A coordinated exploit drained roughly $11.5 million from the Verus-Ethereum bridge on May 18, security firm Blockaid confirmed. The attacker converted stolen Verus assets to Ethereum within hours of the breach and moved funds through Tornado Cash, a privacy mixer that complicates recovery efforts.
How the exploit unfolded
Details on the vulnerability are still scarce. What's clear is that the attacker targeted the bridge's cross-chain logic, siphoning funds in a single, well-timed operation. Once the Verus tokens were seized, they were swapped for ETH on decentralized exchanges. Blockaid caught the conversion and flagged the wallet's next move: a deposit into Tornado Cash.
The Tornado Cash link
Privacy mixers like Tornado Cash are the go-to tool for laundering stolen crypto. Blockaid's analysis ties the attacker's wallet directly to the mixer, making it nearly impossible to freeze or trace the funds further. This is a familiar pattern — but the speed of the laundering here stands out. Within hours of the exploit, the assets were obfuscated beyond reach.
As of Tuesday morning, the Verus-Ethereum bridge is still running, though users have reported delays in transaction finality. No official statement has come from the Verus team yet. Blockaid says it's monitoring the attacker's wallet for any further movement. The exploit is the latest reminder that cross-chain bridges remain prime targets — and that recovery, once funds hit a mixer, is all but off the table.
