IoTeX Bridge Exploit Sparks Debate Over Losses, Recovery Prospects as CEO Offers 10% Reward

IoTeX offered a 10% white hat reward to the hacker or hackers who exploited a private key on its ioTube cross-chain bridge, siphoning off millions of dollars, in exchange for the voluntary return of funds within 48 hours.

By this measure, IoTeX is offering $440,000 if the malicious actor or actors return approximately $4.4 million they stole, according to an IoTeX X post, which IoTeX co-founder and CEO Raullen Chai pointed to “as a source of truth” on Monday.

Chai told CoinDesk that the team sent a chain message offering not to take legal action or share identifying information with authorities if the remaining funds are returned.

“This refers to the ioTube bridge exploit on February 21, 2026,” Chai said in the message. “All fund movements in Ethereum, IoTeX and bitcoin have been fully traced.”

The message indicates that currency deposits have been flagged and frozen and offers a 10% reward for the return of the remaining funds.

Chai also said that IoTeX is releasing a new version of the chain, Mainnet v2.3.4, which requires node operators to upgrade. The update includes a default blacklist of malicious externally owned account (EOA) addresses.

“This blacklist contains a list of malicious or problematic EOA addresses that will be filtered by the node,” Chai said.

The offer comes after a February 21 exploit in which a compromised validator owner’s private key allowed unauthorized control over ioTube bridge contracts.

IoTeX said the incident is “under control,” adding that its Layer 1 blockchain was not affected and that the breach was isolated to the Ethereum-side bridge infrastructure.

The IOTX token fell approximately 22% after the exploit, dropping from $0.0054 to below $0.0042 before partially recovering.

Cross-chain bridges have been one of the main points of failure for cryptocurrencies, with several high-profile exploits in recent years. According to industry reports, more than $3.2 billion has been lost due to cross-chain bridge hacks, making them a prime target for advanced threat actors.

Key responsibility and control

IoTeX framed the exploit as a bridge-specific operational issue rather than a failure of its Layer 1 network.

“IoTube is the IoTeX cross-chain bridge built and maintained by their team,” Nick Motz, CEO of ORQO Group and CIO of Soil, told CoinDesk. “The breach was due to a compromised validator owner’s private key on the Ethereum side, which is fundamentally an operational security flaw, not a smart contract vulnerability discovered by an external actor.”

Motz agreed that IoTeX Layer 1 was not compromised, but said user funds were specifically entrusted to the bridge.

“When bridge infrastructure is built and operated and key management is what fails, it’s hard to separate yourself from that outcome,” he said.

Nanak Nihal Khalsa, co-founder of human.tech, said that responsibility in the cryptocurrency space often comes down to the custody of keys.

“Yes, whoever has the private key is responsible for protecting it,” Khalsa said. “Is that a reasonable responsibility? It’s hard to say. But that’s how the industry works right now.”

He added that liability rules remain unresolved compared to traditional finance and called for more robust wallet and multi-signature setups to reduce similar risks.

Estimates diverge

On-chain analysis by security firm PeckShield estimated that more than $8 million in assets were affected, saying the attacker exchanged funds in ether (ETH) and began connecting them to bitcoin via THORChain.

“The hacker exchanged the stolen funds into $ETH and began connecting them to #BTC via #Thorchain,” the company wrote.

Another on-chain researcher, Spectre, said on X that “@iotex_io’s private key may have been compromised,” resulting in an estimated loss of $4.3 million.

“Once assets are routed through THORChain […] recovery becomes extremely difficult,” Motz said.

IoTeX said it has identified four bitcoin addresses containing 66.78 BTC worth approximately $4.3 million at current prices and that the addresses are being monitored in cooperation with the exchanges.

A CoinDesk review of those addresses on February 23 confirmed that they held approximately 66.6 BTC.

IoTeX did not immediately respond to CoinDesk’s request for comment.

“Containment is not the same as recovery,” he added. “Assets with real market value were exchanged and bypassed. In my opinion, they are unlikely to be recovered.”

Khalsa also warned that recovery prospects are uncertain. “It’s difficult to predict how much, if anything, can be recovered,” he said.

IoTeX revised its figure upward to approximately $4.3 million, reflecting direct asset flight but excluding minted tokens. Motz said broader estimates may better capture the severity of the breach.

“Private key compromise, rather than smart contract bugs, is emerging as a dominant attack vector,” Motz said, noting that such incidents target operational security rather than audited code.

Before offering the 10% reward, IoTeX said that a compensation plan would be implemented within the next 48 hours.
