A Two-Hour Window That Cost $8.8 Million
Between 7:00 and 9:00 AM UTC on February 21, 2026, an attacker with a compromised private key systematically emptied IoTeX's cross-chain bridge contracts. As of the time of writing, on-chain analyst Specter estimates total losses at approximately $8.8 million, though IoTeX has pushed back on that figure, stating the actual damage is "significantly lower than circulating rumors suggest."
The breach hit IoTeX's TokenSafe and MinterPool contracts, giving the attacker authorized access rather than exploiting a smart contract vulnerability. That distinction matters: this was not a code bug. Someone gained control of the keys that governed the bridge's funds, and the contracts executed exactly as designed, just for the wrong person.
IOTX, the native token of the IoTeX network, dropped 9.2% within hours of the exploit going public. Daily trading volume surged over 507% as holders scrambled to assess the damage.
What the Attacker Took and Where It Went
The initial drain pulled $4.3 million in tokens from the bridge's TokenSafe, including USDC, USDT, IOTX, PAYG, WBTC, and BUSD. But the attacker did not stop at withdrawals.
Using the same compromised access, the hacker minted 111 million CIOTX tokens worth roughly $4 million and drained $4.5 million in CCS tokens. The unauthorized minting raised the total estimated loss to nearly $9 million and introduced a separate concern about token supply integrity. If minted tokens enter circulation and get sold before the team can freeze them, the dilution compounds the direct theft.
The stolen assets were quickly swapped to ETH. Specter tracked approximately 45 ETH being bridged to the Bitcoin network through THORChain, the cross-chain liquidity protocol that enables native swaps between blockchains without intermediaries. THORChain has become the preferred laundering route for exploit funds because it does not require KYC, operates permissionlessly, and moves assets across chain boundaries where single-chain freezing tools lose visibility.
Why Private Key Exploits Keep Happening
Private key compromises account for some of the largest losses in crypto history, and IoTeX's breach follows a well-documented pattern. The attacker did not need to find a logic flaw in a smart contract or manipulate an oracle. They needed one thing: the key that controls the bridge's administrative functions.
Cross-chain bridges remain the single most dangerous attack surface in crypto. According to industry data, over $1.5 billion in stolen funds flowed through bridge exploits in 2025 alone, representing more than half of all crypto theft that year. The total damage from bridge hacks since 2022 exceeds $2.8 billion.
The IoTeX bridge, called ioTube, connects the IoTeX Layer 1 chain with Ethereum and other EVM-compatible networks. IoTeX itself is an EVM-compatible blockchain focused on Decentralized Physical Infrastructure Networks (DePIN), with partnerships including Google, Samsung, and ARM. Its market cap sat near $46 million at the time of the exploit.
For a $46 million market cap project, losing $8.8 million in a single exploit is catastrophic. That figure represents roughly 19% of the token's entire market capitalization, a ratio that dwarfs most bridge hacks in relative terms.
IoTeX's Response and the Recovery Playbook
IoTeX confirmed the breach by 10:30 AM UTC, roughly three and a half hours after the attack began. The team stated they were "fully engaged, working around the clock to assess and contain" the situation and had "already coordinated with major exchanges and security partners, which are actively assisting in tracing and freezing the hacker's assets."
The playbook for post-exploit recovery follows a predictable sequence: confirm the breach, engage exchanges to flag and freeze tainted addresses, work with blockchain analytics firms to trace fund flows, and negotiate with the attacker if possible. Some protocols have recovered funds through bug bounty negotiations, where the attacker returns the majority in exchange for keeping a percentage as a "white hat" reward and avoiding prosecution.
The challenge with THORChain routing is that once funds cross into Bitcoin, they become significantly harder to trace and freeze. Bitcoin's UTXO model combined with mixing services creates layers of obfuscation that Ethereum's account-based model does not offer. The 45 ETH already bridged to Bitcoin may be unrecoverable.
What Bridge Users Should Check Right Now
If you held tokens in ioTube or interacted with IoTeX's bridge contracts, the immediate steps are straightforward but time-sensitive:
-
Revoke approvals. If you ever granted token approvals to IoTeX bridge contracts, revoke them immediately using Revoke.cash or a similar tool. A compromised key may still have access to contracts that can pull from wallets with standing approvals.
