In the days following the attack, during which approximately 5,402.4 ETH worth of assets were stolen, the cross-chain bridge between VerusCoin and Ethereum did not reach the traditional conclusion of “total loss.” On May 22, 2026, according to on-chain public information and disclosures from PeckShield, the attacker reversed 4,052.4 ETH from an address they controlled to the Verus-related address 0xF9AB28cB7b72B518e6a351FbdaBe69362cBC1A74, which accounted for approximately 75% of the total stolen amount, equating to about 8.5 million dollars at the time; the remaining roughly 1,350 ETH, about 2.8 million dollars, was kept by the attacker, with multiple reports directly referring to this 25% as a “white-hat bounty.” This extremely rare ratio design of “70% returned, 30% kept” turned a typical cross-chain bridge attack into an event with the color of “on-chain reconciliation,” and what truly deserves further inquiry is how this approach of returning most of the funds in exchange for factual immunity will change the dynamics of security games around cross-chain bridges and the boundary understanding of so-called white-hat behavior.

The Turning Point from Attack to Fund Recovery

Looking back in time, the starting point of the story was still a rather ordinary cross-chain bridge incident. A few days before May 22, 2026, the VerusCoin <-> Ethereum Bridge, connecting VerusCoin and Ethereum, was exploited by attackers, with assets on the bridge rapidly transferred away, leaving approximately 5,402.4 ETH drained. For those familiar with this space, this scene is not unfamiliar: in many past bridge attacks, contracts were often drained, project teams urgently closed the bridge, and affected users waited for a long time, and once the “stolen assets” figure was written into the announcement, it was very difficult to erase it completely on-chain.

However, the development trajectory of Verus this time clearly deviated from the conventional script of “lost funds.” Shortly after the attack occurred, security agencies began tracking relevant addresses on-chain, with PeckShield identifying and disclosing abnormal transactions based on monitoring. The event quickly escalated within a few days, and on May 22, the turning point appeared in a reverse transaction— the attacker transferred 4,052.4 ETH from their controlled wallet to the Verus-related address 0xF9AB28cB7b72B518e6a351FbdaBe69362cBC1A74. Unlike those suffering bridges that wait endlessly for compensation, this refund, making up about 75% of the stolen amount, made the outsiders realize for the first time that this was no longer a one-sided pillage, but rather a gradual process of “negotiating terms and seeking reconciliation” on-chain. This turning point also laid a decisive foundation for the subsequent 75% of the funds being officially returned.

On-chain Return and Reconciliation of 4,052 ETH

On May 22, 2026, a transaction from the attacker's controlled address to the Verus-related address 0xF9AB28cB7b72B518e6a351FbdaBe69362cBC1A74 was captured by on-chain security agencies: 4,052.4 ETH was returned, amounting to roughly 8.5 million dollars at the price when the event was disclosed. According to AiCoin data, this amount corresponds to about 75% of the previously stolen total of approximately 5,402.4 ETH. PeckShield promptly issued an early warning based on on-chain monitoring for this “returned payment,” and multiple media outlets followed up with reports, with the attack transitioning from one-sided theft to a public “return” that everyone could observe in real-time on their browsers.

More conversationally intriguing was the remaining approximately 1,350 ETH—about 25%, or roughly 2.8 million dollars, which did not get transferred out, but was directly referred to by multiple reports and social media users as a “white-hat bounty.” Numerically, this event was therefore divided into a clear structure of 75% return + 25% bounty: 4,052.4 ETH returned to the project address, 1,350 ETH stayed with the attacker, without lawyers’ letters or arbitration courts, only several transactions recorded in the Ethereum ledger serving as default reconciliation proof, which also made the Verus cross-chain bridge incident resemble a security accident that completed profit allocation entirely on-chain.

The Boundary of White-hat Bounties and Gray Areas

In the traditional sense, white-hat vulnerability bounties have a relatively clear process: researchers disclose vulnerabilities to project parties responsibly, ensuring no actual losses to users occur, and then receive rewards according to pre-announced bounty terms. The path of the Verus cross-chain bridge incident, however, was almost reversed: the attacker first exploited the vulnerability to steal about 5,402.4 ETH, then returned 4,052.4 ETH to the Verus-related address 0xF9AB28cB7b72B518e6a351FbdaBe69362cBC1A74, keeping around 1,350 ETH. Current public information lacks authoritative sources confirming whether Verus had issued clear bounty rules prior to the attack, but numerous bilingual reports have directly designated this 25% retained portion as a “white-hat bounty,” and the identity of the attacker was renamed between “hacker” and “white-hat,” placing the entire process inherently within the gray area between white-hat and hacker.

