IoTeX Offers $440,000 Bounty for Return of $4.4M Stolen Funds
What Happened to the ioTube Bridge?
IoTeX is offering a 10% white-hat bounty — roughly $440,000 — if hackers return about $4.3 million stolen from its ioTube cross-chain bridge within 48 hours. The proposal includes a pledge not to pursue legal action or share identifying information with law enforcement if the remaining funds are sent back.
The exploit occurred on Feb. 21 and stemmed from a compromised validator owner private key on the Ethereum side of the ioTube bridge. IoTeX said its Layer 1 blockchain was not affected and described the incident as isolated to the bridge’s Ethereum-side infrastructure.
“This is regarding the ioTube bridge exploit on Feb. 21, 2026,” co-founder and CEO Raullen Chai said in an onchain message. “All fund movements across Ethereum, IoTeX, and bitcoin have been fully traced.”
Chai added that exchange deposits linked to the exploit had been flagged and frozen, and confirmed the 10% bounty offer for the return of remaining funds.
Investor Takeaway
How Much Was Lost — And Can It Be Recovered?
Estimates of the total damage diverged in the hours following the breach. IoTeX revised its own figure to approximately $4.3 million, reflecting direct asset losses while excluding minted tokens. Onchain investigator Specter cited a similar figure of about $4.3 million. Security firm PeckShield estimated that more than $8 million worth of assets were affected.
PeckShield said the attacker swapped the stolen funds into ether and began bridging them to bitcoin via THORChain. “The hacker has swapped the stolen funds to $ETH and has started bridging them to #BTC via #Thorchain,” the firm wrote.
IoTeX said it identified four bitcoin addresses holding 66.78 BTC, worth roughly $4.3 million at current prices, and that the addresses were being monitored in coordination with exchanges. A CoinDesk review confirmed the wallets held around 66.6 BTC as of Feb. 23.
Recovery prospects remain uncertain. “Containment is not the same as recovery,” said Nick Motz, CEO of ORQO Group and CIO of Soil. “The assets with actual market value were swapped and bridged. Those are, in my assessment, unlikely to be recovered.”
Nanak Nihal Khalsa, co-founder of human.tech, offered a similar view. “It’s hard to predict how much, if any, can be recovered,” he said.
Was This a Smart Contract Failure?
IoTeX framed the breach as an operational security issue tied to key management rather than a flaw in its core blockchain or audited contracts. The validator owner private key controlling the bridge contracts was compromised, enabling unauthorized access.
“IoTube is IoTeX’s own cross-chain bridge built and maintained by their team,” Motz said. “The breach came down to a compromised validator owner private key on the Ethereum side, which is fundamentally an operational security failure, not a smart contract vulnerability discovered by an outside actor.”
He added that while IoTeX’s Layer 1 was not compromised, users had entrusted funds to the bridge infrastructure. “When you build and operate the bridge infrastructure and the key management is what fails, it’s difficult to separate yourself from that outcome,” he said.
Khalsa said responsibility in crypto still centers on key custody. “Yes, whoever holds the private key is responsible for securing it,” he said. “Is that a reasonable responsibility? It’s hard to say. But that’s how the industry works right now.”
What Is IoTeX Changing Now?
Alongside the bounty offer, IoTeX is rolling out Mainnet v2.3.4 and requiring node operators to upgrade. The update includes a default blacklist of malicious externally owned account addresses.
“This blacklist contains a list of malicious or problematic EOA addresses that will be filtered by the node,” Chai said.
Before announcing the 10% bounty, IoTeX said a compensation plan would be put in place within 48 hours.
The IOTX token fell about 22% after the exploit, dropping from $0.0054 to below $0.0042 before partially rebounding.
Cross-chain bridges remain a frequent attack surface in crypto. Industry reports estimate that more than $3.2 billion has been lost in bridge-related exploits over recent years, as attackers increasingly target operational security and key management rather than contract code.
