Layer 1 blockchain.

Nick Motz, CEO of ORQO Group and CIO of Soil, told CoinDesk that “the breach came down to a compromised validator owner private key on the Ethereum side, which is fundamentally an operational security failure, not a smart contract vulnerability discovered by an outside actor.” Motz noted that while IoTeX’s Layer 1 remained secure, user funds were entrusted specifically to the bridge infrastructure that the project built and maintained.

Nanak Nihal Khalsa, co-founder of human.tech, framed the incident in terms of industry-wide responsibility norms. “Yes, whoever holds the private key is responsible for securing it,” Khalsa said. “Is that a reasonable responsibility? It’s hard to say. But that’s how the industry works right now.” Khalsa called for stronger wallet and multisig setups to reduce similar risks, noting that liability norms remain unsettled compared to traditional finance.

Asset Tracing, Minting Activity, and Recovery Prospects

Blockchain security firm PeckShield initially estimated losses exceeding $8 million, reporting that the attacker swapped stolen funds into ether and began bridging them to bitcoin via THORChain. On-chain investigator Specter confirmed the compromise, identifying approximately $4.3 million drained directly from the token safe across multiple assets including USDC, USDT, IOTX, PAYG, WBTC, and BUSD.

According to Specter’s analysis, the attacker also leveraged the compromised contracts to mint approximately 111 million CIOTX tokens, IoTeX’s cross-chain token standard designed for multichain liquidity, valued at an estimated $4 million. An additional 9.3 million CCS tokens, valued at roughly $4.5 million, were also drained, though IoTeX has stated that CCS and many other tokens were deprecated long ago and hold no value, and that CIOTX has been largely frozen.

IoTeX has identified four bitcoin addresses holding 66.78 BTC worth approximately $4.3 million at current prices and stated that the addresses are being monitored in cooperation with exchanges. A CoinDesk review of those addresses on February 23 confirmed they held roughly 66.6 BTC.

Recovery prospects remain uncertain. Motz warned that “once assets are routed through THORChain… recovery becomes extremely difficult,” adding that “containment is not the same as recovery. The assets with actual market value were swapped and bridged. Those are, in my assessment, unlikely to be recovered.” Khalsa similarly cautioned that “it’s hard to predict how much, if any, can be recovered.”

Market Response and Network Actions

The IOTX token fell approximately 9-22% following the exploit, dropping from $0.0054 to below $0.0042 before partially rebounding. Trading volume surged more than 500% in the immediate aftermath.

IoTeX temporarily halted its blockchain following the incident, with Chai stating the chain would resume within 24-48 hours after implementing address freezing measures. The project is rolling out Mainnet v2.3.4, requiring node operators to upgrade and including a default blacklist of malicious externally owned account (EOA) addresses that will be filtered by nodes.

Chai told The Block that recovery efforts are underway and initial estimates suggest the potential loss is significantly lower than circulating rumors, with the amount currently estimated at approximately $2 million. “We have immediately notified all exchanges to freeze the hacker’s address, they won’t be able to even deposit the token,” Chai said.

Connection to Prior Exploit

On-chain investigator Specter flagged a potential funding trail connecting the IoTeX attacker’s wallet to the $49 million hack of stablecoin neobank Infini in February 2025, one of the largest exploits of last year. The Infini team had accused a former contract developer, known on-chain as shaneson.eth, of retaining administrative privileges and draining the platform’s vault.

Chai told The Block that “we have multiple pieces of evidence suggesting this is a planned attack that could have been developing for six to eighteen months already,” though it remains unclear whether this refers specifically to the potential Infini hacker connection.

Industry Context

The incident adds to a sustained pattern of cross-chain bridge vulnerabilities, which industry reports indicate have resulted in more than $3.2 billion in losses across multiple exploits. Private key compromises accounted for 88% of stolen funds in Q1 2025 and have continued as a persistent threat into 2026, according to Chainalysis, which reported that crypto theft topped $3.4 billion in 2025.

“Private key compromise rather than smart contract bugs is emerging as a dominant attack vector,” Motz said, noting that such incidents target operational security rather than audited code.

IoTeX, founded in 2017, positions itself as a blockchain platform for real-world AI and decentralized physical infrastructure networks (DePINs). The project maintains partnerships with Google, Samsung, and ARM, and integrated with Polygon’s AggLayer in late 2024.

Frequently Asked Questions

What is the 10% white-hat bounty offered by IoTeX?

IoTeX has offered approximately $440,000, representing 10% of the roughly $4.4 million in stolen assets, to the hackers responsible for the ioTube bridge exploit if they voluntarily return the funds within 48 hours. The offer includes a commitment from IoTeX not to pursue legal action or share identifying information with law enforcement.

How did the IoTeX bridge exploit occur?

The February 21, 2026 exploit resulted from a compromised validator owner private key on the Ethereum side of the ioTube cross-chain bridge. Security analysts characterize this as an operational security failure rather than a vulnerability in IoTeX’s Layer 1 blockchain or smart contract architecture. The attacker gained unauthorized control over bridge contracts and drained tokens directly from the vault.

Can the stolen funds be recovered?

Recovery prospects are uncertain. While IoTeX has identified bitcoin addresses holding approximately 66.6 BTC and is coordinating with exchanges to monitor and freeze assets, the attacker swapped stolen funds into ether and bridged them to bitcoin via THORChain, a protocol that makes recovery extremely difficult. Security experts note that assets already swapped and bridged are unlikely to be recovered, though the bounty offer provides an incentive for voluntary return.

Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to Disclaimer.
Comment
0/400
No comments
Trade Crypto Anywhere Anytime
qrCode
Scan to download Gate App
Community
  • 简体中文
  • English
  • Tiếng Việt
  • 繁體中文
  • Español
  • Русский
  • Français (Afrique)
  • Português (Portugal)
  • Bahasa Indonesia
  • 日本語
  • بالعربية
  • Українська
  • Português (Brasil)
    • About UsCareersNewsroomSponsor of Oracle Red Bull RacingFC Inter Official Sleeve PartnerUser AgreementRisk WarningPrivacy PolicyCookie PolicyMedia KitProof of ReservesLicenseSecurityGateToken (GT)GUSDGate ChainGate EventsLaw EnforcementSummitsGate Ventures
    P2PConvert & Block TradingSpot TradingMarginEarn CenterETFFuturesTradFiStocksAlphaNFTGate PayGate LifeGift CardGate OTCGate CharityGate ShopWeb3Gate Perp DEXGate Vault
    VIP BenefitsInstitutionalUser FeedbackAnnouncementFeesHelp CenterSubmit a RequestListingSmart Contract SecurityDevelopersVerification SearchP2P Merchant ApplicationAffiliate ProgramTradingViewCrypto CalendarCross-Chain Solution
    Gate LearnCrypto CoursesCrypto GlossaryCryptocurrency PricesBig DataBitcoin HalvingEthereum (ETH) UpgradeCrypto WikiCrypto Calculator