The IoTeX blockchain network made headlines after hackers drained $4.4 million from its ioTube cross-chain bridge, with stolen funds quickly converted and bridged to Bitcoin. In response, IoTeX publicly offered a 10% white-hat bounty of $440,000 to the attacker in exchange for the return of the remaining funds within 48 hours. This incident has reignited serious concerns about the security of cross-chain bridge infrastructure across the entire crypto industry.
A Brazen Exploit Shakes the IoTeX Network
On February 21, 2026, a sophisticated attacker quietly compromised a validator owner’s private key on the Ethereum side of IoTeX’s ioTube bridge. This was not a flashy smart contract bug or a zero-day vulnerability in the code itself. Rather, it was an operational security failure, one that gave the attacker complete control over the bridge’s most sensitive contracts.
Furthermore, once the attacker gained access, they wasted no time. They upgraded the bridge contract to a malicious version, which in turn allowed them to bypass the signing and verification procedures entirely. As a result, they seized control of two critical systems: MintPool and TokenSafe. From there, the attacker minted a staggering 410 million CIOTX tokens and siphoned assets worth approximately $4.4 million directly from the bridge reserves.
Additionally, the stolen assets were not limited to one type of token. According to blockchain security firm PeckShield, the haul included USDC, USDT, IOTX, WBTC, PAYG, and BUSD. Consequently, the attacker swapped all of these assets into Ethereum (ETH) using decentralized exchanges, including Uniswap. Then, in a move that security analysts immediately flagged, the funds were bridged to Bitcoin via THORChain.
How the Stolen Funds Moved Toward Bitcoin
The pivot to Bitcoin was deliberate and strategic. THORChain is a decentralized liquidity protocol that enables cross-chain swaps without requiring a centralized intermediary. Therefore, routing funds through it significantly complicates recovery efforts. Security expert Motz put it plainly: “Once assets are routed through THORChain, recovery becomes extremely difficult.”
Nevertheless, IoTeX’s team moved quickly. On-chain analysts and blockchain forensics teams traced the flow of funds and identified four specific Bitcoin addresses holding approximately 66.78 BTC, worth roughly $4.3 million at current prices. Moreover, a review of those addresses on February 23 confirmed they still held about 66.6 BTC at the time of writing. IoTeX announced it is monitoring those Bitcoin addresses in close cooperation with cryptocurrency exchanges. (Source: CoinDesk — https://www.coindesk.com/business/2026/02/23/iotex-bridge-exploit-sparks-debate-over-losses-and-recovery-prospects)
Meanwhile, PeckShield estimated the total affected assets at more than $8 million when factoring in the unauthorized minting of CIOTX tokens. IoTeX, however, revised its own figure to approximately $4.3 million, reflecting the direct asset drain and excluding the minted tokens. Regardless of which number one accepts, this was one of the more significant bridge exploits in recent memory.
IoTeX’s Bold Bounty Offer
Faced with a complex recovery situation, IoTeX co-founder and CEO Raullen Chai took an approach that has become increasingly common across the DeFi industry. He publicly offered the attacker a 10% white-hat bounty, totaling $440,000, in exchange for the voluntary return of the remaining stolen funds within 48 hours. Additionally, Chai committed to not pressing legal charges and promised that no identifying information would be shared with law enforcement if the hacker complied.
This type of offer follows a model used by other major DeFi protocols after breaches, including Poly Network and Cream Finance. In some of those cases, hackers did return the funds in exchange for the bounty. Essentially, the strategy turns a purely adversarial situation into a negotiable one. By offering $440,000 to recover $4 million, the math still heavily favors IoTeX and its users.
Furthermore, the 48-hour deadline carries implied weight. It suggests the team may be pursuing parallel tracks, including on-chain monitoring, exchange cooperation, and legal avenues, that could become more viable after that window closes. Accordingly, the pressure on the attacker to act was real, not just symbolic. (Source: The Block — https://www.theblock.co/post/390698/iotex-hit-by-private-key-exploit-draining-up-to-8-8-million-from-bridge-contracts)
Bitcoin as the Hacker’s Exit Route
The choice of Bitcoin as the final destination for stolen funds is worth examining closely. Bitcoin’s blockchain is transparent, meaning every transaction is publicly visible. At the same time, Bitcoin does not have native smart contract freezing capabilities the way Ethereum-based tokens do. Therefore, once assets arrive in Bitcoin wallets, the tools available for freezing or recovering them are far more limited.
In contrast, IoTeX was able to lock or freeze more than 86% of the 410 million CIOTX tokens that were minted during the attack. The team also confirmed that 52.4 million IOTX, representing about 12.8% of the minted tokens, had been moved to Binance, and that they are working with the exchange to freeze those funds. Consequently, the portion of stolen assets that made it to Bitcoin represents the most difficult recovery challenge facing the project right now.
Security researcher Motz also noted a broader trend here. “Private key compromise rather than smart contract bugs is emerging as a dominant attack vector,” he said, adding that such incidents target operational security rather than audited code. This shift is significant. It means that even a perfectly written smart contract can be exploited if the keys controlling it are not protected properly. (Source: BitcoinWorld — https://bitcoinworld.co.in/iotex-hack-bounty-cross-chain-bridge/)
Possible Connections to a Previous Major Hack
The investigation into the IoTeX exploit revealed a potentially alarming connection. On-chain investigator Specter posted on X that a funding trail appeared to link the IoTeX attacker’s wallet to the $49 million hack of stablecoin neobank Infini in February 2025. That earlier incident involved a former contract developer, identified on-chain as shaneson.eth, who allegedly retained administrative privileges and drained the platform’s vault.
