Rewards Hub 
On February 21, 2026, a single compromised private key gave an attacker full control over IoTeX's ioTube cross-chain bridge on Ethereum. Within hours, roughly $4.3 million in tokens were drained from the bridge's TokenSafe contract, including USDC, USDT, IOTX, WBTC, and BUSD. The attacker then minted an additional 111 million CIOTX tokens (worth an estimated $4 million) and 9.3 million CCS tokens ($4.5 million), pushing independent loss estimates fromPeckShield past $8 million total.
IoTeX's own figure sits at $4.3 million in direct asset losses. Either way, the stolen funds were swapped into ETH through Uniswap and bridged to Bitcoin via THORChain before anyone could freeze them. IOTX dropped 22% in the aftermath, falling from $0.0054 to below $0.0042 before partially recovering.
What Happened to IoTeX's ioTube Bridge?
The ioTube bridge is IoTeX's in-house cross-chain infrastructure, built to move tokens between its Layer 1 blockchain and networks like Ethereum, Binance Smart Chain, and Base. The attacker didn't find a bug in a smart contract or exploit a flaw in the code logic. Instead, they compromised the validator owner's private key on the Ethereum side of the bridge, which gave them administrative control over two contracts: MintPool (which creates wrapped tokens) and TokenSafe (which holds locked assets backing those wrapped tokens).
With that single key, the attacker could both withdraw real assets from the vault and mint new wrapped tokens out of thin air. The sequence unfolded between 7 and 9 AM UTC on February 21. On-chain analyst Specter flagged the suspicious transactions by 4:20 AM EST, roughly three hours before IoTeX posted its first public acknowledgment on X.
Network validators and community members coordinated to pause the ioTube bridge once the breach was identified, preventing further drainage. IoTeX then halted its Layer 1 chain entirely to freeze the attacker's addresses at the network level. The chain was expected to resume within 24 to 48 hours pending security upgrades and a mainnet update that would blacklist the malicious addresses by default.
IoTeX co-founder and CEO Raullen Chai confirmed the incident was isolated to the Ethereum-side bridge infrastructure. The IoTeX L1 chain, its Roll-DPoS consensus mechanism, and all native smart contracts were unaffected. Bridges connected to BSC, Base, and other supported networks also remained operational throughout.
How the Attacker Laundered the Funds
The laundering playbook followed a pattern that security firms have flagged repeatedly in 2025 and 2026. Stolen tokens were swapped into ETH on Uniswap, consolidated into a few wallets, and then bridged to the Bitcoin network throughTHORChain, a decentralized cross-chain liquidity protocol that processes swaps without KYC.
IoTeX identified four Bitcoin wallets holding approximately 66.6 BTC (worth roughly $4.3 million at current prices) as of February 23. CoinDesk independently confirmed the balances. But as Nick Motz, CEO of ORQO Group, told CoinDesk: once assets are routed through THORChain, recovery becomes extremely difficult. The protocol's permissionless nature means there's no central entity to issue a freeze order or reverse transactions.
This isn't a novel tactic. THORChain has emerged as a preferred laundering route for sophisticated attackers precisely because it bridges between UTXO chains (like Bitcoin) and account-based chains (like Ethereum) without intermediaries. The same pattern appeared in a 2023 wallet hack tracked by blockchain sleuth ZachXBT.
More troubling: on-chain analysts have linked the attacker's funding wallet to the $49 million Infini stablecoin platform exploit from February 2025, where a former contract developer retained admin privileges and executed a delayed drain. Both attacks share the same signature: long dwell time, insider-level key access, privileged contract abuse, and cross-chain laundering via THORChain. Chai told The Block the team has evidence suggesting the IoTeX attack was planned six to eighteen months in advance.
The 10% Bounty Offer: How Crypto Negotiations Work
Two days after the exploit, IoTeX sent an on-chain message to the attacker offering a 10% white-hat bounty, roughly $440,000, in exchange for the return of remaining funds within 48 hours. The message also promised not to pursue legal action or share identifying information with law enforcement if the attacker complied.
This approach has become a standard crisis response across DeFi. It works like this: the project identifies the attacker's wallets, makes a public offer via on-chain transaction data (the only reliable way to reach an anonymous hacker), and sets a deadline. If the hacker returns the funds, they keep the bounty. If they don't, the project typically escalates to law enforcement, on-chain bounty hunters, and exchange cooperation to freeze any assets that touch centralized infrastructure.
