IoTeX bridge exploit raises debate over losses and recovery prospects as CEO offers 10% bounty

IoTeX is offering a 10% white hat bounty to hackers who stole millions of dollars using private keys on its cross-chain bridge, ioTube, in exchange for voluntary return of funds within 48 hours.

IoTeX will offer $440,000 in compensation if malicious actors return the roughly $4.4 million they stole, according to a post on IoTeX

Chai told CoinDesk that the team sent an on-chain message stating that if the remaining funds were returned, no legal action would be taken or identifying information shared with law enforcement.

“This is related to the ioTube bridge vulnerability on February 21, 2026,” Chai said in the message. “All fund flows on Ethereum, IoTeX, and Bitcoin have been fully traced.”

The message states that exchange deposits have been flagged and frozen, with a 10% reward being offered for the return of remaining funds.

Chai also said that IoTeX is launching a new chain version, Mainnet v2.3.4, requiring node operators to upgrade. This update includes a default blacklist of malicious Externally Owned Account (EOA) addresses.

“This blacklist contains a list of malicious or problematic EOA addresses that will be filtered by nodes,” Chai said.

The proposal follows an exploit on February 21, in which a compromised validator owner private key enabled unauthorized control of the ioTube bridge contract.

IoTeX said the incident was “contained,” its layer 1 blockchain was not affected, and the vulnerability was isolated from the Ethereum side of the bridge’s infrastructure.

Following the breach, the IOTX token fell by approximately 22%, from $0.0054 to below $0.0042 before partially rebounding.

Cross-chain bridges have been one of the main points of failure for cryptocurrencies, with a number of high-profile vulnerabilities emerging in recent years. According to industry reports, cross-chain bridge hacks have caused more than $3.2 billion in losses, making bridges a prime target for advanced threat actors.

Responsibilities and critical controls

IoTeX considers this vulnerability to be a bridge-specific operational issue and not a malfunction of its Layer 1 network.

“IoTube is IoTeX’s own cross-chain bridge, built and maintained by their team,” Nick Motz, CEO of ORQO Group and CIO of Soil, told CoinDesk. “This breach is down to a compromise of the validator owner’s private key on the Ethereum side, which is fundamentally an operational security failure rather than a smart contract vulnerability discovered by an external actor.”

Motz agreed that IoTeX’s Layer 1 was not compromised, but said user funds were specifically entrusted to the bridge.

“When you build and operate bridge infrastructure, critical management fails, and it’s hard to separate yourself from that outcome,” he said.

Human.tech co-founder Nanak Nihal Khalsa said responsibility in the cryptocurrency space often boils down to key custody.

“Yes, whoever holds the private key has a responsibility to keep it secure,” Khalsa said. “Is that a reasonable responsibility? It’s hard to say. But that’s the way the industry works now.”

He added that accountability norms remain fluid compared to traditional finance and called for more robust wallets and multi-signature setups to reduce similar risks.

There is probably a disagreement

On-chain analysis by security firm PeckShield estimated that more than $8 million worth of assets were affected, saying the attackers converted the funds into ether (ETH) and began transferring them to Bitcoin via THORChain.

“Hackers have converted the stolen funds into ETH and begun bridging them to #BTC via #Thorchain,” the company wrote.

Specter, another on-chain investigator, said on X that “@iotex_io’s private keys may have been compromised,” resulting in an estimated $4.3 million in losses.

“Once an asset is routed through THORChain […] Recovery becomes extremely difficult,” Motz said.

IoTeX said it has identified four Bitcoin addresses holding 66.78 BTC, worth approximately $4.3 million at current prices, and is working with exchanges to monitor these addresses.

CoinDesk conducted a review of these addresses on February 23 and confirmed that they held approximately 66.6 BTC.

IoTeX did not immediately respond to CoinDesk’s request for comment.

“Containment does not equate to recovery,” he added. “Assets with actual market value were exchanged and bridged. In my assessment it is unlikely that these assets will be repossessed.”

Khalsa also warned that the outlook for recovery was uncertain. “It’s hard to predict how much, if any, will be recovered,” he said.

IoTeX raised its figure to approximately $4.3 million, reflecting direct asset losses but excluding minted tokens. Motz said a broader estimate might better reflect the severity of the breach.

“Private key leaks rather than smart contract vulnerabilities are becoming the primary attack vector,” Motz said, noting that such incidents target operational security rather than audited code.

Before offering the 10% bounty, IoTeX said it would work out a compensation plan within the next 48 hours.
