How IoTeX Responded to the ioTube Bridge Incident: A Full Month in Review

Posted by the IoTeX Foundation

One month ago, on February 21, 2026, IoTeX faced an unprecedented challenge when our ioTube bridge was exploited. Today, we want to take a step back and review everything that happened, including IoTeX's recovery efforts this past month. We are committed to sharing the full picture with our community – you deserved transparency from day one, and you still do.

This is not just an incident post-mortem. It is a record of how the IoTeX Foundation, our Delegates, our exchange partners, and most importantly, our community came together under pressure and emerged stronger.

What Happened

In the early hours of February 21, 2026, our team detected a security breach targeting the Ethereum-side of the ioTube bridge. A sophisticated attacker — later attributed by Chainalysis to the same group behind the $49M Infini exploit — had compromised an employee's machine through a suspected social engineering attack, enabling them to dwell for a prolonged duration within our infrastructure.

On February 21, 01:51 UTC, they initiated the attack by first upgrading an ioTube bridge Validator contract to a malicious version. This authorized the attacker to drain ~$4.4M in bridge reserve assets (WBTC, ETH, USDC, USDT, DAI, PAXG, UNI, BUSD, CCS) and mint 410M CIOTX tokens in an attempt to extract further value from the network.

It was a professional, patient, and carefully planned attack. What followed was our response.

Immediate Response: Hours, Not Days

Our team detected the incident at 8:01 AM UTC on February 21 — within hours of the exploit firing. Our first public community alert went out at 9:39 AM UTC, less than two hours after detection. By 10:03 AM UTC, our validator network had voluntarily suspended the IoTeX chain as a precautionary measure. By that evening, on-chain tracing of all stolen fund movements had been completed.

Let us be clear about something important: the IoTeX L1 chain itself was never compromised. The incident was isolated strictly to the Ethereum-side ioTube bridge contracts. Your IOTX on-chain and on exchanges was safe the entire time. The total supply and circulating supply of IOTX was never affected.

Within 72 hours of the attack:

• 29 attacker wallets had been identified and blacklisted
• Mainnet v2.3.4 was developed, tested, and deployed — permanently freezing ~45M IOTX in attacker wallets at the network level
• The IoTeX chain was back online as of February 24, 06:06 AM UTC
• Formal reports had been filed with the FBI and global law enforcement
• Our team was actively coordinating with Binance and 20+ exchange partners on asset freezes

We want to specifically thank our IoTeX delegates — including iotexcore, binancenode, samsungnext, iosg, ankr, rockx, metanyx, fuzzland, smartstake, and many others — whose around-the-clock coordination made the chain halt and subsequent recovery possible in record time.

Transparent Communication, From the Very Beginning

We published our first full technical incident report within 24 hours. Over the weeks that followed, we published another three official updates that comprehensively covered root cause analysis, chain recovery status, impact clarification, asset tracing, compensation plan, and governance roadmap. We also hosted a live community Q&A on Discord. We published every key development publicly and transparently as it happened to the IoTeX community.

That commitment to transparency extended to our communications to exchanges as well. When DAXA — the Digital Asset Exchange Association representing Korea's major exchanges — issued an Investment Warning against IOTX and asked detailed technical questions, we responded with full forensic documentation, on-chain evidence, precise timelines, and a complete remediation roadmap, addressing every follow-up question in detail in the past whole month.

We believe our community and our regulatory partners deserve the same quality of information. That will never change.

100% Compensation for All Impacted Users

From the moment we published our first update, we made one unconditional promise: every affected user will receive 100% compensation, regardless of how much of the stolen funds are ultimately recovered. All compensation is funded entirely from the IoTeX Foundation Treasury in stablecoins and non-IOTX reserves, with zero IOTX liquidation on public markets.

We first executed upon that promise by launching the ioTube Claims Portal on March 2, nine days after the incident. The compensation structure is outlined below:

• Tier 1 (≤ $10,000 affected): 100% immediate payout in stablecoins — covering over 90% of all affected wallets
• Tier 2 (> $10,000 affected): $10,000 immediate payout + remaining balance in quarterly tranches over 12 months + a 10% Loyalty Bonus in 12-month staked IOTX

As of today, the compensation claim portal is live and payouts are commencing. If you were affected and have not yet submitted your claim, please visit iotube-claims.iotex.io to submit your claim.

