News
18 May 2026, 13:40
Citi Warns Bitcoin Faces Unique Quantum Computing Vulnerability Due to Slow Upgrades

BitcoinWorld Citi Warns Bitcoin Faces Unique Quantum Computing Vulnerability Due to Slow Upgrades Bitcoin, the world’s largest cryptocurrency by market capitalization, faces a unique and potentially severe threat from the rise of quantum computing, according to a new analysis from Citigroup. The report, covered by CoinDesk, highlights that Bitcoin’s conservative governance structure and slow protocol upgrade speed make it particularly susceptible to attacks that could compromise a significant portion of its circulating supply. The Core Vulnerability: Exposed Public Keys Citi analyst Alex Saunders identified that the primary weakness lies in public keys that have already been exposed on the blockchain. Unlike modern best practices where public keys are only revealed when a transaction is spent, older Bitcoin addresses and transaction types have their public keys permanently visible. This includes early pay-to-public-key (P2PK) addresses and the wallet widely believed to belong to Bitcoin’s pseudonymous creator, Satoshi Nakamoto. According to recent estimates, between 6.5 million and 6.9 million Bitcoin have already had their public keys exposed. This represents roughly one-third of the total circulating supply, currently valued at approximately $450 billion. In a future where sufficiently powerful quantum computers exist, an attacker could theoretically use Shor’s algorithm to derive the private key from a public key, allowing them to forge transactions or steal funds from those addresses. The ‘Harvest Now, Decrypt Later’ Threat Saunders also warned of a more immediate and insidious tactic: ‘harvest now, decrypt later’ attacks. In this scenario, malicious actors collect encrypted data or on-chain transaction information today, storing it until quantum technology matures enough to decrypt it. This means that even transactions that are secure by today’s standards could become vulnerable in the future, posing a long-term risk to privacy and asset security. The report underscores that while quantum computing is not yet a practical threat to Bitcoin, the window for proactive defense is narrowing. The timeline for when a quantum computer capable of breaking Bitcoin’s Elliptic Curve Digital Signature Algorithm (ECDSA) will exist remains uncertain, with estimates ranging from a decade to several decades. However, the sheer value at stake and the slow pace of Bitcoin’s governance make preparation critical. Why Bitcoin’s Governance Matters Bitcoin’s decentralized and conservative upgrade process, while a strength for security and stability, is a weakness in this context. Implementing quantum-resistant cryptographic algorithms, such as Lamport signatures or lattice-based cryptography, would require a soft fork or hard fork, demanding broad consensus among miners, node operators, and the community. This process can take years, as seen with past upgrades like SegWit or Taproot. The report suggests that Bitcoin’s governance structure may not be able to react quickly enough once a quantum threat becomes imminent. Conclusion The Citi analysis serves as a sobering reminder that even the most established blockchain networks are not immune to future technological disruptions. While quantum computing remains a nascent field, the potential for catastrophic financial loss is real. The report calls for the cryptocurrency industry, and Bitcoin in particular, to begin planning and testing quantum-resistant upgrades now, rather than waiting for a crisis. For Bitcoin holders, the key takeaway is to be aware of the risks associated with old, exposed addresses and to consider moving funds to more secure, modern wallets that minimize public key exposure. FAQs Q1: What makes Bitcoin vulnerable to quantum computers? Bitcoin uses the Elliptic Curve Digital Signature Algorithm (ECDSA) for security. A sufficiently powerful quantum computer could run Shor’s algorithm to derive a private key from a public key, allowing an attacker to forge signatures and steal funds. Bitcoin’s slow upgrade process makes it difficult to implement quantum-resistant cryptography quickly. Q2: How much Bitcoin is at risk? Approximately 6.5 to 6.9 million BTC have already exposed their public keys, representing about one-third of the total supply, valued at roughly $450 billion. This includes coins in early P2PK addresses and the wallet of Satoshi Nakamoto. Q3: What is a ‘harvest now, decrypt later’ attack? This is a strategy where attackers collect encrypted data or on-chain transaction information today, storing it until quantum computers become powerful enough to decrypt it in the future. This means that even current, secure transactions could become vulnerable later. Q4: When will quantum computers actually threaten Bitcoin? Estimates vary widely, but most experts believe a quantum computer capable of breaking Bitcoin’s cryptography is at least 10 to 20 years away. However, the threat is considered credible enough that the industry should begin preparing now due to the long lead time required for protocol upgrades. Q5: What can Bitcoin holders do to protect themselves? Users should avoid using old addresses that have already spent from them (which exposes the public key). Best practices include using modern wallets that generate new addresses for each transaction and not reusing addresses. Moving funds from legacy P2PK addresses to newer SegWit or Taproot addresses is also recommended. This post Citi Warns Bitcoin Faces Unique Quantum Computing Vulnerability Due to Slow Upgrades first appeared on BitcoinWorld .
