PeckShield's on-chain monitor flagged an attack on the Verus-Ethereum bridge in the early hours of May 18, 2026 UTC, with roughly $11.4 million siphoned out of the contract before the exploiter began routing funds through Tornado Cash. Coin Bureau amplified the alert in a post that drew more than 7,400 views within the first hour, putting the incident firmly on the radar of bridge-focused security teams.
The exploit landed against a softening market. Bitcoin trades at $76,952 as of May 18, down 1.5% over 24 hours, while ETH sits at $2,122 (-3.0%) and the Crypto Fear & Greed Index reads 39, in Fear territory. None of those moves are exploit-driven, but they shape the environment any bridge team has to respond inside.
Sequence of the attack
Verus runs a two-way peg between its own proof-of-power chain and Ethereum mainnet via a smart contract that holds wrapped versions of bridged assets. According to the PeckShield alert, the attacker drained the contract in a single transaction, took control of approximately $11.4M in mixed assets, and began converting the proceeds into ETH on a DEX before depositing into Tornado Cash.
That routing pattern matches the standard bridge-exploit playbook of the last 18 months: hit the contract, swap to ETH within minutes, push through a mixer before the team can coordinate a freeze with centralized exchanges. The speed is what makes recovery hard. Once funds enter Tornado, the on-chain trail effectively ends for forensic purposes, even if off-chain intelligence later helps identify the operator.
Verus has not yet issued a public post-mortem at the time of writing. The team's last X update predates the incident. Bridge users should treat any pending withdrawals as untrusted until the team publishes a status update and confirms which contract addresses are still safe to interact with.
Verus is small, but the loss is meaningful
Verus is not a top-100 chain. The protocol is best known for its merge-mined PoW design and a small but active developer community that ships native CryptoConditions-based smart contracts. $11.4M is therefore a large fraction of bridged value, not a rounding error against a multi-billion-dollar TVL.
Two practical consequences follow. Bridged Verus assets on Ethereum may trade at a sharp discount until the team confirms remaining backing. Anyone holding wrapped VRSC or other bridged Verus tokens on Ethereum should assume the peg is broken until proven otherwise. Liquidity providers in any DEX pool involving those wrapped assets should also expect adverse selection during the discovery window.
Bridge risk is structural, not accidental
This is the second notable bridge-related incident in a fortnight. Earlier this month, THORChain halted its network after a suspected multichain exploit, and Kraken's migration from LayerZero to Chainlink CCIP was a direct response to an April bridge incident. None of those events share a code base with Verus. They share a category.
Cross-chain bridges concentrate value in a single contract that must accept messages from a foreign consensus system. That design surface has produced the largest single losses in DeFi history. The fix is partly engineering and partly architectural: smaller bridge balances, better message verification, kill switches, and conservative cap limits all reduce the worst-case loss, but no production bridge has eliminated the category risk.
For card users and self-custody wallet holders, the read-across is narrower but real. Many self-custody card products settle through bridged stablecoins or wrapped tokens. The custody risk on the card itself is one layer. The bridge risk on whatever asset funds the card is a separate layer, and the two need to be evaluated independently.
Open questions for the Verus team
The team will need to address several points in any post-mortem. The first is the root cause: was this a signature verification flaw, an admin key compromise, a price-oracle issue, or a logic bug in the bridging contract. The second is the status of remaining bridged liquidity and whether the team can backstop affected users from a treasury or insurance fund. The third is the path forward: a pause and patch, a redeployment to a new contract, or a longer rebuild.
Until those answers arrive, the prudent stance for affected users is to assume losses are not socialized and to take no action that depends on the old bridge contract being safe.
Overview
Approximately $11.4M was drained from the Verus-Ethereum bridge in the early hours of May 18, 2026 UTC, with PeckShield identifying the incident and the attacker rapidly moving proceeds through Tornado Cash. Verus has not yet published a post-mortem. The exploit fits the recurring pattern of bridge incidents that has driven major protocols to rebuild their cross-chain stacks over the last quarter, and reinforces that bridge concentration risk remains a structural weakness rather than a one-off engineering failure.
