On May 18, 2026, the security organization Blockaid reported that the Verus-Ethereum cross-chain bridge was under attack, with assets on the bridge being continuously withdrawn, resulting in losses of approximately 11.58 million dollars, and the attack was still ongoing at the time of the incident exposure; almost within the same time window, another dark industrial chain bypassed the contracts themselves, using a softer entry point—hacker groups were accused of quietly taking over multiple high-profile X accounts, including investor Keith Gill (@TheRoaringKitty), Pepe the Frog creator Matt Furie, and the official WinRAR account, continuously releasing promotional content for weeks, guiding users to buy their self-created tokens, and then utilizing multiple public chains such as Solana, BNB Chain, Ethereum, and Tron for cross-chain transfers and money laundering, with cumulative profits estimated to exceed 14 million dollars. On-chain analyst Specter has publicly organized some behavior paths of these addresses and accounts; currently, there is no evidence to suggest that the attack on the Verus cross-chain bridge and this account hijacking scam originated from the same organization, but the high temporal overlap of the two incidents and the loss of 11.58 million dollars caused by 'infrastructure vulnerabilities' compared to over 14 million dollars gained through 'social engineering hijacking' methods forces the entire cryptocurrency industry to face a question again: when both protocol security and social security are simultaneously compromised, how much can existing defenses still hold against such refined attacks?
Verus cross-chain bridge suffers 11.58 million loss
On May 18, the monitoring system of the security organization Blockaid sounded the alarm: there were abnormal outgoing behaviors on the Verus-Ethereum cross-chain bridge, with assets on the bridge being systematically emptied. Blockaid disclosed that by the time they issued the warning, the cross-chain bridge had already suffered a loss of approximately 11.58 million dollars, and the attack had not stopped; funds were still being continuously transferred. This indicates that Verus, as an asset channel connecting Ethereum and another chain, was in an 'open state' for a considerable period, leaving all assets and applications passing through and relying on this bridge in a position of unknown risk.
To understand the weight of 11.58 million dollars, it is crucial to consider the position of cross-chain bridges within the DeFi system. Cross-chain bridges facilitate the transfer of assets between different public chains, and once issues arise at the bridge end, it is often not just one or two users that suffer, but all the traffic on the entire 'cross-chain asset highway.' Unlike ordinary contracts, cross-chain bridges aggregate a large amount of locked assets and cross-chain certificates, often relying on complex smart contract logic or a few key signatures to maintain operation; therefore, they have always been prime targets for attackers—common attack vectors involve either the precise exploitation of vulnerabilities within the contract itself or breaching key signature keys off-chain. Regarding the Verus incident, publicly available information has yet to indicate any specific type of vulnerability, suspicious transaction details, or internal implementation analysis of the contract; the external community can only categorize it as the latest example of 'cross-chain bridges having issues' and thereby confirm again that in a multi-chain world, once such infrastructure is compromised, the radius of risk dispersion almost never remains limited to a single contract level.
X accounts compromised: celebrities used for fraud
If the failure of cross-chain bridges exposes vulnerabilities at the protocol level, another attack line that surfaced simultaneously is the blatant 'human engineering.' According to on-chain analyst Specter, a hacker group took over multiple high-profile people's and brands' X accounts over a few weeks, including the investor Keith Gill (@TheRoaringKitty), who gained fame through the 'Roaring Kitty' image, Pepe the Frog creator Matt Furie, and the official WinRAR account. The precise timing of when each account was hijacked and the specific names of the promoted tokens mainly come from single sources and need further cross-verification, but it is already quite clear that accounts were used for fraud.
Once in control of these accounts, hackers began to intensively publish content related to new tokens, creating a FOMO atmosphere with phrases like 'internal opportunities' and 'limited-time issuance,' guiding retail investors into engagement with their self-created tokens, thus constructing a typical social engineering scam: what users trust is the celebrity avatar and the verified blue tick, rather than the actual key holders behind it. As funds were funneled in, the group then facilitated cross-chain transfers and laundering through multiple public chains, including Solana, BNB Chain, Ethereum, and Tron. Estimates suggest this model has generated over 14 million dollars for them, exerting a significant impact on the trust system of retail investors that relies on 'avatar endorsement' for decision-making and the overall account security reputation of the platform.
Multi-chain money laundering routes extend pursuit battles
After completing token arbitrage and initial cashing out, such groups standardly break down their profits into several small pools of funds: some are exchanged for other assets on the original chain via decentralized exchanges and then bridged to Solana, followed by further exchanges within the local ecosystem; another portion is successively bridged to BNB Chain, Ethereum, and Tron, repeating the 'exchange-split-cross-chain' process. As disclosed in public materials, in this case, the use of multiple mainstream public chains such as Solana, BNB Chain, Ethereum, and Tron has stretched profits originally concentrated in a few addresses into a complex set of monetary trails, greatly elongating the detection paths.