18 May 2026, 12:59
Verus-Ethereum bridge drained for $11.5M in forged proof exploit

On May 18, an attacker drained approximately $11.5 million from the Verus-Ethereum bridge using a forged Merkle proof. This event adds to the growing number of cross-chain bridge exploits that have now reached $328.6 million in 2026 alone. The Verus-Ethereum bridge is the latest to suffer an exploit in a month that seems to have picked up from where record-making April left off. How was Verus hacked? Blockchain security firm PeckShieldAlert reported that the attacker extracted 103.6 tBTC, 1,625 ETH, and 147,000 USDC from the bridge contract, then swapped the stolen tokens into 5,402.4 ETH worth roughly $11.4 million. The flow of the Verus-Ethereum bridge exploit. Source: PeckShield According to PeckShieldAlert and Blockaid, both of whom independently flagged the exploit, the converted funds reportedly remain in a single wallet at address 0x65Cb8b128Bf6e690761044CCECA422bb239C25F9. Blockaid also identified the attacker’s externally owned account and published the exploit transaction hash. How did the exploit work? Blockaid shared a thread on X, stating that the attack was of the same vulnerability class behind two of crypto’s most notorious bridge hacks, the $320 million Wormhole breach and the $190 million Nomad drain, both in 2022. Attacker EOA: 0x5aBb91B9c01A5Ed3aE762d32B236595B459D5777 Drainer wallet (still holding the funds): 0x65Cb8b128Bf6e690761044CCECA422bb239C25F9 Exploit tx: https://t.co/OqBh2alXGc Bridge contract: https://t.co/EN3LkDfId9 — Blockaid (@blockaid_) May 18, 2026 According to Blockaid, the Verus bridge correctly verified notarized state roots, including cryptographically valid signatures from 8 of 15 notaries. However, the weakness lay in what the bridge failed to check beyond that verification step. Cos, who is the founder of blockchain security firm SlowMist and known as @evilcos on X, stated , “The cause of the hack might be that the attacker constructed a forged Merkle proof, which passed the verification of the Verus Ethereum bridge (not open-source), allowing them to smoothly withdraw the funds (ETH/tBTC/USDC).” Cos added that “specific details need further verification.” Verus ran an emergency patch just two days before hack According to CoinXtreme , Verus had pushed what it called an “urgent and mandatory” emergency update, version 1.2.14-2, just two days before the exploit occurred. The update was described as a fix for a vulnerability; however, it is not yet clear whether the patched issue and the exploited vulnerability are related, as Verus has not publicly commented on the incident as of the time of reporting. Bridge exploits top $328 million this year Eight major bridge-related exploits have now occurred this year, with the Verus bridge being the latest, per PeckShieldAlert. The cumulative loss is around $328.6 million. Bridge exploits are approaching $329M for the year as of May. Source: PeckShield This adds to what is now seen as a pattern that has afflicted cross-chain infrastructure since bridges like Wormhole and Nomad suffered major exploits four years ago. Critics continue to point out that bridges remain high-value targets because they custody large pools of locked assets, and a single verification flaw can unlock the entire pool. The DeFi space has generally been under attack, with large-scale and small-scale attacks spilling from April into May. Cryptoplitan reported on notable exploits that have occurred in May, including exploits against Ink Finance and Renegade that cost a combined $349,000 and a private key compromise at Syndicate Labs that led to the loss of 18.5 million SYND tokens. VRSC , the native token of the Verus network, was trading at approximately $0.75 with a market capitalization of over $60 million at the time of the exploit, according to CoinMarketCap data. If you're reading this, you’re already ahead. Stay there with our newsletter .
18 May 2026, 11:00
Verus-Ethereum bridge hack drains $11.58M – Why DeFi trust is eroding

Repeated bridge exploits continued weakening confidence in multi-chain infrastructure as security risks spread across DeFi ecosystems.
