One private key. That's all it took to compromise the IoTeX ioTube bridge in February 2026.
The attacker got hold of the validator owner key for the Ethereum side of the bridge. With it, they upgraded the Validator contract to a malicious version that stripped out all validation checks. From there, they drained the TokenSafe vault — USDC, USDT, IOTX, WBTC — and minted roughly 111 million CIOTX tokens and 9.3 million CCS tokens out of thin air.
Total losses? Depends who you ask. IoTeX said $2 million in confirmed economic impact. PeckShield put it above $8 million when you count the minted tokens. That disagreement matters — whether minted-but-frozen tokens count as realized losses affects everything from insurance claims to regulatory filings.
How it worked
Cross-chain bridges lock assets on one chain and issue representative tokens on another. The security of that model depends entirely on whoever controls the validators. In ioTube's Proof-of-Authority setup, a small number of keys hold outsized power. One key controlled contract upgrades, vault access, and token minting.
The attacker upgraded the contract, removing all signature checks, then moved through 189 transactions in rapid sequence — grabbing assets, minting tokens, swapping to ETH on Uniswap, and bridging everything to Bitcoin through THORChain. Within hours, the stolen funds were sitting in four BTC wallets holding about 66.6 BTC.
IoTeX's CEO told The Block the attack was likely planned six to eighteen months in advance. This wasn't someone stumbling onto an unlocked door.
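The sequence described above, a contract upgrade followed within minutes by vault withdrawals and mints, is a pattern a monitor can flag. The sketch below is an added example, not code from IoTeX or from this article; the event labels, sender addresses, time window and threshold are assumptions, and the log is constructed.

```python
from collections import namedtuple

Event = namedtuple("Event", "ts contract kind sender")

# Constructed sample log, not real chain data. Event kinds are assumed labels
# that a log decoder would emit: "upgrade", "vault_withdraw", "mint".
SAMPLE = [
    Event(100, "TokenSafe", "vault_withdraw", "0xuser1"),  # normal bridge use
    Event(5000, "Validator", "upgrade", "0xkeyA"),         # upgrade, then burst
    Event(5030, "TokenSafe", "vault_withdraw", "0xkeyA"),
    Event(5045, "TokenSafe", "vault_withdraw", "0xkeyA"),
    Event(5060, "CIOTX", "mint", "0xkeyA"),
    Event(5075, "CCS", "mint", "0xkeyA"),
    Event(90000, "Validator", "upgrade", "0xkeyB"),        # quiet upgrade
    Event(99000, "TokenSafe", "vault_withdraw", "0xuser2"),
]

PRIVILEGED = {"vault_withdraw", "mint"}


def upgrade_bursts(events, window=3600, min_actions=3):
    """Return one alert per upgrade that is followed by at least
    `min_actions` privileged events within `window` seconds."""
    events = sorted(events, key=lambda e: e.ts)
    alerts = []
    for i, up in enumerate(events):
        if up.kind != "upgrade":
            continue
        follow = [e for e in events[i + 1:]
                  if e.ts - up.ts <= window and e.kind in PRIVILEGED]
        if len(follow) < min_actions:
            continue
        kinds = {e.kind for e in follow}
        alerts.append({
            "upgrade_ts": up.ts,
            "contract": up.contract,
            "actions": len(follow),
            "kinds": sorted(kinds),
            # One sender upgrading, draining and minting is the single-key pattern.
            "single_key": kinds == PRIVILEGED
                          and all(e.sender == up.sender for e in follow),
        })
    return alerts


if __name__ == "__main__":
    for alert in upgrade_bursts(SAMPLE):
        print(alert)
```

A timelock on upgrades would turn this kind of alert into lead time, since the upgrade event would precede any privileged action by the delay period.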
The response
IoTeX acted fast. They froze 80–90% of the unauthorized tokens at the bridge level before they could be sold. The Layer 1 chain, consensus, and non-Ethereum bridges were all unaffected. Two days later, they sent an on-chain message offering the attacker a 10% bounty to return the rest.
The quick containment actually helped the forensic picture. Because most illicit tokens were frozen before liquidation, the evidence trail stayed relatively intact. Compare that to cases where assets scatter across dozens of chains before anyone reacts — a much harder starting point.
What made it hard to investigate
Multi-chain incidents are always a headache. You're working across IoTeX, Ethereum, and Bitcoin — three chains with different data structures, block times, and explorer tooling. Building an accurate timeline means careful cross-chain synchronization.
The minted tokens added another layer. If you don't track them separately from legitimately circulating tokens, you distort both the forensic analysis and loss calculations.
And once funds hit THORChain, the trail gets significantly harder to follow. Those swaps happen at the protocol level, not through identifiable exchange accounts.
On-chain analysts also flagged a funding trail overlap with the $49M Infini hack from February 2025. No formal attribution yet, but worth watching — it suggests the same group may be behind multiple bridge exploits.
The real lesson
Private key compromises accounted for 88% of stolen funds in Q1 2025, and the pattern continued into 2026. When one key controls upgrades, vault access, and minting authority, you're one compromise away from total loss. IoTeX has committed to redesigning with stronger multi-party key custody. Given that this attack was planned over a year in advance, the redesign can't afford to be incremental.