Hacker Converts $11.5M Stolen from Verus Bridge to ETH via Tornado Cash

How the Attack Unfolded in Real Time

A cyber attacker stole $11.5 million from the Verus-Ethereum cross-chain bridge on May 18, 2026. Security analysts traced the theft to a coordinated exploit. The hacker quickly moved funds into Ethereum and routed them through Tornado Cash, a privacy tool often used to obscure transaction trails. The attack originated from compromised bridge protocols.

The breach targeted the asset transfer mechanism between Verus and Ethereum networks. Initial findings suggest the attacker exploited a vulnerability in the bridge’s validation logic, allowing unauthorized minting of ETH tokens backed by stolen Verus assets. Once the funds were pulled, they were consolidated into a single wallet. Within hours, the hacker began converting the stolen balance into ETH. This step minimized traceability and prepared the funds for laundering.

On-chain data shows the exploit occurred in multiple rapid transactions shortly after 11:00 UTC. The attacker triggered false verification signals, tricking the bridge into releasing ETH equivalents without actual Verus collateral. Over 27,000 ETH worth of Verus tokens were forged and swapped. Blockaid, which flagged the incident live, confirmed the receiving wallet had prior links to high-risk addresses. The entire theft was executed in under 18 minutes.

Could This Happen to Other Cross-Chain Bridges?

Security experts noted unusual gas spikes during the transaction sequence, indicating deliberate timing to avoid detection. „This wasn’t a random probe,” said a blockchain analyst familiar with the case. „The precision suggests insider knowledge or extensive pre-testing on testnets.” The use of Tornado Cash followed minutes after the final swap, splitting the ETH into smaller, obfuscated transfers.

Cross-chain bridges remain a prime target due to their complex trust models and high asset concentration. The Verus incident adds to a growing list of bridge exploits, including past breaches at Wormhole and Multichain. Unlike smart contract platforms, bridges often rely on external validators or oracles, creating weak points. Over $2 billion in crypto has been lost to bridge attacks since 2022.

Verus has not issued a public response. However, community moderators on official forums acknowledged the breach and urged users to halt transactions. No rollback or recovery plan has been announced. Experts warn that without stronger audit standards and decentralized validation, similar attacks will persist.

Frequently Asked Questions

How did the hacker convert Verus assets into ETH? The attacker exploited a flaw in the bridge’s verification system, allowing fake deposits to trigger ETH withdrawals. These were then sent to a private wallet for further processing.

Why was Tornado Cash used? Tornado Cash mixes cryptocurrency transactions to hide their origin. By routing the stolen ETH through it, the hacker made tracking and recovery significantly harder.

Is any of the stolen money recoverable? Recovery depends on whether exchanges or wallet providers freeze linked addresses. Given the use of privacy tools, chances are low but not impossible. Law enforcement may still trace off-ramp points.