The Verus-Ethereum Bridge is the latest name on a list that keeps growing in 2026.

On May 18 — today — hackers extracted 103.6 tBTC, 1,625 ETH, and approximately 147,000 USDC before swapping everything into roughly 5,402 ETH. All of it currently sitting in wallet 0x65Cb…25F9. The attack was detected while still active by Blockaid's exploit detection system — which means the drain was happening in real time before anyone could stop it.

The preparation pattern is textbook. The attacker's address was funded with 1 ETH through Tornado Cash approximately 14 hours before the exploit. That's not coincidence. That's a standard playbook — obscure the funding source, wait for the trail to cool, then execute.

What makes this one particularly significant is the timing. Kelp DAO was drained for $292 million weeks ago. Solv Protocol just migrated $700 million in tokenized Bitcoin infrastructure off LayerZero onto Chainlink CCIP specifically because of cross-chain bridge security concerns. The industry was already mid-conversation about bridge vulnerabilities when this one hit.

Whether the vector came from validator systems, smart contract logic, or something else in the protocol architecture — the outcome is always the same. Bridges hold massive locked liquidity. Their complex architecture creates attack surfaces. And the attackers are more patient and more prepared than most bridge security teams.

This is not a new problem. It is the same problem repeating across different protocol names with different dollar amounts attached.

I wrote about bridge vulnerabilities as Part 3 of the Infrastructure Risk series before this happened. Today just proved why that conversation matters.

Users are still waiting for information on recovery and reimbursements. That wait is also familiar.

Bridge security is still the most exploited category in DeFi. Nothing about 2026 has changed that reality.

— R3N | @CRYPT_R3N

Full infrastructure risk breakdown: medium.com/@r3nn