Tuesday, February 24, 2026

IoTeX bridge exploit raises debate over losses and recovery prospects as CEO offers 10% bounty

IoTeX, a blockchain project centered on Internet-of-Things devices, offered a 10% white-hat bounty to the hacker or hackers who exploited a private key on its cross-chain bridge ioTube, siphoning millions of dollars, in exchange for the voluntary return of funds within 48 hours.

With this move, IoTeX is offering $440,000 if the malicious actor or actors return roughly $4.4 million they stole, according to an IoTeX X post, to which IoTeX co-founder and CEO Raullen Chai pointed “as a source of truth” on Monday.

Numerous crypto projects have offered similar 10% bounties to hackers after being breached. Hackers sometimes return funds in exchange for this bounty.

Chai told CoinDesk that the team sent an onchain message offering not to pursue legal action or share identifying information with law enforcement if the remaining funds are returned.

“This is regarding the ioTube bridge exploit on Feb. 21, 2026,” Chai said in the message. “All fund movements across Ethereum, IoTeX, and bitcoin have been fully traced.”

The message states that exchange deposits have been flagged and frozen and offers a 10% bounty for the return of remaining funds.

Chai also said IoTeX is rolling out a new chain version, Mainnet v2.3.4, requiring node operators to upgrade. The update includes a default blacklist of malicious externally owned account (EOA) addresses.

“This blacklist contains a list of malicious or problematic EOA addresses that will be filtered by the node,” Chai said.

The offer comes after a Feb. 21 exploit in which a compromised validator owner private key enabled unauthorized control over ioTube’s bridge contracts.

IoTeX said the incident is “under control,” saying that its Layer 1 blockchain was not affected and that the breach was isolated to the Ethereum-side infrastructure of the bridge.

The IOTX token fell roughly 22% following the exploit, dropping from $0.0054 to below $0.0042 before partially rebounding.

Cross-chain bridges have been one of crypto’s main failure points, with several high-profile exploits in recent years. According to industry reports, more than $3.2 billion has been lost due to cross-chain bridge hacks, making them a prime target for advanced threat actors.

Accountability and key management

IoTeX framed the exploit as an operational issue specific to the bridge rather than a failure of its Layer 1 network.

“IoTube is IoTeX’s own cross-chain bridge built and maintained by their team,” Nick Motz, CEO of ORQO Group and CIO of Soil, told CoinDesk. “The breach came down to a compromised validator owner private key on the Ethereum side, which is fundamentally an operational security failure, not a smart contract vulnerability discovered by an outside actor.”

Motz agreed that IoTeX’s Layer 1 was not compromised but said user funds had been entrusted specifically to the bridge.

“When you build and operate the bridge infrastructure and the key management is what fails, it’s difficult to separate yourself from that outcome,” he said.

Nanak Nihal Khalsa, co-founder of human.tech, said accountability in crypto often comes down to key custody.

“Yes, whoever holds the private key is responsible for securing it,” Khalsa said. “Is that a reasonable responsibility? It’s hard to say. But that’s how the industry works right now.”

He added that liability norms remain unsettled compared to traditional finance and called for stronger wallet and multisig setups to reduce similar risks.

The estimates diverge

On-chain analysis by security firm PeckShield estimated more than $8 million worth of assets were affected, saying the attacker swapped funds into ether (ETH) and began bridging them to bitcoin via THORChain.

“The hacker has swapped the stolen funds to $ETH and has started bridging them to #BTC via #Thorchain,” the firm wrote.

Another onchain investigator, Specter, said on X that “the private key of @iotex_io might have been compromised,” resulting in an estimated $4.3 million loss.

“Once assets are routed through THORChain […] recovery becomes extremely difficult,” Motz said.

IoTeX said it has identified four bitcoin addresses holding 66.78 BTC worth roughly $4.3 million at current prices and that the addresses are being monitored in cooperation with exchanges.

A CoinDesk review of those addresses on Feb. 23 showed they held roughly 66.6 BTC.

IoTeX did not immediately respond to CoinDesk’s request for comment.

“Containment isn’t the same as recovery,” he added. “The assets with actual market value were swapped and bridged. Those are, in my assessment, unlikely to be recovered.”

Khalsa similarly cautioned that recovery prospects are uncertain. “It’s hard to predict how much, if any, can be recovered,” he said.

IoTeX revised its figure upward to roughly $4.3 million, reflecting the direct asset drain but excluding minted tokens. Motz said broader estimates might better capture the severity of the breach.

“Private key compromise rather than smart contract bugs is emerging as a dominant attack vector,” Motz said, noting that such incidents target operational security rather than audited code.

Before offering the 10% bounty, IoTeX said a compensation plan would be in place within the next 48 hours.

UPDATE (Feb. 23, 2026, 23:21 UTC): Adds context on bounties offered after hacks.
