IoTeX bridge exploit raises debate over losses and recovery prospects as CEO offers 10% bonus

IoTeX offered a 10% bounty to the hacker(s) who exploited a private key on its ioTube cross-chain bridge and siphoned off millions of dollars, in exchange for voluntarily returning the funds within 48 hours.

With the move, IoTeX is offering $440,000 if the bad actor(s) return the approximately $4.4 million they stole, according to an article from IoTeX.

Chai told CoinDesk that the team sent an on-chain message offering not to take legal action or share identifying information with law enforcement if the remaining funds were returned.

“This is the February 21, 2026 ioTube bridge exploit,” Chai said in the post. “All fund movements on Ethereum, IoTeX and Bitcoin have been fully traced.”

The message states that exchange deposits have been flagged and frozen and offers a 10% bonus for the return of remaining funds.

Chai also said that IoTeX is rolling out a new version of the chain, Mainnet v2.3.4, which requires node operators to upgrade. The update includes a default blacklist of malicious externally owned account (EOA) addresses.

“This blacklist contains a list of malicious or problematic EOA addresses that will be filtered by the node,” Chai said.

The offer follows a February 21 exploit in which a compromised private key of the validator owner enabled unauthorized control over ioTube’s bridge contracts.

IoTeX said the incident was “under control,” adding that its layer 1 blockchain was not affected and the breach was isolated to the Ethereum-side bridge infrastructure.

The IOTX token fell approximately 22% following the exploit, dropping from $0.0054 to below $0.0042 before partially rebounding.

Cross-chain bridges have been one of the major failure points in crypto, with several high-profile exploits in recent years. According to industry reports, over $3.2 billion has been lost due to cross-chain bridge hacks, making them a prime target for advanced threat actors.

Responsibility and key control

IoTeX presented the exploit as a bridge-specific operational issue rather than a failure of its Layer 1 network.

“IoTube is IoTeX’s own cross-chain bridge, built and maintained by their team,” Nick Motz, ORQO Group CEO and CIO of Soil, told CoinDesk. “The breach was due to a compromised private key of the validator owner on the Ethereum side, which is fundamentally an operational security failure, not a smart contract vulnerability discovered by an outside actor.”

Motz agreed that IoTeX Layer 1 was not compromised, but said user funds were specifically entrusted to the bridge.

“When you build and operate the bridge infrastructure and key management is what fails, it’s hard to separate yourself from that outcome,” he said.

Nanak Nihal Khalsa, co-founder of human.tech, said accountability in crypto often comes down to custody of the keys.

“Yes, whoever holds the private key is responsible for its security,” Khalsa said. “Is that a reasonable liability? It’s hard to say. But that’s the way the industry works now.”

He added that accountability standards remain unstable compared to traditional finance and called for stronger wallet and multisig setups to reduce similar risks.

Estimates differ

On-chain analysis by security firm PeckShield estimated that more than $8 million in assets were affected, saying that the attacker exchanged funds for ether (ETH) and began bridging them to bitcoin via THORChain.

“The hacker exchanged the stolen funds for $ETH and began linking them to #BTC via #Thorchain,” the company wrote.

Another onchain investigator, Specter, said on

“Once the assets are routed through THORChain […] recovery becomes extremely difficult,” Motz said.

IoTeX said it identified four Bitcoin addresses holding 66.78 BTC worth approximately $4.3 million at current prices and that the addresses were being monitored in cooperation with exchanges.

A CoinDesk review of these addresses on February 23 confirmed that they held approximately 66.6 BTC.

IoTeX did not immediately respond to CoinDesk’s request for comment.

“Containment is not the same as recovery,” he added. “Assets with real market value have been exchanged and filled. It is, in my opinion, unlikely that they will be recovered.”

Khalsa also warned that the outlook for recovery is uncertain. “It is difficult to predict how much, if anything, will be recoverable,” he said.

IoTeX revised its figure upward to around $4.3 million, reflecting direct asset outflows but excluding issued tokens. Motz said broader estimates could better capture the severity of the breach.

“Private key compromise rather than smart contract bugs is emerging as a dominant attack vector,” Motz said, noting that such incidents target operational security rather than audited code.

Before offering the 10% bonus, IoTeX said that a compensation plan would be put in place in the next 48 hours.
