Verus Bridge Loses $11.5M Days After Its Own Critical Security Update

The Verus-Ethereum Bridge was drained for $11.58 million on May 18, 2026. One transaction. Gone.

The attacker pulled 103.6 tBTC, 1,625 ETH, and 147,000 USDC from the bridge reserves, then converted everything into 5,402.4 ETH through Uniswap. All of it now sits in a single wallet.

What the Timeline Actually Shows

Seven days before the drain, the Verus team released v1.2.16-1. The release, pushed by developer Asherda on May 11, 2026, carried a clear label: “CRITICAL BITCOIN CVE PATCH AND NETWORK RESILIENCY UPDATE.”

It addressed CVE-2024-52911, a vulnerability in Bitcoin Core versions 0.14.1 through 28.4 that could allow maliciously crafted blocks to crash nodes. The team called it critical and recommended all operators upgrade immediately.

That patch was not a bridge security fix. The bridge had its own problem no one had publicly named yet.

PeckShield flagged the abnormal outflow from the bridge contract within minutes of the transaction confirming. As PeckShieldAlert posted on X, the exploiter swapped stolen assets for 5,402.4 ETH worth roughly $11.4 million, with funds parked at 0x65Cb8b128Bf6e690761044CCECA422bb239C25F9.

Hi @veruscoin It seems abnormal assets outflow (~$11.4m) from Verus-Ethereum Bridge: https://t.co/2Ol7cngtjY

The funds are currently parked in the following address: https://t.co/YaMyk4ffZH pic.twitter.com/UMhgLOtjSm

— PeckShield Inc. (@peckshield) May 18, 2026

The attacker’s wallet had been funded with 1 ETH through Tornado Cash approximately 14 hours before the exploit fired. That is not a spontaneous move.

The Pitch That Did Not Survive Contact

Verus built its bridge security case on one core argument. The project’s homepage stated: “No Code to Exploit. Currency, DeFi, identity and data operations are blockchain primitives. Validated by protocol rules, not custom code.”

No smart contracts. No audits required. No attack surface.

One transaction ended that argument. The attacker called an unknown method on the bridge contract. Internal transfers fired. By the time the block confirmed, $11.58 million had moved out.

As PeckShieldAlert confirmed on X, the pattern matched a premeditated operation. The Tornado Cash funding 14 hours prior, the immediate swap to ETH through Uniswap, the consolidation into a single trackable wallet. None of that happens by accident.

#PeckShieldAlert The @veruscoin Verus-Ethereum Bridge has been drained for 103.6 $tBTC, 1.625K $ETH, and 147K $USDC.

The exploiter swapped the stolen assets for 5,402.4 $ETH (~$11.4M), which currently sits in 0x65Cb8b128Bf6e690761044CCECA422bb239C25F9.

The attacker’s address… https://t.co/DK0CDUAcqb pic.twitter.com/NMa8abhaTH

— PeckShieldAlert (@PeckShieldAlert) May 18, 2026

For any DeFi user currently holding assets in a cross-chain bridge that markets itself as audit-exempt or code-free, the wallet address sitting on Etherscan right now is worth looking at.