ioTube Bridge Incident Update No.2: Chain Resumed, Recovery Underway

IoTeX Blogs

This is our second update since the ioTube bridge security incident on February 21. Our priority remains the security of the network and the total restoration of affected user assets. Today, we are reporting on three key areas: the successful resumption of the IoTeX chain, a definitive impact analysis, and our recovery status and compensation roadmap.

1. The IoTeX Mainnet is Back Online

As of February 24, 06:06 AM UTC, the IoTeX mainnet has resumed full operation.

Over the past 48 hours, our core team worked with delegates around the clock to build, test, and deploy Mainnet v2.3.4. This chain-level security upgrade permanently blacklists all 29 identified attacker wallets. Approximately 45 million IOTX in those wallets is now frozen at the network level and permanently inaccessible to the attacker. No transaction involving these addresses will ever be processed again.

  • Network Status: The chain is producing blocks normally. You can monitor live activity at iotexscan.io/blocks.
  • Delegate Appreciation: We extend our gratitude to the 36 Delegates, including mrtrump, iotexcore, pubxpayments, chainshield, ioseallsimon, envirobloq, hotspotty, longz, ankr, nebulaguard, taskrunner, metanyx, cryptozoo, fuzzland, chainalytics, iotfi, iogpt, moonrise, gamefantasy, humano, iotexlab, satoshimusk, swft, goodwill, smartstake, keys, rockx, iotexn, emmasiotx, coredev, binancenode, matrix, dappera, thebottoken, hofancrypto, and bittaker, whose swift coordination made this recovery possible.

Exchange Coordination:

We have notified 20+ exchange partners and are coordinating closely to restore deposit and withdrawal services.

Deposits and withdrawals were paused as a standard precaution following the incident. Now that the chain is live with the security upgrade in place, we expect services to come back online progressively over the coming hours and days.

We are also working closely with DAXA (the Korean Digital Asset Exchange Association), having submitted a formal response with full incident documentation, our compensation commitment, and our security remediation roadmap.

IOTX trading has remained active on all major exchanges throughout the incident. The chain pause did not affect exchange-held balances — your IOTX on exchanges has been safe the entire time.

2. Clarifying the Actual Impact

Data regarding the total loss has fluctuated in third-party reports. Following a rigorous on-chain forensic analysis, we can provide the following breakdown:

A. Unauthorized Token Minting (410M CIOTX)

While 410 million tokens were minted, 99.5% of these assets have been neutralized:

  • 76.8% (315M): Permanently locked on Ethereum & Base with zero liquidity.
  • 9.9% (40.5M): Permanently frozen via the v2.3.4 upgrade.
  • 12.8% (52.4M): Deposited to Binance; freeze coordination is underway.
  • 0.4% (1.7M): The only portion successfully liquidated via DEX.

B. Bridge Reserve Drain (~$4.4M)

This represents the realized economic loss. The attacker drained reserve assets (USDC, USDT, WETH, WBTC), converted them to approximately 2,183 ETH, and bridged ~1,464 ETH to Bitcoin via THORChain, eventually converting them into 66.78 BTC.

  • These assets are currently held across four identified Bitcoin addresses.
  • Status: Not a single satoshi has moved since Feb 21. These wallets are under 24/7 surveillance and have been flagged globally.

The Bottom Line: While the "face value" of minted tokens appeared high, the actual economic damage is contained. The IoTeX Foundation commits to 100% compensation for every affected user, funded by the Foundation Treasury. A dedicated communication with full eligibility criteria, the claim process, and the portal timeline will follow shortly in the next update.

Behind the scenes, our recovery operation has been running around the clock since the moment we detected the breach. Without going into operational details, here is what we can share:

We have filed formal reports with U.S. law enforcement, including the FBI, and are actively coordinating on preservation requests and subpoenas.

We are working with leading blockchain analytics and asset recovery firms to trace, flag, and freeze stolen assets across every chain and service the attacker touched. Over 20 exchanges have been notified and are cooperating.

We have also engaged independent on-chain investigators who have identified links between this attacker's funding wallet and other recent exploits — suggesting this is the work of an organized threat actor, not an opportunistic hack.

The attacker should understand: the 48-hour bounty window expires on February 25. After that, every tool at our disposal — legal, technical, and investigative — will be brought to bear. The offer to return 90% and walk away still stands. It won't stand forever.

4. Structural Security Upgrades: Making Sure This Never Happens Again

This incident was the result of an operational security failure (compromised key), not a vulnerability in the IoTeX blockchain code or smart contract. To prevent any recurrence, we are implementing:

  • IIP-55: Transitioning to Decentralized Bridge Governance via a multi-party validator committee to prevent a single point of failure
  • Multi-signature + time-lock controls on all privileged bridge operations
  • Independent security audit of all ioTube infrastructure — currently underway
  • On-chain circuit breakers, credential management overhaul, and an expanded bug bounty program

Next Steps:

A full compensation plan will be published in our next update. The dedicated portal for the compensation claim process and eligibility criteria will be released shortly.

Thank you for your continued patience and support as we strengthen the IoTeX ecosystem.

The IoTeX Team
