IoTeX bridge exploit raises debate over losses and recovery prospects as CEO offers 10% bounty

IoTeX offered a 10% white-hat bounty to the hacker or hackers who exploited a private key on its cross-chain bridge ioTube, siphoning millions of dollars, in exchange for the voluntary return of funds within 48 hours.

With this move, IoTeX is offering the $440,000 if the malicious actor or actors return roughly $4.4 million they stole, according to an IoTeX X post, to which IoTeX co-founder and CEO Raullen Chai pointed “as a source of truth” on Monday.

Chai told CoinDesk that the team sent an onchain message offering not to pursue legal action or share identifying information with law enforcement if the remaining funds are returned.

“This is regarding the ioTube bridge exploit on Feb. 21, 2026,” Chai said in the message. “All fund movements across Ethereum, IoTeX, and bitcoin have been fully traced.”

The message states that exchange deposits have been flagged and frozen and offers a 10% bounty for the return of remaining funds.

Chai also said IoTeX is rolling out a new chain version, Mainnet v2.3.4, requiring node operators to upgrade. The update includes a default blacklist of malicious externally owned account (EOA) addresses.

“This blacklist contains a list of malicious or problematic EOA addresses that will be filtered by the node,” Chai said.

The offer comes after a Feb. 21 exploit in which a compromised validator owner private key enabled unauthorized control over ioTube’s bridge contracts.

IoTeX said the incident is “under control,” saying that its Layer 1 blockchain was not affected and that the breach was isolated to the Ethereum-side infrastructure of the bridge.

The IOTX token fell roughly 22% following the exploit, dropping from $0.0054 to below $0.0042 before partially rebounding.

Cross-chain bridges have been one of crypto’s main failure points, with several high-profile exploits in recent years. According to industry reports, more than $3.2 billion has been lost due to cross-chain bridge hacks, making them a prime target for advanced threat actors.

Responsibility and key control

IoTeX framed the exploit as an operational issue specific to the bridge rather than a failure of its Layer 1 network.

“IoTube is IoTeX’s own cross-chain bridge built and maintained by their team,” Nick Motz, CEO of ORQO Group and CIO of Soil, told CoinDesk. “The breach came down to a compromised validator owner private key on the Ethereum side, which is fundamentally an operational security failure, not a smart contract vulnerability discovered by an outside actor.”

Motz agreed that IoTeX’s Layer 1 was not compromised but said user funds were entrusted specifically to the bridge.

“When you build and operate the bridge infrastructure and the key management is what fails, it’s difficult to separate yourself from that outcome,” he said.

Nanak Nihal Khalsa, co-founder of human.tech, said responsibility in crypto often comes down to key custody.

“Yes, whoever holds the private key is responsible for securing it,” Khalsa said. “Is that a reasonable responsibility? It’s hard to say. But that’s how the industry works right now.”

He added that liability norms remain unsettled compared to traditional finance and called for stronger wallet and multisig setups to reduce similar risks.

The estimates diverge

On-chain analysis by security firm PeckShield estimated more than $8 million worth of assets were affected, saying the attacker swapped funds into ether (ETH) and began bridging them to bitcoin BTC$64,790.39 via THORChain.

“The hacker has swapped the stolen funds to $ETH and has started bridging them to #BTC via #Thorchain,” the firm wrote.

Another onchain investigator, Specter, said on X that “the private key of @iotex_io may have been compromised,” resulting in an estimated $4.3 million loss.

“Once assets are routed through THORChain […] recovery becomes extremely difficult,” Motz said.

IoTeX said it has identified four bitcoin addresses holding 66.78 BTC worth roughly $4.3 million at current prices and that the addresses are being monitored in cooperation with exchanges.

A CoinDesk review of those addresses on Feb. 23 confirmed they held roughly 66.6 BTC.

IoTeX did not immediately respond to CoinDesk’s request for comment.

“Containment is not the same as recovery,” he added. “The assets with actual market value were swapped and bridged. Those are, in my assessment, unlikely to be recovered.”

Khalsa similarly cautioned that recovery prospects are uncertain. “It’s hard to predict how much, if any, can be recovered,” he said.

IoTeX revised its figure upward to approximately $4.3 million, reflecting the direct asset drain but excluding minted tokens. Motz said broader estimates may better capture the severity of the breach.

“Private key compromise rather than smart contract bugs is emerging as a dominant attack vector,” Motz said, noting that such incidents target operational security rather than audited code.

Before offering the 10% bounty, IoTeX said a compensation plan would be in place within the next 48 hours.