IoTeX Bridge Exploited for $4.4M via Compromised Key
The IoTeX ioTube bridge suffered a $4.4 million exploit due to a compromised private key. In response, the IoTeX team has publicly offered the attacker a 10% bounty, worth $440,000, for the return of the remaining stolen funds. The incident highlights the persistent security risks associated with private key management in cross-chain infrastructure.
- The exploit, which occurred on February 21, 2026, was not due to a smart contract vulnerability but rather a single compromised private key that gave the attacker control over the bridge's contracts on Ethereum. This allowed them to drain assets and mint new, unauthorized tokens.
- There are conflicting reports on the total amount stolen; IoTeX states the direct loss is approximately $4.3 million, while security firm PeckShield estimates the impact at over $8 million, which includes the value of additionally minted CIOTX and CCS tokens.
- The attacker quickly swapped the stolen assets (including USDC, USDT, IOTX, and WBTC) to ETH on Uniswap and then used THORChain to bridge the funds to the Bitcoin network, a common tactic to make recovery more difficult.
- In response, the IoTeX team paused the ioTube bridge and temporarily halted its Layer 1 chain to freeze the attacker's addresses at a network level. They also announced a mainnet upgrade to introduce a blacklist of malicious addresses.
- IoTeX publicly sent an on-chain message to the attacker offering a 10% "white-hat" bounty, worth around $440,000, for the return of the stolen funds within a 48-hour window, promising no legal action if they complied.
- The IOTX token's price dropped by approximately 22% in the immediate aftermath of the hack, falling from about $0.0054 to a low of $0.0042.
- Major South Korean exchanges Upbit and Bithumb placed IOTX on their trading alert lists following the incident, with temporary suspensions of deposits and withdrawals.
- IoTeX has stated that if the funds are not returned, a compensation plan for affected users would be announced.