For Verus and affected users, accepting a 75% fund return was essentially a choice between “zero tolerance on moral grounds” and “maximum damage control in reality”; once this 1,350 ETH is generally recognized by the market as a “bounty,” it equates to completing an after-the-fact signed bounty agreement on-chain. In the past, there have been cases of attackers choosing to return most funds under public pressure and on-chain tracking, ultimately perceived by some as white-hats. This model of first using vulnerabilities to “lock in chips” and then exchanging returns for immunity and bounty might objectively provide a new profit expectation for future attackers: as long as they are willing to return the majority, they could have the opportunity to complete the “whitewashing” in gray areas. For project parties, this is both a pragmatic option to raise short-term fund recovery rates and a potential amplifier of moral risk. The Verus cross-chain bridge’s precedent of achieving on-chain reconciliation with 75% returned and 25% retained will likely be used as a negotiation anchor by parties in subsequent security incidents, thus changing the entire industry’s understanding of the boundaries of “white-hat bounties.”

How On-chain Transparency Approaches a “Collaborative Outcome”

In traditional finance, disappearing with the money used to be the default script for attackers; however, in the Verus cross-chain bridge incident, this script was rewritten from the beginning by the public ledger. The cross-chain bridge contracts and the attacker’s address were exposed on a public blockchain, with every transfer, split, and passage leaving permanent records. Following the attack, security agencies swiftly locked down the involved addresses based on on-chain monitoring and tracked the abnormal transfer of approximately 5,402.4 ETH, leading up to the key transaction on May 22 when the attacker returned 4,052.4 ETH to the Verus-related address 0xF9AB28cB7b72B518e6a351FbdaBe69362cBC1A74. PeckShield and other agencies successively labeled these paths and disclosed them to the public. For the attacker, this means that regardless of how the funds were maneuvered, they would be tagged as “dirty money,” and any future attempts to exit through exchanges, protocols, or other on-chain services could trigger risk controls and blacklist them, thus progressively raising the cost of continuing to hold or realize all stolen assets.

In such a structure, the funding path and address labels themselves become bargaining chips at the negotiation table: project parties could use “your every move is being seen” and “these addresses could be blocked more broadly at any moment” to push for lower prices while leaving room for gray reconciliation of “returning most, keeping a small part” under public and compliance pressure. In this case, the attacker, under continuous public monitoring and reporting, chose to return approximately 75% of the ETH while retaining about 25%, which was described by several reports as “white-hat bounty,” reflecting a practical implementation of this game logic. For cross-chain bridge designers, this raises a more ruthless yet realistic risk management proposition: when preparing for the worst-case scenario, it cannot only consider technical pauses of contracts, upgrades, and repairs but must also clearly plan what steps the entire team is willing and able to take if entering a “negotiation stage”—from monitoring and disclosure strategies to whether to accept partial fund loss in exchange for rapid first aid—so that they face the complete risk profile of cross-chain bridges as high-risk infrastructure only after including this space in threat modeling.

White-hat Transformation of Cross-chain Bridges Post-Verus

In the Verus cross-chain bridge incident, the attacker first stole approximately 5,402.4 ETH, and then on May 22 identified 4,052.4 ETH back to 0xF9AB28cB7b72B518e6a351FbdaBe69362cBC1A74, packaging the 1,350 ETH they retained as a “white-hat bounty,” effectively completing a partial reconciliation on-chain at a ratio of “75% returned + 25% bounty,” without court intervention or forced law enforcement traces. This provided a realistic template for “black hat to white hat transformation” in the heavily affected area of cross-chain bridges. For future cross-chain and DeFi projects, a more feasible strategy is not to passively enter such temporary negotiations afterward but to clarify during normal operations: what the upper limits of bounty funds are, who has the authority to recognize “white-hat bounties” under what conditions during emergencies, and how user asset gaps will be compensated along established paths, thus aiming to preemptively transform gaming space into public safety budgets and rules rather than allowing attackers to dictate pricing afterward. What remains to be observed is whether future attackers will further increase the stakes above Verus’s 25%, attempting to elevate the “white-hat bounty” ratio, and how project parties and potential regulators will treat such gray reconciliations reached through on-chain transactions. These variables will determine whether the Verus model will solidify into a replicable security governance tool or merely be proven as a one-time compromise under pressure.

Join our community, let’s discuss together, and become stronger!
On-chain Telegram community: https://t.me/AiCoinWhaleData
On-chain community: https://www.aicoin.com/link/chat?cid=10000322
AiCoin on-chain Twitter: https://x.com/aicoinwhaledata
AiCoin exclusive Hyperliquid benefits: https://app.hyperliquid.xyz/join/AICOIN88
AiCoin exclusive Aster benefits: https://www.asterdex.com/zh-CN/referral/9C50e2

免责声明：本文章仅代表作者个人观点，不代表本平台的立场和观点。本文章仅供信息分享，不构成对任何人的任何投资建议。用户与作者之间的任何争议，与本平台无关。如网页中刊载的文章或图片涉及侵权，请提供相关的权利证明和身份证明发送邮件到support@aicoin.com，本平台相关工作人员将会进行核查。