The track record is mixed but better than doing nothing.
|
Hack
|
Amount Stolen
|
Bounty Offered
|
Outcome
|
|
Euler Finance (Mar 2023)
|
$197M
|
10% + $1M info bounty
|
Full recovery after weeks of negotiation
|
|
Poly Network (Aug 2021)
|
$612M
|
"Mr. White Hat" title
|
Full return (hacker claimed it was for fun)
|
|
Sentiment Protocol (Apr 2023)
|
$1M
|
$95K (10%)
|
90% returned in 2 days
|
|
KyberSwap (Nov 2023)
|
$46M
|
10% ($4.6M)
|
Hacker demanded full protocol control instead
|
|
IoTeX (Feb 2026)
|
$4.3M
|
10% ($440K)
|
Pending as of Feb 24
|
The Euler Finance case is the most instructive parallel. When the protocol lost $197 million in March 2023, it first offered a 10% bounty. The hacker initially moved $1.78 million to Tornado Cash and stopped responding. Euler then announced a $1 million reward for information leading to the hacker's arrest. That escalation, combined with behind-the-scenes pressure from law firm Morrison Foerster and the growing realization that laundering $197 million is harder than stealing it, led the attacker to return all recoverable funds with an apology.
KyberSwap is the cautionary counterexample. The hacker not only rejected the 10% offer but responded with a counter-demand for full control of the protocol, its founding company, and all assets. That negotiation went nowhere.
Why Private Key Exploits Keep Happening
Here's what makes the IoTeX breach significant beyond the dollar amount: the smart contracts themselves worked exactly as designed. Every audit could have been clean. The vulnerability was human, not technical.
Private key compromises accounted for 88% of stolen funds in Q1 2025, according to The Block, and the trend has continued into 2026. The industry spent billions on smart contract audits while attackers walked through the front door.
The pattern repeats across the biggest bridge hacks in crypto history:
|
Bridge Hack
|
Year
|
Loss
|
Root Cause
|
|
Ronin (Axie Infinity)
|
2022
|
$624M
|
5 of 9 validator private keys compromised
|
|
Wormhole
|
2022
|
$326M
|
Signature verification bypass (code flaw)
|
|
BNB Bridge
|
2022
|
$568M
|
Proof verifier bug (code flaw)
|
|
Nomad
|
2022
|
$190M
|
Trusted root exploit (code flaw)
|
|
Flow blockchain
|
Dec 2025
|
$3.9M
|
Private key compromise
|
|
CrossCurve
|
Feb 2026
|
$3M
|
Missing validation check
|
|
IoTeX (ioTube)
|
Feb 2026
|
$4.3M+
|
Validator owner private key compromised
|
Ronin remains the cautionary tale. Sky Mavis controlled four of nine validators on its own bridge, and an unrevooked access permission from a temporary arrangement gave the attacker (later attributed to North Korea's Lazarus Group) enough keys to authorize fraudulent withdrawals. Nobody noticed for six days.
IoTeX detected its breach within hours, which is a genuine improvement. But detection speed doesn't prevent the initial theft when a single private key grants administrative access to millions in locked assets. As Immunefi's Mitchell Amador observed, with code becoming less exploitable, the main attack surface in 2026 is people.
The Broader Cross-Chain Risk Picture
Cross-chain bridge hacks have consumed over $2.8 billion since 2022, making bridges crypto's single most dangerous attack surface by dollar volume. January 2026 alone saw nearly $400 million in total crypto theft industry-wide, and bridge exploits continue to represent a disproportionate share.
The fundamental problem is architectural. Bridges concentrate enormous value in a small number of contracts controlled by a small number of keys. That concentration creates exactly the kind of high-reward, single-point-of-failure target that sophisticated attackers (including state-sponsored groups) are willing to spend months or years planning to exploit.
Recovery rates tell the story. According to industry analysis of 2025 bridge hacks, only about 4.6% of stolen funds were voluntarily returned through negotiated bounties. Another 13% was frozen or rendered unusable through swift team action. But 53.6% of stolen bridge funds remain sitting in dormant wallets, waiting for attention to shift before being laundered further.
Several approaches are emerging to address the structural weakness:
Native light client verification (projects like Succinct and Polymer) removes the validator trust assumption entirely by verifying source chain state through zero-knowledge proofs. Multi-signature improvements with key rotation policies reduce the blast radius of any single compromise. Hardware security modules for validator key storage make remote key extraction significantly harder. Rate-limiting withdrawals, even from privileged addresses, would have capped the IoTeX drain to a fraction of total losses if implemented.
None of these are theoretical. They exist in production on other bridges. The question is why many projects, including IoTeX, haven't adopted them yet.
What Happened to IOTX Price?
IOTX was trading around $0.0054 before the exploit was made public. The token dropped as low as $0.0042 in the immediate aftermath, a roughly 22% decline. As of February 24, IOTX trades near $0.0045 with a market cap of approximately $43 million on CoinMarketCap.
