Thursday, February 26, 2026

One compromised private key. One Saturday morning. One bridge that handed over the keys to everything it was supposed to protect.

On February 21, 2026, an attacker quietly obtained the owner key to IoTeX's ioTube bridge validator contract, and with it, administrative control over every asset the bridge was holding.

No exploit. No zero-day. No clever math. Just a single key in the wrong hands, and a four-step execution that drained $4.4M in real bridged assets from the TokenSafe and minted 410 million unbacked CIOTX tokens on top of it.

Onchain investigator Specter was first to flag the bleeding, reporting $4.3M drained.

PeckShield escalated to $8M within ninety minutes.

By the time IoTeX co-founder Raullen Chai told The Block the losses were "around $2M," three different numbers were already circulating and none of them were wrong, they were just counting different things.

Here's what actually happened: The attacker physically stole $4.4M in real assets - USDC, USDT, WBTC, WETH, IOTX, PAXG, DAI, BUSD, and UNI - directly from the bridge reserves.

According to Defimon Alerts, they minted 821 million CIOTX (~$4.09M) and 9.3 million CCS tokens (deprecated tokens with no market value, per Chai) out of thin air using the same stolen access.

IoTeX's own accounting later cited 410M CIOTX, a figure the on-chain mint record does not support.

10 confirmed mint transactions on Ethereum, that total roughly 821M. IoTeX has not explained the discrepancy.

IoTeX's $2M "net loss" claim rests on their assertion that 86% of those minted tokens are now frozen on-chain with no liquidity and can't be moved.

The number that doesn't require trusting anyone: 66.77 BTC (~$4.29M) sitting in four freshly created Bitcoin wallets, visible to anyone with a browser, untouched as of February 23.

IOTX dropped 22% on the news (from $0.0054 to below $0.0042), trading near $0.00467 as of February 24 - roughly 98% below its all-time high of $0.255 set in November 2021.

South Korea's Upbit placed IOTX on its trading alert list and suspended deposits.

IoTeX distributed an emergency patch to chain delegates to blacklist attacker addresses, consensus would resume automatically once enough patched delegates came online, suspended the bridge pending a full independent audit, and began coordinating with exchanges to freeze what they could.

Their L1 chain is currently back online.

The attacker, meanwhile, had already moved through THORChain and is holding stolen assets on Bitcoin.

When a single key can silently transfer ownership of every contract in your bridge stack, what exactly is the security model protecting?

Read more »

We provide an anonymous platform for whistleblowers and DeFi detectives to present their information to the community. All authors remain anonymous. 
We are all rekt.