-
Move IOTX off centralized exchanges temporarily. With volume spiking 507% and the situation still developing, price volatility will remain elevated. If you are a long-term holder, consider whether your position is sized appropriately for a project that just lost 19% of its market cap in bridge funds.
-
Check for unauthorized CIOTX tokens. The minting of 111 million CIOTX tokens means new supply entered the ecosystem. If you hold CIOTX or any wrapped IoTeX tokens, verify that the supply figures match pre-exploit levels before making any trading decisions.
For users of self-custody wallets and crypto cards, this exploit reinforces a core principle: bridge interactions carry inherent risk that scales with the security model of the bridge operator. Cards that let you spend directly from self-custody, like those from MetaMask or Gnosis Pay, avoid the bridge risk entirely because your funds never leave your wallet until the moment of purchase.
The Bigger Picture for Bridge Security
The IoTeX hack is the latest data point in an unresolved crisis. Cross-chain bridges aggregate massive pools of liquidity behind a small number of administrative keys. When those keys are compromised, the entire pool is at risk.
The industry has proposed several solutions: multi-party computation (MPC) for key management, timelocks that delay large withdrawals, proof-based bridges that verify transactions cryptographically rather than trusting a set of signers, and insurance protocols that cover bridge deposits. Some of these are in production. Most major bridges still rely on multi-sig schemes that are only as strong as the operational security of their signers.
IoTeX's exploit also highlights a secondary risk: minting authority. The attacker did not just drain existing funds. They created new tokens. Any bridge that gives administrative keys the power to mint wrapped tokens is exposing users to unlimited downside if those keys are compromised. The $4.3 million direct theft is bad. The $4 million in minted CIOTX tokens is potentially worse, because it undermines trust in the token's supply guarantees.
Until bridge architecture moves fully to proof-based or trustless designs, private key compromises will remain the most efficient attack vector in crypto. No amount of smart contract auditing can protect against a compromised key.
FAQ
How much was stolen in the IoTeX bridge hack? On-chain analyst Specter estimates total losses at approximately $8.8 million, including $4.3 million in direct token theft and additional losses from minted CIOTX and CCS tokens. IoTeX has stated the actual figure is lower than public estimates but has not provided a specific number.
What tokens were stolen? The attacker drained USDC, USDT, IOTX, PAYG, WBTC, and BUSD from the bridge's TokenSafe. They also minted 111 million CIOTX tokens and drained $4.5 million in CCS tokens using the same compromised access.
Where are the stolen funds now? The attacker swapped stolen assets to ETH and began routing funds to Bitcoin through THORChain. As of the time of writing, approximately 45 ETH had been bridged to Bitcoin, making recovery significantly more difficult.
Is it safe to use IoTeX's bridge right now? No. Until IoTeX confirms the root cause is patched and the compromised keys are rotated, users should not interact with ioTube bridge contracts. Revoke any existing token approvals to IoTeX bridge contracts immediately.
What is IoTeX? IoTeX is an EVM-compatible Layer 1 blockchain focused on Decentralized Physical Infrastructure Networks (DePIN). It aims to connect real-world devices to blockchain networks and has partnerships with Google, Samsung, and ARM.
Overview
IoTeX's cross-chain bridge was drained for an estimated $8.8 million on February 21, 2026, after an attacker compromised a private key controlling the bridge's TokenSafe and MinterPool contracts. The hacker stole $4.3 million in tokens, minted $4 million in CIOTX, and drained $4.5 million in CCS before routing funds through THORChain to Bitcoin. IOTX dropped 9.2% with a 507% volume spike. The exploit follows a pattern of bridge hacks that have collectively cost the industry billions since 2022, and reinforces why self-custody spending solutions that avoid bridge interactions remain the safest way to use crypto for everyday purchases.
Recommended Reading
- Specialized AI Detects 92 Percent of Real-World DeFi Exploits While Generic Models Catch Just a Third
- Uniswap Founder Hayden Adams Says the Ad Economy Needs to Go After a Fake Google Ad Drains a Trader's Entire Net Worth
- Coinbase Custodies 80 Percent of US Crypto ETF Assets After $31 Billion in Inflows, and the Concentration Risk Is Getting Harder to Ignore