Cross-chain money laundering is tricky because each jump between chains and each asset conversion interrupts the continuity of traditional on-chain analysis: different public chains use different address systems and transaction semantics, while bridging protocols and DEX insert multiple intermediary addresses in between, causing the origins and destinations of funds to be layered and restructured. Under this kind of path spanning multiple ecosystems, reconstructing the flow of funds post-event and further pinpointing responsible entities poses real pressure on technological capabilities and cross-border judicial evidence collection. Although on-chain analysis tools continue to advance in multi-chain identification, labeling systems, and path restoration, public information shows that facing such multi-chain, multi-hop, frequently-exchanged models, quickly identifying and effectively blocking during attacks and laundering remains quite challenging; this is precisely the current ceiling faced by tracking technology and cross-border law enforcement collaboration.
The resonance risk of cross-chain bridges and social engineering
On one end is the 'invisible' underlying infrastructure being compromised. On May 18, 2026, the Verus-Ethereum cross-chain bridge was monitored by a security organization as being under attack, with funds being continuously withdrawn at the contract level, with reported losses of approximately 11.58 million dollars, typically falling under the category of exploiting vulnerabilities at the protocol and smart contract infrastructure levels: as long as a gap opens in the bridge's logic, the assets layered upon it will be quickly drained. On the other end is the 'visible' information entrance being quietly taken over: hacker groups hijacked several high-profile X accounts including Keith Gill (@TheRoaringKitty), Pepe the Frog creator Matt Furie, and WinRAR official; using the trust halo of 'official' and 'celebrity' to promote self-created tokens, then frequently transferring between multiple public chains like Solana, BNB Chain, Ethereum, and Tron, with cumulative profits estimated to exceed 14 million dollars. The timing of both types of incidents largely concentrated in the same recent phase, but existing public information clearly indicates that it remains undecided whether there is a direct correlation between the Verus cross-chain bridge attack and this X account hijacking scam, lacking concrete evidence to validate the operation of the same hacker group.
For ordinary users, this highly overlapping timing of risks, independent in dimension, feels like being compressed simultaneously from both upper and lower layers: on the technical level, even if users never actively participate in high-risk cross-chain operations, as long as the bridge or protocol they rely on is breached, on-chain assets may still be affected without any awareness; on the cognitive level, even if the contract itself is not faulty, once users regard the hijacked 'official' or 'celebrity' accounts as trustworthy sources, driven by emotions and herd mentality to engage in token trading, they may fall into a carefully arranged trap. When infrastructure vulnerabilities and social engineering take turns appearing at the same stage, relying solely on 'being careful' or preventing a single risk point has become challenging to constitute a complete defense.
What can we learn from this dual incident
From the ongoing handling of the Verus-Ethereum cross-chain bridge attack to the token fraud involving hijacked high-profile X accounts, it is quite clear: the system's vulnerabilities lie on one hand in contracts and architecture, and on the other in accounts and attention. For cross-chain bridge project teams, in the absence of a complete technical review and remediation plan for the current Verus incident, the identifiable improvement direction is nothing new—past incidents have already proven that more thorough contract auditing, more granular real-time monitoring, and risk switches that can be pulled at any time can at least narrow the loss window after an attack is discovered, rather than allowing assets to continue to be drained as seen this time even after being detected. More crucially, emergency plans need to be written in runbooks, not press releases: who has the authority to pause the bridge under what conditions, how to quickly issue risk warnings externally, and how to collaborate with security teams and analysts to track suspected attack addresses need to be rehearsed in advance rather than dealt with post hoc. Platforms and KOLs must acknowledge their role as amplifiers in on-chain scams—this time, the hacker group was able to estimate that over 14 million dollars were siphoned through hijacking accounts such as @TheRoaringKitty, Matt Furie, and WinRAR, largely relying on gaps in the platform's account protection, abnormal login detection, and content review; high-impact accounts that do not default to enable hardware keys and multi-factor authentication or set higher scrutiny thresholds for 'sudden appearing speculative posts' are, in effect, providing ready ammunition for social engineering attacks. As for ordinary users, what needs to be acknowledged is: the projects and accounts that seem most familiar to you are precisely the ones easiest for hackers to use to bypass your vigilance, so whether engaging in cross-chain operations or participating in new tokens, 'multi-factor authentication' and 'delaying decisions intentionally' should be considered the minimum standard—at least ensure cross-verification of information sources,逐项 comparison of contract addresses, test with small amounts first, and allow time for reflection before deciding whether to stake more.
Join our community, let's discuss and become stronger together!
Official Telegram community: https://t.me/aicoincn
AiCoin Chinese Twitter: https://x.com/AiCoinzh
AiCoin On-chain: https://aicoin.com/hyperliquid
AiCoin exclusive Hyperliquid benefits: https://app.hyperliquid.xyz/join/AICOIN88
AiCoin exclusive Aster benefits: https://www.asterdex.com/zh-CN/referral/9C50e2
免责声明:本文章仅代表作者个人观点,不代表本平台的立场和观点。本文章仅供信息分享,不构成对任何人的任何投资建议。用户与作者之间的任何争议,与本平台无关。如网页中刊载的文章或图片涉及侵权,请提供相关的权利证明和身份证明发送邮件到support@aicoin.com,本平台相关工作人员将会进行核查。
