IoTeX promises a 10% reward to cross-bridge hackers for the return of $4.4 million within a 48-hour timeframe.
Raullen Chai, co-founder and CEO of IoTeX, informed CoinDesk that he would refrain from pursuing legal action if the stolen funds or their equivalent are returned within a 48-hour timeframe.
Nearly $400 million was lost to crypto exploits in January 2026 alone, according to industry estimates.
What to know:
- IoTeX is offering a 10% white-hat bounty, approximately $440,000, along with a commitment not to pursue legal action if hackers return about $4.4 million taken from its ioTube cross-chain bridge within 48 hours.
- The exploit on February 21 occurred due to a compromised validator owner’s private key on the Ethereum side of the ioTube bridge, which both IoTeX and external experts characterize as an operational security breach rather than a defect in the Layer 1 blockchain or its smart contracts.
- IoTeX monitored the stolen assets across chains, identified bitcoin addresses holding around 66.6 BTC, and is implementing a mainnet upgrade that includes a default blacklist of malicious addresses, although experts caution that assets that have already been swapped or bridged may be challenging or unlikely to recover.
IoTeX has proposed a 10% white-hat bounty for the hacker or hackers who used a compromised private key on its ioTube cross-chain bridge to extract millions of dollars, in return for the voluntary return of the funds within 48 hours.
By doing this, IoTeX is offering $440,000 if the malicious actor or actors return approximately $4.4 million they misappropriated, as stated in an IoTeX post on X, which co-founder and CEO Raullen Chai referred to “as a source of truth” on Monday.
Chai conveyed to CoinDesk that the team dispatched an onchain message indicating a willingness not to initiate legal proceedings or disclose identifying details to law enforcement if the remaining funds are returned.
“This pertains to the ioTube bridge exploit on February 21, 2026,” Chai mentioned in the communication. “All fund movements across Ethereum, IoTeX, and bitcoin have been comprehensively traced.”
The message indicates that exchange deposits have been flagged and frozen, and it extends a 10% bounty for the retrieval of the remaining funds.
Chai also mentioned that IoTeX is launching a new chain version, Mainnet v2.3.4, requiring node operators to upgrade. This update includes a default blacklist of malicious externally owned account (EOA) addresses.
“This blacklist comprises a collection of malicious or problematic EOA addresses that will be filtered by the node,” Chai stated.
The offer follows a February 21 exploit in which a compromised validator owner private key allowed unauthorized access to ioTube’s bridge contracts.
IoTeX asserted that the situation is “under control,” emphasizing that its Layer 1 blockchain was not impacted and that the breach was contained to the Ethereum-side infrastructure of the bridge.
The IOTX token experienced a decline of roughly 22% following the exploit, falling from $0.0054 to below $0.0042 before making a partial recovery.
Cross-chain bridges have been a significant point of failure in crypto, with numerous high-profile exploits recorded in recent years. Industry reports indicate that over $3.2 billion has been lost due to cross-chain bridge hacks, positioning them as prime targets for sophisticated threat actors.
Responsibility and key control
IoTeX has portrayed the exploit as an operational issue specific to the bridge rather than a failure of its Layer 1 network.
“IoTube is IoTeX’s own cross-chain bridge created and maintained by their team,” Nick Motz, CEO of ORQO Group and CIO of Soil, told CoinDesk. “The breach was due to a compromised validator owner private key on the Ethereum side, which fundamentally represents an operational security failure, rather than a smart contract vulnerability identified by an external source.”
Motz concurred that IoTeX’s Layer 1 was not compromised but noted that user funds were specifically entrusted to the bridge.
“When you construct and operate the bridge infrastructure and the key management fails, it becomes challenging to dissociate from that outcome,” he remarked.
Nanak Nihal Khalsa, co-founder of human.tech, stated that accountability in crypto frequently hinges on key custody.
“Indeed, whoever possesses the private key bears the responsibility for securing it,” Khalsa stated. “Is that a fair responsibility? It’s difficult to determine. However, that’s the current structure of the industry.”
He further noted that liability standards are still evolving compared to traditional finance and advocated for more robust wallet and multisig setups to mitigate similar risks.
The estimates diverge
On-chain analysis conducted by the security firm PeckShield estimated that over $8 million worth of assets were impacted, indicating that the attacker converted funds into ether (ETH) and began bridging them to bitcoin via THORChain.
“The hacker has converted the stolen assets to $ETH and has commenced bridging them to #BTC via #Thorchain,” the firm noted.
Another on-chain investigator, Specter, stated on X that “the private key of @iotex_io may have been compromised,” leading to an estimated loss of $4.3 million.
“Once assets are routed through THORChain […] recovery becomes exceedingly difficult,” Motz explained.
IoTeX mentioned it has pinpointed four bitcoin addresses containing 66.78 BTC valued at approximately $4.3 million at current market prices, and these addresses are being tracked in collaboration with exchanges.
A CoinDesk examination of those addresses on February 23 confirmed they held around 66.6 BTC.
IoTeX did not immediately respond to CoinDesk’s request for comment.
“Containment is not the same as recovery,” he added. “The assets with tangible market value were swapped and bridged. Those, in my view, are unlikely to be recovered.”
Khalsa similarly expressed that recovery possibilities are unclear. “It’s challenging to estimate how much, if anything, can be retrieved,” he remarked.
IoTeX adjusted its estimate upward to approximately $4.3 million, reflecting the direct asset loss while excluding minted tokens. Motz suggested that broader estimates may more accurately represent the gravity of the breach.
“The compromise of private keys rather than smart contract bugs is becoming a prevailing method of attack,” Motz noted, emphasizing that such incidents target operational security rather than audited code.
Prior to proposing the 10% bounty, IoTeX stated that a compensation plan would be established within the following 48 hours.