DeFi’s May is anything but calm: Verus cross-chain bridge hacked for $11.58M, bringing this month’s attack incidents to 13

Verus, a privacy-focused and decentralized blockchain network, is currently facing a hacker attack on its Ethereum cross-chain bridge, and has so far suffered losses of approximately $11.58 million. Before the Verus incident, 12 DeFi projects had already been attacked in May.

Verus cross-chain bridge hacked, losses exceed $11.58 million

Verus, a privacy-focused and decentralized blockchain network, is experiencing an attack on its Ethereum cross-chain bridge. It has lost approximately $11.58 million so far, and the official team has not yet responded publicly.

According to investigations by cybersecurity firms PeckShield and Blockaid, on-chain data shows that the attacker drained 103.6 tBTC, 1,625 ETH ($ETH), and 147,000 $USDC from the cross-chain bridge, and converted all of the stolen assets into 5,402 $ETH.

Image source: Blockaid

GoPlus, a security provider, added in its analysis that the attacker likely sent low-value transactions to the cross-chain bridge contract and called specific functions to batch-transfer reserve assets from the contract to the hacker’s wallet. The incident was highly likely caused by forged cross-chain message verification, a withdrawal-logic bypass, or an access-control vulnerability.

Yu Xuan, the founder of SlowMist, also pointed out that the reason for the theft may be that the attacker constructed a fake Merkle proof that passed the verification of Verus’s Ethereum bridge (not open-sourced), allowing them to successfully withdraw funds (ETH/tBTC/USDC). The specific details still need further verification.

Image source: Yu Xuan

In addition, about 14 hours before the attack began, the attacker’s address received 1 ETH through the Tornado Cash mixer as initial funding. As of now, the Verus official team has not issued any public response regarding this incident.

Verus case happened three days after THORChain’s incident

The Verus cross-chain bridge attack came three days after another well-known cross-chain liquidity protocol, THORChain, was hacked.

Crypto City reported that on May 15, THORChain confirmed that it had been hacked, with losses totaling approximately $10.8 million. After suspicious transactions were discovered, the official team immediately halted trading and some cross-chain functions, and worked with security teams to carry out an investigation.

Preliminary investigations indicate that the hacker likely succeeded by exploiting vulnerabilities in the GG20 TSS multi-signature scheme together with malicious-node collaboration. However, users’ wallets were not compromised. Losses were mainly concentrated in the protocol’s own liquidity and internal asset pools.

DeFi hackers shift targeting to the infrastructure layer; concealment and destructive power increase

This year has been anything but calm for DeFi. According to DeFiLlama data, before the Verus incident in May 2026, 12 DeFi protocols had already been attacked, with total losses exceeding $20 million that month alone. Including Verus, the number is 13, and the loss scale reached the tens of millions of dollars.

Recent attacks show that attackers have shifted their goals from simply finding smart contract vulnerabilities to attacking deeper infrastructure layers.

The risk of cross-chain protocols is far higher than that of single-chain DeFi, because their architecture involves multiple complex components, including cross-chain information synchronization, verification nodes, asset routing, and multi-signature processes.

The targets of infrastructure-layer attacks now include remote procedure call (RPC) services, validation networks, oracles, and cross-chain information systems. These attacks are often harder to detect, and once successful, they can directly affect and move large amounts of funds.

Taking the KelpDAO hack that occurred in early 2026 as an example, the protocol suffered losses of as much as $292 million in a short period. A later report published by LayerZero, a cross-chain protocol, said the core issue was that KelpDAO’s cross-chain configuration used a single-validator model.

Image source: KelpDAO. Caption: The KelpDAO hack in early 2026 resulted in losses of up to $292 million in a short time.

By poisoning the RPC, hackers tampered with some nodes’ on-chain state information, causing validators to incorrectly judge the authenticity of the information. Ultimately, they succeeded in forging cross-chain information and bypassing security checks. LayerZero’s co-founder publicly admitted that the protocol had design flaws and said it was willing to take responsibility.

  • **Detailed report:** LayerZero First Admits Design Flaw—Analyzing the Security Blind Spots Behind KelpDAO’s $290 Million Hack

Turning crisis into an opportunity; DeFi enters a period of re-examination

2026 is undoubtedly an unsettled year for the DeFi space, but frequent security incidents are also an opportunity that pushes the industry to review and grow.

Many “decentralized” cross-chain systems still heavily rely on a small number of validation nodes or relay infrastructure in practice. As long as a single validation node is poisoned, attackers can forge cross-chain information and arbitrarily create or transfer assets out of thin air.
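The single-validator failure mode described above, modelled as an added example (not code from LayerZero, KelpDAO or any other project named in this article): the same forged message is relayed under a 1-of-1 and a 2-of-3 verifier configuration. HMAC tags stand in for verifier signatures, and `Verifier`, `rpc_view`, `accept` and `relay` are hypothetical names with constructed sample data.

```python
import hashlib
import hmac

def digest(msg: dict) -> bytes:
    # Canonical encoding: fixed field order, so every verifier hashes the same bytes.
    enc = "|".join(str(msg[k]) for k in ("src_chain", "nonce", "recipient", "amount"))
    return hashlib.sha256(enc.encode()).digest()

class Verifier:
    """Attests only to messages present in the source-chain state its RPC reports."""
    def __init__(self, name: str, key: bytes, rpc_view: set):
        self.name, self.key, self.rpc_view = name, key, rpc_view

    def attest(self, msg: dict):
        d = digest(msg)
        if d not in self.rpc_view:
            return None  # this verifier's RPC never saw the message
        return self.name, hmac.new(self.key, d, hashlib.sha256).digest()

def accept(msg: dict, attestations: list, keys: dict, threshold: int) -> bool:
    """Destination-side check: count distinct configured verifiers with a valid tag."""
    d = digest(msg)
    valid = set()
    for name, tag in attestations:
        key = keys.get(name)
        if key is None:
            continue  # attestation from a verifier that is not configured
        expected = hmac.new(key, d, hashlib.sha256).digest()
        if hmac.compare_digest(tag, expected):
            valid.add(name)  # a set, so a repeated attestation counts once
    return len(valid) >= threshold

def relay(msg: dict, verifiers: list, threshold: int) -> bool:
    keys = {v.name: v.key for v in verifiers}
    atts = [a for a in (v.attest(msg) for v in verifiers) if a is not None]
    return accept(msg, atts, keys, threshold)

# Constructed sample data (not taken from any real incident).
real = {"src_chain": 1, "nonce": 7, "recipient": "0xUSER", "amount": 5}
forged = {"src_chain": 1, "nonce": 8, "recipient": "0xOTHER", "amount": 5000}
honest_view = {digest(real)}
poisoned_view = {digest(real), digest(forged)}  # RPC reports an event that never happened

v1 = Verifier("v1", b"k1-constructed", poisoned_view)
v2 = Verifier("v2", b"k2-constructed", honest_view)
v3 = Verifier("v3", b"k3-constructed", honest_view)

single = relay(forged, [v1], threshold=1)          # 1-of-1: poisoned view decides alone
quorum = relay(forged, [v1, v2, v3], threshold=2)  # 2-of-3: honest views outvote it
```

The quorum only helps if the verifiers read source-chain state through independent RPC providers; three verifiers behind one poisoned endpoint would share the same view and reach the threshold together.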

As the scale of on-chain capital grows, hackers are investing more resources into researching weaknesses in cross-chain architectures, increasing both the difficulty and the potential impact scale of infrastructure-layer attacks.

In the future, DeFi development is expected to shift from pursuing high-speed innovation to a more robust model where security is prioritized. This includes modular architectures, permission isolation, real-time risk monitoring, and multi-layer verification systems, which will become key focuses of the next phase of infrastructure. As cross-chain protocols gradually become an important backbone of decentralized finance, market requirements for their stability and security will inevitably become more stringent.

At the same time, when major protocols openly acknowledge architecture design flaws, it also indicates that the Web3 industry is developing a more mature culture of accountability. After the KelpDAO incident, the industry quickly pooled $300 million to rescue bad debts, demonstrating the resilience of the Ethereum ecosystem.

Further Reading:
DeFi is too slow for the young, too dangerous for the old: we’re all taking interest from government bonds and carrying junk bond risk?

Rescuing DeFi bad debts! Giants like Aave quickly raise $300 million, demonstrating Ethereum ecosystem collaboration
