On February 21, 2026, the decentralized ecosystem of IoTeX (IOTX) faced a significant security breach targeting its cross-chain infrastructure. Unlike many smart contract exploits that rely on coding errors, this incident was a “Private Key Compromise” involving a critical validator. Initial estimates suggested a loss of approximately $8 million, though rapid intervention by the IoTeX team and partner exchanges successfully mitigated the final impact to roughly $2 million. This report dissects the attacker’s methodology, tracks the movement of stolen funds across chains, and evaluates the long-term implications for bridge security.
Contextual Background
IoTeX operates as a decentralized network designed for the Internet of Things (IoT), utilizing bridges to maintain interoperability with Ethereum and other EVM-compatible chains. These bridges act as custodians of liquidity. The breach occurred specifically on the Ethereum-side bridge contracts, where the private key of a validator owner was compromised, granting the attacker administrative control over the bridge’s vault.
While this was a direct infrastructure attack, it highlights a broader trend in the crypto space where sophisticated social engineering and permission exploits are rising. For instance, we recently saw how attackers use malicious permit transactions to steal assets like XAUT, proving that whether it’s a bridge validator or an individual wallet, signature and key security is the primary target.
Detailed Timeline of the Exploit
February 21, 2026: The Breach
- 07:00 – 09:00 UTC: The attacker gained access to the Ethereum-side contracts using the compromised validator key. The primary targets were the TokenSafe and MinterPool contracts.
- 09:15 UTC: The “drain” phase began. Major assets including USDC, USDT, IOTX, WBTC, BUSD, and DAI were siphoned from the bridge reserves.
- 10:30 UTC: To maximize the exploit, the attacker used the compromised permissions to illegally mint 111M CIOTX (approx. $4M) and $4.5M in CCS tokens.
#PeckShieldAlert The IoTeX[.]io Bridge @iotex_io has been hacked for over $8M worth of crypto due to a compromised private key.
The hacker has swapped the stolen funds to $ETH and has started bridging them to #BTC via #Thorchain.
— PeckShieldAlert (@PeckShieldAlert) February 21, 2026
Source: https://x.com/PeckShieldAlert/status/2025161252620955965?s=20
February 21, Midday: Discovery and Containment
- 12:00 UTC: PeckShieldAlert (@PeckShieldAlert) issued the first public warning. On-chain data showed the attacker swapping stolen tokens for ETH via Decentralized Exchanges (DEXs) like Uniswap and Rizzolver.
- 14:00 UTC: The IoTeX core team initiated an “Emergency Pause” on the bridge. This critical move prevented further outflows and protected remaining assets.
February 22 – 23: Tracking the Proceeds
- On-chain analysts, including @0xOwnerpaiN and BeosinAlert, identified the attacker’s pivot to the Bitcoin network. Using THORChain, the attacker bridged the stolen ETH into BTC to obfuscate the money trail.
Technical Analysis: Exploit Mechanics
The attack followed a sophisticated multi-stage execution model designed to bypass traditional security layers:
Administrative Hijack
Bridge contracts are typically governed by multi-signature (Multi-sig) wallets. In this instance, the compromise of a single validator’s private key allowed the attacker to bypass consensus and interact directly with the high-level functions of the MinterPool.
Liquidity Draining & Illegal Minting
Beyond simply stealing existing liquidity, the attacker exploited the “Mint” function. By creating new, unbacked tokens (CIOTX and CCS), the attacker artificially inflated their haul, effectively devaluing the tokens held by legitimate users in the secondary market.
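The unbacked minting described above is detectable by reconciling destination-chain mints against source-chain deposits. The following is an added example, not code from IoTeX or from the original report; it assumes a lock-and-mint bridge in which every mint references a deposit by a transfer ID, and the record fields, IDs, and transaction labels are hypothetical, constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Lock:            # deposit observed on the source chain (hypothetical fields)
    transfer_id: str
    token: str         # wrapped token this deposit entitles the user to
    amount: int

@dataclass(frozen=True)
class Mint:            # mint observed on the destination chain (hypothetical fields)
    transfer_id: str
    token: str
    amount: int
    tx: str

def find_unbacked_mints(locks, mints):
    """Return (mint, reason) for every mint that no source-chain lock covers."""
    by_id = {lock.transfer_id: lock for lock in locks}
    consumed = set()   # transfer IDs already used by an earlier valid mint
    findings = []
    for m in mints:
        lock = by_id.get(m.transfer_id)
        if lock is None:
            findings.append((m, "no matching lock"))
        elif m.transfer_id in consumed:
            findings.append((m, "lock already consumed"))
        elif (lock.token, lock.amount) != (m.token, m.amount):
            findings.append((m, "token/amount mismatch"))
        else:
            consumed.add(m.transfer_id)
    return findings

# Constructed sample data, not real chain records.
LOCKS = [Lock("t1", "CIOTX", 5_000), Lock("t2", "CIOTX", 1_200)]
MINTS = [
    Mint("t1", "CIOTX", 5_000, "tx-a"),        # backed by lock t1
    Mint("t2", "CIOTX", 9_999, "tx-b"),        # amount exceeds the lock
    Mint("t1", "CIOTX", 5_000, "tx-c"),        # second mint against lock t1
    Mint("t9", "CIOTX", 111_000_000, "tx-d"),  # no deposit exists at all
]

if __name__ == "__main__":
    for mint, reason in find_unbacked_mints(LOCKS, MINTS):
        print(f"ALERT {mint.tx}: {mint.amount} {mint.token} ({reason})")
```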
Obfuscation and Laundering
To avoid detection by Centralized Exchanges (CEXs), the attacker converted the diverse basket of stolen assets into 2,319 ETH ($3.94M). Subsequently, they utilized the cross-chain liquidity protocol THORChain, which requires no KYC, to swap the ETH for 62.15 BTC.
This level of technical sophistication in moving funds is becoming common. Just as this attacker used complex swaps to hide their trail, other scammers are using deceptive on-chain tactics, such as address poisoning scams that drain USDT by tricking users into sending funds directly to criminal-controlled wallets.
Critical Wallet Addresses (On-Chain Evidence)
The following addresses are central to the ongoing investigation and should be monitored by security researchers:
A) Ethereum Exploit Entry Point:
The origin of all draining transactions:
0x6487b5003369f88034a7e94628a887ed442f
B) ETH Relay and Swap Hubs:
- 0xa5f24f4f89f62dd2df9a4a46b9f81f6590025d97: Contains approximately $248K in frozen assets recovered by exchanges.
- 0x39c188…: Used for DEX swaps and the final THORChain outbound bridge.
C) Bitcoin Destination Wallets (Current Status: Unspent):
As of February 23, the stolen funds remain parked in the following BTC addresses:
- 135oSa2fobTxtHtm5dwTREDyRY2o1DG1Aw: Balance ~13.80 BTC (~$941,000)
- 16xusPKLMyqK68SkhfXDtic6AJPDi51tqh: Balance ~19.966 BTC (~$1.3 Million)
- 12V7jhcPnqnGbRFMasSW2CZVBd8qpvUgAK: Balance ~9.72 BTC (~$664,000)
- 1PN2BoHU4buDQWcrNHk9T9NBA2qX8oyYEc: Balance ~18.66 BTC (~$1.28 Million)
Financial and Market Impact
- Gross Theft: Estimated between $8,000,000 and $9,000,000.
- Net Loss: Reduced to $2,000,000 through the cooperation of CEXs (Binance, OKX) and the prompt freezing of accounts.
- Token Performance: IOTX experienced a 9% intraday drop following the news. The token remains down approximately 87% from its All-Time High (ATH).
- Community Sentiment: While bridge reserves were hit, user wallets on the IoTeX Mainnet remained unaffected, providing some relief to the long-term holder base.
Mitigation and Industry Lessons
The IoTeX team’s response serves as a blueprint for crisis management:
- Swift Interdiction: The decision to pause the bridge within hours was the single most effective factor in limiting the loss.
- Strategic Collaboration: Working with Binance and other hot wallet originators allowed for the identification of the attacker’s entry points.
- Infrastructure Hardening: Moving forward, IoTeX has implemented mandatory Hardware Security Modules (HSM) and enhanced Multi-sig protocols for all validator keys.
Lessons for the DeFi Ecosystem:
- Key Management is Everything: A single point of failure in private key management can jeopardize a billion-dollar protocol.
- Bridge Vulnerability: Cross-chain bridges remain the “weakest link” in the blockchain stack. Decentralized monitoring and real-time alerts are no longer optional.
- The THORChain Dilemma: The ease with which hackers can bridge into BTC via THORChain highlights a growing need for better on-chain tracing tools and regulatory discussions regarding non-custodial bridges.
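One form the real-time alerting called for above can take is a rolling-window outflow limit on the bridge vault that triggers a pause recommendation. This is an added example, not code from IoTeX or from the original report; the withdrawal amounts, the one-hour window, and the $1M limit are constructed assumptions, with a burst placed at 09:15 UTC only to mirror the timeline.

```python
from collections import deque

def first_breach(withdrawals, window_s, limit_usd):
    """Return the timestamp at which outflow inside a rolling window of
    window_s seconds first exceeds limit_usd, or None if it never does."""
    window = deque()   # (timestamp, usd) entries still inside the window
    total = 0
    for ts, usd in sorted(withdrawals):
        window.append((ts, usd))
        total += usd
        # Drop entries that have aged out of the window ending at ts.
        while window[0][0] <= ts - window_s:
            total -= window.popleft()[1]
        if total > limit_usd:
            return ts
    return None

def hhmm(ts):
    """Format seconds since 00:00 UTC as HH:MM."""
    return f"{ts // 3600:02d}:{ts % 3600 // 60:02d}"

# Constructed sample: (seconds since 00:00 UTC, USD value leaving the vault).
WITHDRAWALS = [
    (3600, 40_000), (14400, 55_000), (25200, 30_000),        # routine traffic
    (33300, 900_000), (33360, 1_100_000), (33420, 750_000),  # burst from 09:15
]

if __name__ == "__main__":
    ts = first_breach(WITHDRAWALS, window_s=3600, limit_usd=1_000_000)
    if ts is not None:
        print(f"PAUSE RECOMMENDED at {hhmm(ts)} UTC: hourly outflow limit exceeded")
```

Routine withdrawals age out of the window before the burst, so only the burst itself counts toward the limit.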
The IoTeX Bridge hack of 2026 is a stark reminder that security is not a static state but a constant race against bad actors. While the recovery of $6 million is a victory for the community, the remaining $2 million loss highlights the persistent risks of centralized key management. As we move toward a multi-chain future, transparency, rapid response, and robust encryption must remain the industry’s top priorities.