Chai acknowledged the connection in comments to The Block, saying, “We have multiple pieces of evidence suggesting this is a planned attack that could have been developing for six to eighteen months already.” This suggests the IoTeX exploit was not opportunistic. On the contrary, it may have been a carefully premeditated operation, with the attacker spending months positioning themselves before striking. Given that context, the move to quickly bridge funds to Bitcoin makes even more sense as part of a well-planned exit strategy.
What IoTeX Is Doing to Fix the Problem
Beyond the bounty offer, IoTeX has taken a series of concrete steps to address the situation. To begin with, the team rolled out a new chain version, Mainnet v2.3.4, which requires all node operators to upgrade. This update includes a default blacklist of malicious externally owned account (EOA) addresses to prevent those addresses from interacting with the network going forward.
In addition, IoTeX confirmed that the bridge itself will remain suspended across all chains until an independent security audit is completed. Exchange withdrawals were expected to resume within 24 to 48 hours following the patch rollout. The IOTX token fell roughly 22% in the immediate aftermath of the exploit, dropping from $0.0054 to below $0.0042, before partially recovering. The fact that it did recover somewhat reflects a degree of community confidence in the team’s response.
Looking ahead, IoTeX also announced plans to introduce multisig requirements and a 24-hour timelock for bridge transactions. The team is accelerating governance proposal IIP-55, which aims to decentralize bridge validators. Furthermore, they plan to set transaction limits and expand their existing bug bounty program. Taken together, these are the kinds of structural improvements that should meaningfully reduce the risk of a similar incident in the future. (Source: Bloomingbit — https://en.bloomingbit.io/feed/news/106535)
Cross-Chain Bridges Remain a Persistent Target
This IoTeX incident does not exist in isolation. Cross-chain bridges have been one of the most frequently exploited areas of the entire crypto ecosystem for years. The reason is straightforward: bridges hold large quantities of assets in a concentrated location, and they often involve complex interactions between multiple blockchains, each with different security assumptions.
Moreover, as more assets flow between networks, the value locked in bridge contracts grows. Accordingly, the incentive for attackers to target them grows as well. In the IoTeX case, the attack vector was not the bridge code itself but rather the private key of the validator controlling it. This is a reminder that technical audits of smart contracts, while necessary, are not sufficient on their own. Human and operational security practices must be equally robust.
Additionally, the use of THORChain to bridge stolen assets to Bitcoin adds another layer of complexity to an already difficult recovery situation. THORChain was designed to enable decentralized cross-chain swaps, and it performs that function well. Nevertheless, that same functionality makes it a useful tool for those looking to move assets across chains without leaving easy recovery pathways. The Bitcoin network itself is immutable, meaning no central authority can reverse or freeze a completed Bitcoin transaction.
The Broader Lesson for DeFi Security
One of the most important takeaways from the IoTeX bridge hack is that the threat landscape is evolving faster than many teams realize. Attackers are increasingly sophisticated. They study their targets for months, identify the weakest link in the operational chain, and then strike at the right moment. In IoTeX’s case, that weakest link was a single private key with enormous control over the bridge infrastructure.
For that reason, the industry continues to move toward multi-signature schemes and threshold signature systems. These approaches distribute key control across multiple parties so that no single compromised key can give an attacker complete control. Furthermore, time-locked withdrawals, real-time transaction monitoring, and decentralized validator sets all serve as additional layers of protection that teams should prioritize.
The 10% bounty model is also worth noting as a practical recovery tool. While it may feel counterintuitive to reward a criminal, the practical reality of blockchain security makes it one of the more effective options available. Prosecuting anonymous hackers operating across multiple blockchains is slow, expensive, and uncertain in outcome. A negotiated return of funds, even at a 10% cost, often serves users better than years of legal proceedings.
As the 48-hour deadline passed, the crypto community watched closely to see whether the attacker would take the deal. Regardless of the outcome in this specific case, the incident reinforced a lesson the industry has been absorbing repeatedly: securing cross-chain bridge infrastructure requires much more than clean code. It demands rigorous key management, decentralized control structures, and constant vigilance from operations teams at every level.
Bitcoin continues to play a central role in these incidents, both as a legitimate store of value for millions of users worldwide and, unfortunately, as a preferred exit route for those seeking to launder stolen digital assets. Understanding that dual role is essential for anyone building or investing in the cross-chain ecosystem going forward. The IoTeX situation is a pointed reminder that Bitcoin’s properties of transparency without reversibility cut both ways in a crisis, and that the industry still has significant work to do before cross-chain infrastructure can be considered truly secure.
Sources
- CoinDesk: IoTeX Bridge Exploit Sparks Debate Over Losses and Recovery Prospects https://www.coindesk.com/business/2026/02/23/iotex-bridge-exploit-sparks-debate-over-losses-and-recovery-prospects
- The Block: IoTeX Hit by Private Key Exploit Draining Up to $8.8 Million from Bridge Contracts https://www.theblock.co/post/390698/iotex-hit-by-private-key-exploit-draining-up-to-8-8-million-from-bridge-contracts
- BitcoinWorld: IoTeX Hack: Urgent $440K Bounty Offer Reveals Critical Cross-Chain Bridge Vulnerability https://bitcoinworld.co.in/iotex-hack-bounty-cross-chain-bridge/
- Bloomingbit: IoTeX Bridge Hit by Attack, Recovery and Compensation Plan Disclosed Within 48 Hours https://en.bloomingbit.io/feed/news/106535
- CryptoRank: IoTeX Bridge Hack Exposes Critical Bridge Vulnerabilities https://cryptorank.io/news/feed/17499-iotex-bridge-hack-crypto-theft
- PeckShield Security Alerts on X https://twitter.com/PeckShieldAlert
- THORChain Documentation: Cross-Chain Swaps Explained https://docs.thorchain.org
