IoTeX Hack

On February 21, 2026, IoTeX, an IoT-focused blockchain, lost about $8.9 million when an attacker compromised the private keys controlling a cross-chain bridge. Per Halborn, the key compromise allowed the attacker to forge withdrawal transactions and drain bridge reserves, an infrastructure-level failure rather than a flaw in the bridge’s smart-contract logic. The incident fit the dominant Q1 2026 pattern in which private-key and cloud-key management failures, not on-chain bugs, accounted for the majority of classified incidents. It reinforced long-standing guidance for bridge operators to secure signing keys with multi-party computation or hardware modules, distribute validator authority, and continuously monitor reserves for anomalous withdrawals.