Every cent recovered from the attacker will be directed exclusively to compensating affected users or reimbursing the Foundation Treasury. Any recovered funds will be held in a public multi-sig wallet, and we will continue to provide transparent updates on compensation and recovery on a regular basis.

All Major Exchanges Resume Operations Within One Month

Immediately following the incident, deposits and withdrawals were paused across major exchanges as a standard precaution. Our exchange relations team moved immediately, notifying 20+ partners and coordinating closely throughout the recovery. The results speak for themselves:

Within one week: Binance, Coinbase, Bitget, Gate.io, HashKey, KuCoin, MEXC, LBank and more had fully resumed IOTX deposits and withdrawals.

Within one month: a total of 11 exchange partners were fully operational with IOTX deposits and withdrawals re-opened.

IOTX trading itself was never halted on any major exchange throughout the entire incident. Your exchange-held IOTX was safe and tradeable at all times.

Korean Exchanges: Lifting the DAXA Investment Warning

Among the most challenging situations we faced was the Investment Warning issued against IOTX by three major Korean exchanges — Upbit, Bithumb, and Coinone — under DAXA oversight. This kind of warning can have serious implications for trading access and market perception.

We are proud to report that following our comprehensive formal responses to DAXA, the DAXA Investment Warning has been lifted and Korean exchanges have resumed normal deposits and withdrawals for IOTX. This was largely due to our responsiveness and transparency in addressing each and every question from DAXA in full – we provided on-chain evidence, a detailed incident timeline, our complete compensation plan, our security remediation roadmap, and proof of supply integrity.

To our knowledge, IoTeX is one of the only projects that has successfully navigated a DAXA Investment Warning review of this nature in this timeframe. This outcome reflects the quality of the work our team put into response, and the trust we have worked to build with exchanges over the years. We thank DAXA for their fair and thorough cooperation throughout the past month.

Securing the Future of IoTeX: Multiple IIPs, Systemic Reform

The most important thing we can do beyond making affected users whole is make sure this never happens again. We are not simply patching what broke, but replacing it with something fundamentally more secure.

IIP-56: Full Deprecation of CIOTX Across All Networks has passed. CIOTX has been permanently deprecated on Ethereum, Base, Solana, BSC, and Polygon. All exit channels are closed for the attacker-minted tokens and legitimate holders will be compensated through the Claims Portal.

IIP-57: Trustless ZK-Proof Bridge is in the community review phase. This is the future of cross-chain infrastructure on IoTeX: a bridge that mathematically proves IoTeX consensus happened correctly, verified on Ethereum, with zero intermediaries and zero private keys to steal. We are working with the Ethereum Foundation on this and when complete it will be the most secure bridge architecture in the industry.

Beyond the IIPs detailed above, we have completed a comprehensive infrastructure overhaul:

• All bridge contracts transitioned to multi-signature governance
• All GCP and AWS credentials rotated and compromised service accounts decommissioned
• Hardware Security Modules (HSMs) deployed for all sensitive keys, eliminating software-based key storage permanently
• Real-time transaction monitoring with automated alerts and on-chain circuit breakers
• Organization-wide security hardening, including mandatory hardware 2FA, endpoint protection, social engineering awareness training
• Independent third-party security audit of all bridge infrastructure currently underway
• Expanded bug bounty program launched

A Message to Our Community

This was the hardest month in IoTeX's history. A sophisticated, well-funded, and patient adversary targeted us, executed their attack, and exploited weaknesses in our system. There is no minimizing that.

What we can say, with evidence, is this: we detected it fast, we moved decisively, we communicated openly, we protected the core network, we made every affected user whole, we handled every regulatory and exchange relationship with professionalism and transparency, and we used this moment to drive structural reforms that will make IoTeX significantly more secure than it was before.

The IoTeX L1 was never compromised. Our community never lost faith. Our exchange partners stepped up. Our delegates worked around the clock. And the IoTeX Foundation honored every commitment we made.

The fundamentals of IoTeX — our technology, our team, our community, our mission to empower Real-World AI — are intact and stronger than ever. The best days of IoTeX are still ahead. Thank you for standing with us.

— The IoTeX Foundation, March 2026

If you were affected by the ioTube bridge incident, please submit your compensation claim at iotube-claims.iotex.io.