Trading volume spiked over 500% in the 24 hours following the hack, surging past $17 million as panic sellers exited and opportunistic traders entered. South Korea's Upbit placed IOTX on its trading alert list and temporarily suspended deposits and withdrawals. Binance also suspended IoTeX-related transactions as a precautionary measure.
The token's all-time high of $0.26, set in November 2021, now sits 98% above current levels. Even before the hack, IOTX had been declining steadily throughout late 2025 and early 2026, reflecting broader weakness in mid-cap altcoins rather than project-specific issues. The hack accelerated an existing trend rather than creating a new one.
IoTeX said a compensation plan for affected users would be published within 48 hours of the incident. Most of the minted CIOTX and CCS tokens have been frozen or are under active recovery, which should limit the long-term market impact from unauthorized token supply.
What This Means for Traders
Three practical takeaways from the IoTeX hack:
Bridge exposure is protocol risk. If you hold wrapped tokens on any chain (CIOTX, wETH, wBTC through third-party bridges), your exposure isn't just to the underlying asset. It's to the bridge's key management, validator security, and operational practices. A bridge hack can devalue wrapped tokens to zero even while the underlying asset remains fine. Ask yourself if you actually need bridge exposure or if native alternatives exist.
Watch the bounty deadline. IoTeX's 48-hour window from the bounty offer creates a near-term catalyst. If the attacker returns funds, it removes a significant overhang and could trigger a relief rally. If the deadline passes without response, expect IoTeX to escalate to law enforcement and potentially a public information bounty, similar to Euler's playbook. The chain's restart timeline and compensation plan will also influence short-term price action.
Private key hacks are the new meta. Smart contract audits have improved dramatically since 2021. Code-level exploits, while still occurring (CrossCurve's missing validation check in February 2026), are becoming less common relative to operational security failures. Before interacting with any bridge, check that the project uses multi-signature wallets with distributed key holders, has hardware security modules for validator keys, and rate-limits privileged operations. IoTeX's ioTube bridge apparently relied on a single validator owner key for critical Ethereum-side contracts. That single point of failure is what the attacker exploited.
FAQ
Is IoTeX a scam after the bridge hack?
No. IoTeX is a legitimate project founded in 2017 with partnerships with Google, Samsung, and ARM, plus integration with Polygon's AggLayer. The hack targeted ioTube's bridge infrastructure through an operational security failure, not the Layer 1 chain itself. That said, losing $4.3 million from a preventable private key compromise raises fair questions about the team's security practices, particularly given evidence the attack was planned months in advance.
Will the hacker return the IoTeX funds?
Impossible to predict. On-chain analysts have linked the attacker's wallet to the $49 million Infini exploit from 2025, which suggests a sophisticated, organized operation rather than an opportunistic theft. Organized attackers are less likely to negotiate than solo hackers who got in over their heads (like the Euler case). The funds moving through THORChain into Bitcoin makes recovery through legal channels particularly difficult.
How much did IoTeX actually lose?
The number depends on who you ask. IoTeX officially cites approximately $4.3 million in direct asset drains from the TokenSafe contract. PeckShield's broader estimate exceeds $8 million when including minted CIOTX and CCS tokens. IoTeX initially claimed losses around $2 million before revising upward. The discrepancy matters because minted tokens that were subsequently frozen may not represent permanent losses.
Are cross-chain bridges safe to use?
Bridges remain the highest-risk infrastructure in crypto by dollar volume lost. Over $2.8 billion has been stolen from bridge exploits since 2022. If you use bridges, minimize the amount and duration of exposure, prefer bridges that use decentralized validator sets or zero-knowledge proof verification, and avoid leaving wrapped tokens sitting idle in bridge contracts longer than necessary.
Bottom Line
The IoTeX hack is a $4.3 million case study in why the crypto security problem has shifted from code to keys. The smart contracts worked. The audits didn't matter. A single compromised private key, potentially obtained through months of patient planning by an attacker linked to a previous $49 million exploit, was enough to drain a bridge vault that thousands of users depended on.
IoTeX's 10% bounty offer follows a playbook that has worked before (Euler, Sentiment) and failed before (KyberSwap). The outcome will likely hinge on the attacker's identity: an organized group with laundering infrastructure already in place, or someone who recognizes that 66 BTC sitting in monitored wallets is harder to spend than a clean $440,000 bounty.
For traders, the broader lesson is structural: cross-chain bridges concentrate value in ways that attract the most sophisticated attackers in the world, including state-sponsored groups. Until the industry moves decisively toward trustless verification (ZK proofs, native light clients) and away from validator key models, every bridge with meaningful TVL is a target. The question isn't if the next bridge hack will happen. It's which bridge, and how the project responds.
Disclaimer: This article is for informational purposes only and does not constitute financial advice. Cryptocurrency investments carry significant risk. Always conduct your own research before making investment decisions.
