Attacker returns $8.5M after Verus bridge exploit under negotiated deal
- On May 22, the attacker behind the Verus-Ethereum bridge exploit returned 4,052.4 ETH, about $8.5 million, after Verus offered a negotiated bounty. (cryptotimes.io)
- PeckShield said the returned funds equaled about 75% of the stolen total, while the attacker kept 1,350 ETH, worth roughly $2.8 million. (cryptotimes.io)
- Verus documentation says bridge users can claim refunds through the project’s refund process on its bridge support pages. (docs.verus.io)

An attacker who drained the Verus-Ethereum bridge this week has now sent back most of the funds under a negotiated settlement, turning a fresh DeFi exploit into a familiar kind of post-hack bargain. On May 22, blockchain security firm PeckShield said the exploiter returned 4,052.4 ETH, worth about $8.5 million, to a Verus team wallet. (cryptotimes.io)

Verus had offered to let the attacker keep 1,350 ETH, roughly $2.8 million, if the rest was returned. The recovery leaves Verus with most, but not all, of the assets taken in the May 18 exploit. (docs.verus.io)

### How much money came back, and how much did the attacker keep?

PeckShield said 4,052.4 ETH was sent back to a Verus team address on May 22. At prevailing prices cited in coverage of the transfer, that amounted to about $8.5 million. The same reports said the attacker retained 1,350 ETH, valued at roughly $2.8 million, under the terms of the bounty arrangement. PeckShield said the returned amount represented about 75% of the total stolen from the bridge. (cryptotimes.io)

### What was Verus offering in exchange for the return?

The Block reported that Verus offered the exploiter 1,350 ETH as a bounty in exchange for returning the rest of the funds and for a commitment by the project not to pursue legal action or further investigation. That framed the transfer less as an unsolicited return than as a negotiated recovery.

Crypto Times and other follow-up reports described the arrangement as a previously agreed bounty deal. Those reports cited PeckShield’s onchain monitoring for the returned transfer and the share of funds recovered. (cryptotimes.io)

### What was stolen in the first place?

On May 18, the Verus-Ethereum bridge was drained of about $11.5 million to $11.58 million in crypto assets, according to multiple reports published after the attack. Cointelegraph and other outlets said the stolen assets were consolidated into Ether after the exploit. (theblock.co)

FinanceFeeds and other reports put the loss at roughly $11.58 million, while coverage of the exploit said the bridge attack involved a forged proof or forged transfer message. The exact wording varies by outlet, but the reported loss range is consistent with the later recovery math. (cryptotimes.io)

### What do reports say about how the bridge was exploited?

Reports published after the May 18 attack said the exploiter used a forged cross-chain proof or import payload to trigger releases from the Ethereum-side bridge. Cointelegraph described the exploit as involving a fake cross-chain message, while other reports said the flaw let the bridge release funds without equivalent backing on the Verus side. (cointelegraph.com)

Defi-Planet, citing security researchers, said the exploit targeted the bridge’s `submitImports` path. That description has not been independently confirmed here from a Verus technical postmortem, so it remains an external characterization of the attack path. (financefeeds.com)

### What happens next for users and the protocol?

Verus documentation says users affected on the Verus-to-Ethereum route can use the project’s refund process through the bridge refund page. The documentation says the process relies on the refund address originally set during bridging and may take time to complete in the background. (cointelegraph.com)

As of May 22, the clearest next steps are onchain accounting of the recovered ETH, user refund processing, and any technical disclosure from Verus on the bridge flaw and remediation. PeckShield’s transfer alert and Verus’s refund documentation are the public reference points now available. (cryptotimes.io) (docs.verus.io) (defi-planet.com)