May's DeFi Hack Tally Grows: Verus Bridge Loses $11.58M

The tally of decentralized finance exploits in May continued to climb after the Verus-Ethereum Bridge reportedly suffered a security breach. Attackers drained roughly $11.58 million in digital assets. Multiple blockchain security firms flagged the exploit on Monday, warning users about suspicious activity linked to the bridge.

The Verus loss arrives three days after THORChain halted trading. A breach of one vault drained over $10 million in protocol-owned funds. THORChain said user balances were not affected. DeFiLlama data shows that 12 DeFi protocols were hit in May 2026 before Verus. Collective losses already exceed $20 million this month.

The Verus Bridge: What Was Drained and How

Blockchain security company Blockaid flagged the exploit in a post on X. Security researchers identified the attacker’s externally owned account (EOA) as 0x5aBb91B9c01A5Ed3aE762d32B236595B459D5777. PeckShield said the attacker drained three distinct assets before consolidating into a single token:

103.6 tBTC – tokenized Bitcoin on Ethereum, worth roughly $7.1 million at prevailing rates
1,625 ETH – native Ethereum, worth about $3.4 million
147,000 USDC – Circle’s stablecoin, worth $147,000

The stolen assets were swapped into 5,402.4 ETH, valued at around $11.4 million. The funds remain in the wallet: 0x65Cb8b128Bf6e690761044CCECA422bb239C25F9. “The attacker’s address was initially funded with 1 ETH via Tornado Cash ~14 hours ago,” a PeckShield post read. That obfuscation tactic is standard: exploiters use the mixer to break the on-chain trail before launching the attack.

Practical rule:

Exposure: Who Is at Risk and What the Market Faces

The direct exposure is limited to users who had assets locked in the Verus-Ethereum Bridge at the time of the exploit. Verus has not confirmed whether user funds are fully covered or whether the protocol will issue reimbursements. Recovery rates in similar bridge hacks vary widely. Some protocols have fully restored funds via treasury or insurance. Others have left users with permanent losses.

Second-order effects

Market confidence in cross-chain bridges – Each high-profile exploit erodes trust in the bridge model. May already saw THORChain halt trading after a vault breach. The KelpDAO bridge drain alone accounted for $292 million in losses in April 2026, making it the year’s largest single hack.
Liquidity providers – Anyone supplying liquidity to the Verus bridge faces direct loss of principal. The protocol’s TVL will likely drop sharply as LPs withdraw remaining funds.
Verus token (VRSC) – The native token may face selling pressure if the protocol needs to raise funds for restitution or if the exploit triggers a loss of confidence in the broader Verus ecosystem.

May’s DeFi Exploit Timeline: 13 Incidents and $31.5M Lost

DeFiLlama data shows that 12 DeFi protocols were hit in May 2026 before Verus. Collective losses already topped $20 million before the Verus and THORChain incidents. Adding the $11.58 million from Verus and the $10 million+ from THORChain brings the May total to over $31.5 million. April 2026 set the year’s benchmark, with protocols losing more than $606 million across 12 incidents.

Month	Number of Incidents	Total Losses	Largest Single Hack
April 2026	12	$606M	KelpDAO bridge ($292M)
May 2026 (to date)	13	>$31.5M	Verus Bridge ($11.58M)

Note: May total includes Verus and THORChain. THORChain’s loss was protocol-owned, not user funds.

Key insight:

Two Scenarios: What Would Reduce or Worsen the Risk

What would reduce the risk

Verus publishes a post-mortem – A transparent breakdown of the vulnerability (smart contract bug, private key compromise, oracle manipulation) allows other bridge operators to patch similar flaws.
Insurance or treasury reimbursement – If Verus covers user losses, confidence in the protocol may recover. Without reimbursement, TVL will likely collapse.
Increased bridge security standards – Protocols that adopt multi-sig governance, time-locked withdrawals, and formal audits may attract liquidity away from riskier bridges.

What would worsen the risk

Attacker moves funds to a centralized exchange – If the 5,402.4 ETH hits a KYC-compliant exchange, law enforcement may freeze the assets. If the funds go to a non-KYC exchange or mixer, recovery becomes near impossible.
Verus fails to communicate – Silence from the team amplifies uncertainty. Users may assume the worst and withdraw remaining liquidity, triggering a bank-run dynamic.
Copycat exploits – If the vulnerability is common to other bridges using similar code, attackers may replicate the method before patches are deployed.

Affected Assets: tBTC, ETH, and USDC After the Drain

Beyond the stolen assets, the broader crypto market may see indirect pressure. Bridge exploits often lead to a short-term dip in Ethereum and Bitcoin as liquidators sell collateral or LPs exit positions. The Verus bridge is relatively small compared to major protocols, so systemic contagion is unlikely. Still, three assets deserve attention.

tBTC – The tokenized Bitcoin supply on Ethereum could see a slight reduction if the stolen 103.6 tBTC is not recovered. tBTC’s peg has held through previous exploits, supply shocks at this scale are manageable.
ETH – The attacker’s 5,402.4 ETH hoard is a potential overhang. If sold in bulk, it could pressure spot ETH prices. $11.4 million is a small fraction of daily ETH volume, the psychological impact may outweigh the mechanical effect.
USDC – The 147,000 USDC is trivial for Circle’s stablecoin. The exploit adds to the narrative of DeFi risk, which may push some capital into centralized stablecoins like USDC or USDT.

The Structural Risk of Bridges

May 2026 is on track to be the second-worst month for DeFi hacks this year, behind only April. The concentration of bridge exploits – Verus, THORChain, KelpDAO – points to a structural weakness in cross-chain infrastructure. Bridges rely on complex smart contract logic to lock and mint assets across chains, creating a large attack surface. Bridge risk is not diversifiable by holding multiple tokens. The vulnerability sits at the infrastructure layer.

Traders who use bridges for arbitrage or yield farming should treat each bridge as a separate counterparty risk. For watchlists, the key question is whether Verus will survive the exploit. The protocol’s response in the next 48 hours will determine whether this is a one-off loss or a terminal event. Monitor the attacker wallet and Verus’s official channels for updates.

For broader context on DeFi lending hack losses and the crypto market, see DeFi Lending Hack Losses: $3 per $10,000 Deposited and our crypto market analysis.