Blockchain analytics firm Chainalysis has mapped weeks of on-chain activity linking the THORChain attacker to a calculated cross-chain laundering operation involving Monero, Hyperliquid, and Arbitrum, all set up well before the $10.8 million theft.
Chainalysis shared its findings on X on Friday, revealing that wallets likely connected to the attacker spent weeks moving personal funds through privacy-focused routes before executing the exploit. The on-chain trail ties those wallets directly to the address that later received millions in stolen funds.
Monero was the starting point
According to Chainalysis, the operation began in late April when an attacker-linked wallet funded a position on Hyperliquid by depositing XMR through a Hyperliquid-Monero privacy bridge. That position was then swapped for USDC, withdrawn to Arbitrum, and bridged over to Ethereum.
From Ethereum, hundreds of thousands of dollars worth of ETH were bridged into THORChain to bond RUNE for a newly churned validator node. This node is currently believed to be the source of the compromise. Some of the RUNE was then bridged back into ETH.
Direct wallet link to the attacker
Chainalysis said the bridged ETH was split into four branches. One of those branches connects directly to the attacker. It first passed through an intermediary wallet, and then, just 43 minutes before the theft, 8 ETH was forwarded into the wallet where the attacker would shortly receive millions of dollars worth of stolen funds.
The other three branches ran funds in the opposite direction. On May 14 and 15, those wallets bridged ETH to Arbitrum, deposited into Hyperliquid, and then routed back to Monero using the same privacy bridge from the initial setup. The last of those transactions landed less than five hours before the attack began.
Stolen funds remain dormant, but the exit path is clear
As of Friday afternoon, the stolen funds are sitting dormant. But Chainalysis warned that this could change quickly. The attacker has already demonstrated the ability to execute a sophisticated cross-chain laundering operation, and the same Hyperliquid-to-Monero path observed in the days leading up to the theft remains one possible next move.
What we know so far about the THORChain exploit
The Chainalysis findings add a new forensic layer to an incident that has been unfolding since May 15. THORChain contributors said in an incident update on Friday that the leading theory points to a vulnerability in the protocol’s GG20 threshold signature scheme (TSS).
Investigators believe a newly churned validator node exploited this weakness, allowing sensitive key material to leak over time. With enough fragments exposed, the attacker could have reconstructed a vault private key and signed unauthorized outbound transactions from the vault.
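The reconstruction step in that theory is easiest to see with the arithmetic underneath threshold signing. In GG20, each signer holds a Shamir-style share of the vault's ECDSA private key: any threshold-sized subset of shares determines the key, while fewer shares reveal nothing about it. The Python below is an added illustration written for this article, not THORChain or tss-lib code and not the GG20 flaw itself: it splits a key over the secp256k1 scalar field and shows that t shares recover it while t-1 shares yield an unrelated value. The vault key, the 3-of-5 threshold and the set of "leaked" share indices are constructed for the example.

```python
import secrets

# Order of the secp256k1 group: an ECDSA private key, and every share of it,
# is an integer modulo this value.
SECP256K1_ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Constructed example key for the demonstration; any value in [1, q) would do.
EXAMPLE_VAULT_KEY = 0x0C28FCA386C7A227600B2FE50B7CAE11EC86D3BF1FBE471BE89827E19D72AA1D


def split_secret(secret, threshold, n_parties, q=SECP256K1_ORDER, rng=secrets.randbelow):
    """Shamir (threshold, n) split: shares are points on a random polynomial of
    degree threshold-1 whose constant term is the secret."""
    if not 1 <= threshold <= n_parties < q:
        raise ValueError("need 1 <= threshold <= n_parties < q")
    coeffs = [secret % q] + [rng(q) for _ in range(threshold - 1)]

    def poly(x):
        acc = 0
        for c in reversed(coeffs):  # Horner evaluation mod q
            acc = (acc * x + c) % q
        return acc

    return [(x, poly(x)) for x in range(1, n_parties + 1)]


def reconstruct_secret(shares, q=SECP256K1_ORDER):
    """Lagrange-interpolate the shares' polynomial at x = 0.
    Returns the secret only when at least `threshold` distinct shares are given;
    with fewer shares it returns a value unrelated to the secret."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    secret = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % q
                den = den * (xi - xj) % q
        secret = (secret + yi * num * pow(den, -1, q)) % q
    return secret


def attacker_view(shares, leaked_indices, threshold, secret):
    """Model a malicious validator that has learned some peers' shares and
    report whether that is enough to recover the vault key."""
    leaked = [s for s in shares if s[0] in leaked_indices]
    guess = reconstruct_secret(leaked) if leaked else None
    return {"leaked": len(leaked), "threshold": threshold, "key_recovered": guess == secret}


if __name__ == "__main__":
    shares = split_secret(EXAMPLE_VAULT_KEY, threshold=3, n_parties=5)
    print(attacker_view(shares, {1, 2}, 3, EXAMPLE_VAULT_KEY))     # two shares: not recovered
    print(attacker_view(shares, {1, 3, 5}, 3, EXAMPLE_VAULT_KEY))  # any three: recovered
```

The point for the incident is the last line: which three validators leaked does not matter, only that the count reached the threshold. In a real GG20 deployment the shares are never assembled in one place by design; the leading theory is that the attacker's node extracted enough of its peers' key material through the protocol's messages to do that assembly itself.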
The node in question, identified as thor16ucjv3v695mq283me7esh0wdhajjalengcn84q, joined the active validator set several days before the incident. Ethereum addresses used to acquire and bond RUNE for that node appear connected to addresses that later received stolen funds, according to THORChain developers.
The network remains partially paused. Trading, liquidity provider actions, and transaction signing are suspended while node operators discuss recovery options, including slashing the bonds of affected vault participants and tapping protocol-owned liquidity (POL) to cover losses. Contributors have cautioned that a full restart may take several days.
The exploit was first reported on May 15, when security firm Cyvers and on-chain investigators flagged suspicious outbound transactions across Bitcoin, Ethereum, BNB Chain, and Base. Initial estimates placed the total loss at approximately $10.8 million, with stolen assets consolidated into wallets holding ETH, BTC, and BNB.
THORChain’s treasury team is working with THORSec, Outrider Analytics, and law enforcement agencies to identify the attacker and recover what it can.