18 May 2026, 10:30
Flagged Live: Attacker Flips $11.5M in Stolen Verus Assets to ETH Following Tornado Cash Setup

A coordinated exploit drained approximately $11.5 million from the Verus-Ethereum bridge on May 18, with security firm Blockaid linking the attacker’s wallet to Tornado Cash. Attacker Converts Loot to ETH and Tornado Cash Trail Emerges The Verus-Ethereum bridge was drained of approximately $11.5 million in a coordinated exploit, with analytics confirming that the attacker extracted
18 May 2026, 09:45
Hacker Drains $11.58 Million From Verus-Ethereum Bridge

A hacker drained approximately $11.58 million in assets from the Verus-Ethereum Bridge in a single transaction on May 17, 2026 — targeting a cross-chain infrastructure project that had explicitly marketed itself as immune to the kind of smart contract exploit that just gutted it. The exploit was flagged in real time by blockchain security firm Blockaid, with details subsequently amplified by on-chain intelligence account @coinxtreme_en on X. According to the post , the drainer wallet — 0x65Cb8b128Bf6e690761044CCECA422bb239C25F9 — received approximately 1,625 ETH worth roughly $3.43 million, 103.57 tBTC worth approximately $7.96 million, and 147,000 USDC in a single outbound transfer. Most of the stolen assets were subsequently converted to ETH through Uniswap, per the X post. The Marketing That Made The Ethereum Attack Worse The attack lands with particular force given how Verus positioned its bridge. The project’s homepage carried language stating the bridge was “validated by protocol rules, not custom code” — a direct appeal to users fatigued by smart contract vulnerabilities that have defined DeFi’s most damaging exploits. The Verus architecture relied on cryptographic proofs, notary witnesses, and protocol-level validation rather than the custom contract logic that attackers have repeatedly targeted across other bridges, per the @coinxtreme_en post. The irony, as the post frames it, is that the “no code to exploit” marketing became the bridge’s most damaging liability once the exploit materialized. A Suspicious Timeline The sequence of events in the 48 hours before the attack raises questions the post describes as smelling like a targeted, sophisticated play rather than opportunistic scanning. Two days prior to the exploit, Verus pushed an emergency update labeled version 1.2.14-2, described by the team as urgent and mandatory, citing an unspecified vulnerability. According to the @coinxtreme_en post, the attacker’s wallet was funded through Tornado Cash approximately 11 to 13 hours after that announcement — a timing pattern consistent with an actor who had prior knowledge of the vulnerability and used the emergency update window to prepare the attack infrastructure before execution. The pattern is not new to DeFi. Emergency patches that reveal the existence of a vulnerability without fully closing it have historically provided sophisticated actors with a narrow window to act before the broader community understands the exposure. Cross-chain bridges remain the most structurally vulnerable layer of decentralized finance, responsible for a disproportionate share of total DeFi losses since 2021. The Verus incident reinforces a principle the nascent sector has paid for repeatedly in nine-figure losses: protocol-level design assumptions, however elegant in theory, are no substitute for formal verification, independent audits, and the operational discipline to pause systems when a credible threat is identified. Another bridge fell. The gap between “unhackable by design” and “unhacked in practice” remains as wide as ever. As of this writing, the Ethereum price shows signs of further downside after a soft weekend. The cryptocurrency is down around 10% over the past week, and around 3% over the past 24 hours. Cover image from ChatGPT, ETHUSD chat from Tradingview
18 May 2026, 08:54
Bitcoin Depot Files for Bankruptcy as Regulatory Pressure and Revenue Collapse Force Shutdown of 9,000 ATMs

Bitcoin Depot North America’s biggest Bitcoin ATM firm has reached an important point in its journey by submitting for Chapter 11 bankruptcy. This news represents a sharp decline for a firm that was once at the forefront of retail crypto access, but is now gearing up to methodically turn off more than 9,000 devices globally. The report, courtesy of PANews on the Bitcoin Depot bankruptcy filing via X (Twitter), underscores the rising pressures facing crypto-adjacent businesses as they operate in an increasingly difficult regulatory environment. It had formerly been seen as a high-flying industry, but gaped now at shrinking revenues, rising compliance cost and reputational pressures. 北美最大比特币 ATM 运营商申请破产了 北美最大比特币 ATM 运营商 Bitcoin Depot 已向法院申请第 11 章破产,将逐步关停全球超 9000 台机器。 公司 CEO 称监管环境变化导致商业模式不可持续,各州合规义务趋严,部分司法管辖区已直接限制或禁止比特币 ATM 运营。 