THORChain, a decentralized cross-chain liquidity protocol, halted trading and signing functions after attackers drained an estimated $10.8 million in a multi-chain exploit. The attack affected Bitcoin, Ethereum, BNB Smart Chain, and Base, according to blockchain analytics firm Arkham Intelligence.
Security firms and blockchain investigators quickly traced suspicious cross-chain swaps as THORChain node operators activated emergency solvency measures.
Blockchain security firm Cyvers, a real-time Web3 threat detection platform, flagged the activity on X, reporting approximately $7.2 million initially in suspicious transactions involving the THORChain router across Bitcoin, Ethereum, BSC, and Base networks.
Cyvers said the stolen assets — including USDT, USDC, WBTC, DAI, THOR, LUSD, XRUNE, GUSD, AAVE, LINK, and FOX, were converted into ETH and moved to a single wallet address.
Pseudonymous blockchain investigator ZachXBT confirmed the incident on Telegram and described it as a likely coordinated multi-chain exploit. On-chain analytics platform Lookonchain subsequently shared Arkham Intelligence data on X, revealing the exploiter’s wallets held a combined $10,806,345 — broken down as 3,443 ETH ($7.77M), 36.854 BTC ($2.97M), and 96.588 BNB ($66.13K).The Arkham data indicated the total stolen was significantly higher than Cyvers’ initial estimate, as it included BTC and BNB holdings not captured in the earliest alert.
THORChain halts multiple networks
THORChain node operators moved quickly after automated solvency systems detected unusual activity across the network. The protocol paused trading on Ethereum, Avalanche, BNB Smart Chain, Base, Dogecoin, Gaia, Bitcoin, Litecoin, Solana, Tron, and XRP. The team also activated Mimir, THORChain’s governance parameter system, to halt trading, stop signing functions, and freeze validator churn while investigators reviewed the exploit.
THORChain later widened the restrictions using HALTTRADING, HALTSIGNING, and HALTCHAINGLOBAL commands. A node pause was activated for approximately 12 hours and 42 minutes from block 26190429, according to on-chain data. The move temporarily blocked users from accessing swaps and liquidity services across the platform. As of publication, THORChain has not released a post-mortem identifying the specific attack vector.
THORChain allows users to swap native assets directly between blockchains without centralized exchanges or wrapped tokens. The protocol relies on liquidity pools and its native RUNE token to process transactions and incentivize node operators.
The exploit raised concerns about the security of cross-chain infrastructure — a category that has suffered more than $2.8 billion in cumulative bridge-related theft since 2021, according to blockchain data firm Chainalysis.
DeFi security crisis deepens
RUNE, THORChain’s native token, fell approximately 12% after news of the exploit spread, dropping from above $0.58 to around $0.50, according to CoinGecko data. Daily trading volume surged past $29 million as investors reacted to the incident.
The exploit also reignited scrutiny of THORChain’s role in the broader DeFi security landscape. The protocol has previously been identified as a preferred route for moving illicit funds, with on-chain analysts linking it to the laundering of proceeds from the Bybit hack ($1.2 billion+), the KelpDAO exploit ($292 million), the Balancer exploit ($120 million), and the FTX exploiter ($124 million). THORChain has maintained a stance of neutrality, stating it does not censor or discriminate against transactions.
The THORChain incident follows a recent exploit involving DeFi protocol INK Finance on Polygon, a layer-2 scaling network. Attackers reportedly exploited a controller logic vulnerability and stole about $140,000 in USDT, a dollar-pegged stablecoin. Blockchain security firm Blockaid said weak contract authentication, not compromised private keys, caused the breach.
The latest attacks add to growing security concerns across decentralized finance. More than 40 crypto protocols have shut down in 2026, while hackers have stolen over $770 million during the year, according to data from Immunefi and DefiLlama. In April alone, decentralized perpetual exchange Drift Protocol and liquid restaking protocol KelpDAO together accounted for over $600 million in losses. April 2026 also recorded the highest number of crypto hacking incidents on record.
Also Read: Ranger Finance Winds Down Following Drift Exploit and Funding Crisis
