TAC, a cross-chain protocol that marketed itself as a bridge between TON and Ethereum, has now clarified that its $2.8 million exploit from May 12 is a white hat event, after the hacker apparently took the team’s offer to keep 10% of the “moved” funds in exchange for returning the rest to its multisig wallets.
According to TAC’s disclosures of the event, the exploit targeted the TON side of its cross-chain layer, draining funds across USDT, BLUM, and tsTON. TAC said the vulnerability was isolated to native TON Jettons bridged from the TON network, and that the TAC token itself, TON, and all ERC-20 tokens were unaffected. The TAC token has taken a beating since the exploit, with the price dropping more than 21% over the last week. Market cap is down to $79 million from over $91 million before the May 12 disclosure of the hack.
TAC reclassifies hack incident as white hat incident
TAC first disclosed that it had been hacked on May 12. The message from the team on X claimed that it had paused the bridge after receiving reports from security partners. The team quickly moved to allay fears by insisting that the issue was limited in scope, affecting only a subset of bridged assets rather than the protocol’s broader infrastructure. The TAC team gave an insight into how it would handle the coming days.
The TAC Protocol team said: “Our focus is on making users whole and fully restoring bridge liquidity through a legally structured sale of Foundation’s TAC token treasury reserves.” By May 14, TAC had positive news to share. The team said that after the exploiter took its offer to return funds to the designated multisig wallet on Ethereum and a corresponding address on TON, it came to the decision not to pursue litigation, a decision that it coordinated with its security partners and law enforcement.
With the refunds, the TAC Protocol hack quickly went from exploit to white hat incident, with a 10% bounty offered up as an incentive, which comes to about 13 ETH + 300ZEC. It is standard practice in Web3 to offer hackers a percentage of stolen funds in exchange for returning the majority of the loot. Transit Finance took a page from that book earlier this week after it lost $1.88 million from a deprecated TRON smart contract. The team sent a message to the hacker, offering a percentage of the stolen funds as a bug bounty.
TAC’s exploit adds to a pattern of bridge and cross-chain vulnerabilities in early May 2026. Transit Finance attributed its breach to a contract that had been deprecated since 2022 but still held exploitable code. Security firm GoPlus Security flagged two private key compromises on May 12 totaling $238,000, and blockchain security company Blockaid identified a $456,000 exploit on Aurellion Labs’ uninitialized Diamond proxy contract on Arbitrum, according to a Cryptopolitan report.
The losses follow a rough April. CertiK reported approximately $651 million lost to exploits across the sector that month, the highest since March 2022, when excluding the Bybit incident in February 2025. The KelpDAO bridge exploit ($293 million) and Drift Protocol hack ($285 million) accounted for most of April’s damage. TAC Protocol’s bridge remains paused. The team has not disclosed a timeline for resuming operations, but it said it will direct the remaining balance, minus the white hat bounty, to its multisig wallets.