一季度营收同比下降… pic.twitter.com/AFvVy3u7mg — PANews丨APP全面升级 (@PANews) May 18, 2026 A Change in Regulation Kills the Bitcoin ATM Business Model The rapid increase in its regulatory landscape is at the core of Bitcoin Depot, which has fundamentally destroyed the feasibility of its operations. The CEO of the company has pointed out that tightening compliance mandates in several U.S. states have led to a sharp increase in operational costs. In some regions, regulators have taken it a step further by banning Bitcoin ATM services or introducing crippling restrictions. Such regulatory interventions have stifled Bitcoin Depot’s ability to grow, turning a simple retail operation into a fragmented and heavily regulated business. Bitcoin ATMs, which allow consumers to buy or sell digital currency for cash, have existed in the compliance twilight between financial services and technology for years. Governments are closing these gaps, especially through improved AML and KYC regulations, but that leaves operators, like Bitcoin Depot, with pressure to continue making a profit. This behavior is indeed part of a larger industry trend, where more well-defined regulatory frameworks are often accompanied by increased enforcement and steadily rising compliance costs. A Collapse in Revenue Suggests a Deeper Financial Hole Such regulatory pressures have had a visible impact on the earnings of Bitcoin Depot which came up as criticism against cryptocurrencies. It reported that its first-quarter revenue fell 49.2% to $136,000 on a year-over-year basis, highlighting the weakening market and pressure on operations. But more notable is the swing in profitability: from a net profit of $12.2 million in the same quarter last year to a net loss of $9.5 million this time around. That reversal shows just how quickly the tides can turn in crypto land. What was once a sustainable business model is proving ever harder to maintain as user behaviour and regulatory expectations change. Security Breach Adds To Mounting Challenges On top of Bitcoin Depot’s economic and regulatory challenges, a security breach that shook faith in the platform even further weighed on its plans. In April, the firm revealed that it lost a total of about $ 3.7 million by means of a hack. The timing around the incident was also particularly poor, with not a lot of details revealed from the full story. The breach came on the heels of revenue declines and a strengthening regulatory scrutiny making their precarious position even riskier. Crypto-Firms suffer from severe fallout after any security breach. They can erode user trust, attract regulatory scrutiny, and expose operational vulnerabilities, all of which are likely contributing to the challenges Bitcoin Depot currently faces. ZachXBT Questions Reporting and Business Practices ZachXBT, a well-known on-chain analyst, has also taken issue with Bitcoin Depot and what it called reaction to the ongoing situation. ZachXBT also referenced a three-day lag between the exploit of $3.6 million in the company, before it was disclosed by way of analysis in the ZachXBT investigation thread. The time lag also poses critical challenges to transparency and incident response protocols, which are crucial to upholding stakeholder trust in the crypto ecosystem. Interesting timing. I recently exposed Bitcoin Depot for a 3 day time gap in reporting a $3.6M exploit and highlighted how its Bitcoin ATM business depends on predatory practices via user fraud. pic.twitter.com/yMR0n8bLHC — ZachXBT (@zachxbt) May 18, 2026 Apart from the delay in reporting, ZachXBT noted deep-seated concerns about how profit is made by Bitcoin ATMs in the first place. According to his report, the industry at times has opened the door for scams and cons by providing a way to vulnerable users. On top of the financial problems and regulatory headaches at Bitcoin Depot, these allegations represent a challenge to its reputation bubble. Global Shutdown Reflects Broader Industry Shift The loss of over 9,000 machines worldwide is among the largest shrinkage events in Bitcoin ATM industry history for Bitcoin Depot. In what was perhaps the peak of their power and influence, at that time a massive proportion of the world’s entire crypto ATM estate (outside traditional exchanges) consisted of this company’s ATMs giving real world access to users. Its fall is an indication of a larger shift in the way users use cryptocurrency markets. The increasing professionalism of mobile applications, centralized exchanges and decentralized finance (DeFi) pave the way for gradually reducing the function of physical ATMs. This trend, in combination with regulatory obstacles, is forcing the Bitcoin ATM model into a question mark in the long term. The Bitcoin Depot episode may, in the end, be the watershed moment, not just for an individual outfit but for an entire swath of the crypto ecosystem. Industry Faces Critical Moment As Pressures Converge At the same time that Bitcoin Depot’s bankruptcy is the story of one company going under, it represents a convergence of forces, increasing regulation, changing user behavior, new risks to security and business conduct being more thoroughly monitored, about altering the path of the future for crypto. The implications for companies in related fields are obvious. Adaptation is imperative. Complex regulatory landscapes need to be navigated, security infrastructures secured and transparency maintained for firms to remain viable. At the same time, the industry has to grapple with the more systemic ramifications of these changes. With cycle weaning physical access centers like BTC ATMs, the methods by which users engage with cryptos are developing permanently, and rethinking the market of a year from now or more down the road. The rise of Bitcoin Depot, long a story of blisteringly fast growth, is now a more cautionary tale. It highlights the speed with which momentum can turn against firms in crypto, and how sensitive proven business models can be to exogenous shocks. Disclosure: This is not trading or investment advice. Always do your research before buying any cryptocurrency or investing in any services. Follow us on Twitter @nulltxnews to stay updated with the latest Crypto, NFT, AI, Cybersecurity, Distributed Computing, and Metaverse news !











































