IoTeX offered a 10% white-hat bounty to the hacker or hackers who exploited a private key on its cross-chain bridge ioTube, siphoning millions of dollars, in exchange for voluntary repayment of funds within 48 hours.
With the move, IoTeX is offering $440,000 if the malicious actor(s) return the approximately $4.4 million they stole, according to an IoTeX X post that IoTeX co-founder and CEO Raullen Chai pointed to “as a source of truth” on Monday.
Chai told CoinDesk that the team sent an onchain message offering not to pursue legal action or share identifying information with law enforcement if the remaining funds are returned.
“This concerns the exploitation of the ioTube bridge on February 21, 2026,” Chai said in the announcement. “All fund movements across Ethereum, IoTeX and bitcoin have been fully tracked.”
The message says that exchange deposits have been flagged and frozen and offers a 10% bounty for refunding remaining funds.
Chai also said that IoTeX is rolling out a new chain version, Mainnet v2.3.4, that requires node operators to upgrade. The update includes a default blacklist of malicious Externally Owned Account (EOA) addresses.
“This blacklist contains a list of malicious or problematic EOA addresses that will be filtered by the node,” Chai said.
The offer comes after a February 21st exploit in which a compromised validator owner’s private key enabled unauthorized control of ioTube’s bridge contracts.
IoTeX said the incident is “under control,” that its Layer 1 blockchain was not affected, and that the breach was isolated to the bridge’s Ethereum-side infrastructure.
The IOTX token fell about 22% after the exploit, dropping from $0.0054 to below $0.0042 before partially recovering.
Cross-chain bridges have been one of crypto’s main points of failure, with several high-profile exploits in recent years. According to industry reports, more than $3.2 billion has been lost to cross-chain hacks, making them a prime target for advanced threat actors.
Responsibility and key control
IoTeX framed the exploit as an operational issue specific to the bridge, rather than a flaw in its Layer 1 network.
“IoTube is IoTeX’s own cross-chain bridge built and maintained by their team,” Nick Motz, CEO of ORQO Group and CIO of Soil, told CoinDesk. “The breach came down to a compromised validation owner private key on the Ethereum side, which is fundamentally an operational security flaw, not a smart contract vulnerability discovered by an external actor.”
Motz agreed that IoTeX’s Layer 1 was not compromised, but said user assets were entrusted specifically to the bridge.
“When you’re building and operating the bridge infrastructure and the key management is what’s failing, it’s hard to separate yourself from that outcome,” he said.
Nanak Nihal Khalsa, co-founder of human.tech, said that responsibility in crypto often comes down to key custody.
“Yes, whoever has the private key is responsible for securing it,” Khalsa said. “Is that a reasonable responsibility? It’s hard to say. But that’s the way the industry works right now.”
He added that liability norms remain unclear compared to traditional finance and called for stronger wallet and multisig setups to reduce similar risks.
The estimates diverge
On-chain analysis by security firm PeckShield estimated that more than $8 million worth of assets were affected, and said the attacker exchanged funds for ether (ETH) and began bridging them to bitcoin via THORChain.
“The hacker has exchanged the stolen funds for $ETH and has begun bridging them to #BTC via #Thorchain,” the company wrote.
Another onchain researcher, Specter, said on X that “the private key of @iotex_io may have been compromised,” resulting in an estimated loss of $4.3 million.
“Once assets are routed through THORChain […] recovery is going to be extremely difficult,” Motz said.
IoTeX said it has identified four bitcoin addresses with 66.78 BTC worth about $4.3 million at current prices and that the addresses are being monitored in cooperation with exchanges.
A CoinDesk review of these addresses on February 23 confirmed that they held around 66.6 BTC.
IoTeX did not immediately respond to CoinDesk’s request for comment.
“Containment is not the same as healing,” he added. “The actual market value shares were swapped and bridged. It is unlikely, in my view, that they will recover.”
Khalsa also warned that the prospects for recovery are uncertain. “It is difficult to predict how much, if any, can be recovered,” he said.
IoTeX revised its figure upwards to approximately $4.3 million, which reflects the direct asset outflow but excludes minted tokens. Motz said broader estimates can better capture the severity of the breach.
“Private key compromise rather than smart contract flaws is emerging as a dominant attack vector,” Motz said, noting that such incidents target operational security rather than audited code.
Before offering the 10% bounty, IoTeX said a compensation plan would be in place within the next 48 hours.



