In February 2026, IoTeX was the victim of a hack targeting its ioTube cross-chain bridge. The attacker took advantage of a compromised private key to steal at least $4.4 million from the protocol.
Inside the Attack
The IoTeX hack was made possible by a compromised private key, an increasingly common attack vector in the Web3 space. This key belonged to the account owning the Validator contract on the Ethereum side of the project’s ioTube cross-chain bridge. This key was used to perform a malicious upgrade to the contract that bypassed validation and signature checks and granted the attacker control over the project’s TokenSafe and MintPool.
The TokenSafe is the contract where the project stored its reserves. After gaining access, the attacker drained an estimated $4.3 million worth of tokens from the vault using the administrator privileges assigned to the compromised account.
Control over the MintPool allowed the attacker to perform unauthorized minting of approximately 111 million CIOTX tokens (worth about $4 million). The majority of these tokens were frozen on the IoTeX and Binance blockchains, and only approximately $1.7 million was swapped via a DEX and officially considered “at risk.”
The nature of this attack and the fact that various assets could be frozen contributed to wide variance in the estimated value of the attack. IoTeX initially claimed losses of approximately $2 million and later updated its estimates to $4.4 million in its official write-up. Other estimates of the hack’s value ran as high as $8.8 million since they included the value of the minted assets as well, which IoTeX discounted in their valuation since many of these were later frozen and unusable by the attacker.
Lessons Learned from the Attack
The IoTeX hack was another example of a attack enabled by a compromised private key. The attacker gained control over the account that managed a critical smart contract, upgraded it to bypass protections, and drained and minted tokens for profit.
Protecting against these types of threats requires implementing security best practices such as cold storage and multi-sig wallets. A multi-signature wallet would break control over the contract in question across multiple keys, dramatically increasing the difficulty of performing this type of attack.
While stealing a private key is one way an attacker could have carried out this hack, it’s far from the only one. To learn more about how to address major off-chain security threats, read our blog on top risks to account security and how to prevent them.