The first signal that something was off arrived just after 09:45 UTC on Friday, May 15. On-chain investigator ZachXBT, who has built a reputation on being early to almost every major DeFi incident of the past two years, posted a short note flagging unusual outflows from THORChain’s Asgard vaults. His initial estimate was around $7.4 million. Within a couple of hours, that number had climbed to $10.8 million, and the protocol that bills itself as the decentralized exchange for every chain had quietly entered crisis mode.
By the time most of the crypto market in Asia logged on for the day, THORChain had paused trading, swaps, liquidity actions, and signing across the network. RUNE, the protocol’s native token, was already in freefall. And a much harder conversation about the cryptographic plumbing of cross-chain DeFi — the part nobody outside a handful of researchers really wants to think about — was being forced into the open.
What looked at first like an opportunistic strike now appears to have been something else entirely. New forensic findings from Chainalysis, published the day after the exploit, suggest the attacker was preparing this operation for weeks: moving personal funds through Monero, Hyperliquid, and Arbitrum well before a single dollar was stolen. This was not a smash-and-grab. It was a planned operation, and it deserves to be understood properly.
The Protocol: Why THORChain Matters in the First Place
For those who have not paid close attention to THORChain since its 2021 launch, a short orientation is in order.
THORChain is the closest thing the industry has to a working answer to a question that has haunted DeFi from the beginning: how do you swap native Bitcoin (BTC) for native Ethereum (ETH) without trusting a custodian, without wrapping the asset, and without relying on a centralized bridge? Its answer is the Asgard vault system: pools of real, native assets held collectively by a rotating set of node operators. When a swap happens, a quorum of those operators must cooperate to sign the outgoing transaction. No single node ever holds the full private key; each holds only a share, and the signature comes out of a multi-party protocol in which the whole key is never assembled on any one machine. The scheme is GG20, the Gennaro-Goldfeder threshold ECDSA protocol, which THORChain runs through its own fork of Binance's tss-lib.
That is the theory, at least. And on paper, it is one of the more elegant designs in the space. THORChain has processed billions in volume, survived several earlier exploits, and become the default rail for moving large amounts of native crypto across chains without an intermediary.
It has also become something else: a laundering venue. Because it enables seamless conversion between, say, stolen ETH and native BTC, it has been heavily used by sophisticated threat actors. The protocol was used to launder a significant portion of the $1.5 billion Bybit hack proceeds in February 2025, and again to move funds from the $300 million KelpDAO hack in April 2026 — where the Lazarus Group reportedly pushed roughly $175 million in stolen ETH through THORChain in a 36-hour window. Leadership has historically declined to censor transactions at the protocol level, citing a commitment to permissionless infrastructure; a stance that has earned both ideological respect and regulatory scrutiny.
So when an attack came, it landed on a piece of infrastructure that is genuinely important to the industry, with a complicated history.
The Attack: A Newly Churned Node and a Known Cryptographic Weakness
What the on-chain forensics suggests happened on May 15 is, in retrospect, almost clinical in its design.
Investigators have flagged a single recently churned validator — referenced in THORChain’s incident update as thor16ucjv3v695mq283me7esh0wdhajjalengcn84q — as the likely entry point. “Churning” in THORChain terms is the regular process by which the active validator set rotates; the node in question had joined the active set only days before the exploit. That timing is not incidental.
The working theory, supported by analysis from PeckShield, Cyvers, and security teams now collaborating with the THORChain core developers, is that the operator (or a compromised machine acting as the operator) exploited a vulnerability in THORChain's GG20 threshold-signature implementation. Rather than a single dramatic key compromise, the attack appears to have involved the gradual leakage of the other nodes' key-share material across keygen or signing rounds: a malicious participant feeds the protocol malformed zero-knowledge proofs that the implementation fails to reject, and each round reveals a little more about the honest parties' shares. That is the malformed-proof attack class that the TSSHOCK disclosures against several GG18/GG20 libraries put on the industry's radar in 2023.
Once enough of that share material had been recovered offline to cross the signing threshold, the attacker held the vault's full private key and could produce valid outbound signatures without the cooperation of the other node operators, so the quorum rule had nothing left to enforce. From the network's perspective the transactions carried correct signatures from the vault. They were not authorized by it.
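To make the threshold property concrete, here is a toy model, added for this article and not code from THORChain, tss-lib or the GG20 paper. Shamir secret sharing over the secp256k1 group order stands in for GG20's distributed key generation; the sharing threshold, the share count and the "leaked share ids" are assumptions of the illustration. GG20 never assembles the secret during honest operation, which is exactly why leaking a threshold of shares is the same as stealing the vault key.

```python
"""Toy t-of-n key sharing over the secp256k1 group order.

Added illustration (not THORChain, tss-lib or GG20 code): Shamir sharing
stands in for the distributed key generation GG20 performs, so the point
'no single node holds the full key, but any t shares are the key' can be
checked directly. Real GG20 nodes never reconstruct the secret; the attack
the article describes is equivalent to an outsider learning t shares."""
import secrets

# Order of the secp256k1 group (a public curve constant).
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def split_key(secret, t, n, rng=secrets.randbelow):
    """Split `secret` into n shares of which any t reconstruct it.

    Shares are points (x, f(x)) on a random degree t-1 polynomial with
    f(0) = secret, all arithmetic mod N. `rng` is injectable for tests.
    """
    if not 1 <= t <= n:
        raise ValueError("need 1 <= t <= n")
    coeffs = [secret % N] + [rng(N) for _ in range(t - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation mod N
            y = (y * x + c) % N
        shares.append((x, y))
    return shares


def reconstruct(shares):
    """Lagrange interpolation at x = 0 over GF(N). Gives the secret only
    if at least as many shares as the threshold are supplied."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % N
                den = den * (xi - xj) % N
        total = (total + yi * num * pow(den, -1, N)) % N
    return total


def attacker_recovers(shares, leaked_ids, t):
    """Model of leakage: the attacker has learned the shares whose ids are
    in `leaked_ids` (hypothetical: e.g. extracted across signing rounds).
    Returns the recovered key, or None while still below threshold."""
    got = [s for s in shares if s[0] in leaked_ids]
    if len(got) < t:
        return None
    return reconstruct(got[:t])


if __name__ == "__main__":
    key = secrets.randbelow(N - 1) + 1
    shares = split_key(key, 3, 5)
    assert reconstruct(shares[2:5]) == key       # any 3 of 5 shares: the key
    assert reconstruct(shares[:2]) != key        # 2 shares: an unrelated value
    assert attacker_recovers(shares, {1, 2}, 3) is None
    assert attacker_recovers(shares, {1, 3, 5}, 3) == key
    print("t-1 shares leak nothing; t shares are the whole vault key")
```

Any t-1 shares interpolate to a value unrelated to the key, so a node's own share proves nothing on its own; the t-th share is what turns the collection into the vault's signing key, and that is the quantity a malformed-proof leak has to accumulate round by round.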
Arkham Intelligence and PeckShield have since traced the stolen assets to a small cluster of attacker wallets holding roughly:
| Chain | Amount Stolen | Approx. USD Value |
|---|---|---|
| Ethereum | 3,443 ETH | $7.77 million |
| Bitcoin | 36.85 BTC | $2.97 million |
| BNB Chain | 96.6 BNB | $66,000 |
| Base | Various assets | Remainder |
The total comes to approximately $10.8 million, drained from one of the protocol’s six Asgard vaults in a coordinated multi-chain sweep designed to maximize speed before detection. Small test transactions preceded the larger movements, a common signature of a well-prepared operator confirming that the exploit works before committing to it.
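The probe-then-sweep pattern described above is straightforward to alert on if vault outflows are watched per vault and per chain. The detection rule below is an added example, not THORChain's monitoring code; the vault names, addresses, amounts and timestamps in SAMPLE are constructed to mirror the shape of the incident, and the thresholds are assumptions to be tuned to the size of the pools being watched.

```python
"""Probe-then-sweep detection over vault outbound transfers.

Added example (not THORChain monitoring code): given a feed of outbound
transfers per vault, flag a vault where a tiny transfer is followed, within
a short window, by large multi-chain outflows. SAMPLE is constructed;
vault names and addresses are placeholders, thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Outbound:
    ts: datetime
    chain: str
    vault: str
    to: str
    usd: float


def find_probe_then_sweep(events, probe_max_usd=1_000.0, sweep_min_usd=1_000_000.0,
                          window=timedelta(minutes=60), min_chains=2):
    """Return at most one alert per vault.

    An alert fires when an outflow no larger than `probe_max_usd` is followed,
    within `window`, by outflows totalling at least `sweep_min_usd` that span
    at least `min_chains` distinct chains."""
    by_vault = defaultdict(list)
    for e in events:
        by_vault[e.vault].append(e)
    alerts = []
    for vault, evs in by_vault.items():
        evs.sort(key=lambda e: e.ts)
        for i, probe in enumerate(evs):
            if probe.usd > probe_max_usd:
                continue
            after = [e for e in evs[i + 1:] if e.ts - probe.ts <= window]
            total = sum(e.usd for e in after)
            chains = sorted({e.chain for e in after})
            if total >= sweep_min_usd and len(chains) >= min_chains:
                alerts.append({
                    "vault": vault,
                    "probe": probe,
                    "total_usd": total,
                    "chains": chains,
                    "first": after[0].ts,
                    "last": after[-1].ts,
                })
                break  # one alert per vault is enough to page someone
    return alerts


T0 = datetime(2026, 5, 15, 9, 0)
SAMPLE = [
    # vault-A: ordinary swap traffic, including a small swap that is not a probe
    Outbound(T0 + timedelta(minutes=5), "ethereum", "vault-A", "0xuser1", 42_000.0),
    Outbound(T0 + timedelta(minutes=12), "bitcoin", "vault-A", "bc1user2", 300.0),
    Outbound(T0 + timedelta(minutes=25), "ethereum", "vault-A", "0xuser3", 18_500.0),
    Outbound(T0 + timedelta(minutes=40), "base", "vault-A", "0xuser4", 9_200.0),
    # vault-B: $150 probe to one recipient, then a multi-chain sweep (constructed)
    Outbound(T0 + timedelta(minutes=20), "ethereum", "vault-B", "0xattacker", 150.0),
    Outbound(T0 + timedelta(minutes=31), "ethereum", "vault-B", "0xattacker", 7_770_000.0),
    Outbound(T0 + timedelta(minutes=33), "bitcoin", "vault-B", "bc1attacker", 2_970_000.0),
    Outbound(T0 + timedelta(minutes=36), "bnb", "vault-B", "0xattacker", 66_000.0),
    Outbound(T0 + timedelta(minutes=38), "base", "vault-B", "0xattacker", 10_000.0),
]

if __name__ == "__main__":
    for a in find_probe_then_sweep(SAMPLE):
        print(f"{a['vault']}: probe {a['probe'].usd:.0f} USD at {a['probe'].ts:%H:%M}, "
              f"then {a['total_usd']:,.0f} USD across {a['chains']} by {a['last']:%H:%M}")
```

The rule is deliberately coarse: it keys on size and breadth rather than on addresses, so it still fires when the sweep goes to a fresh wallet per chain. The cost is that a large legitimate withdrawal following a dust swap will also trip it, which is why `sweep_min_usd` has to be set relative to the vault's normal hourly outflow.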
One detail worth emphasizing: user-controlled funds were not touched. Wallets, personal liquidity positions managed individually, and external assets remained safe throughout. The losses were entirely confined to protocol-owned liquidity inside the vaults, a meaningful distinction that almost certainly prevented a panic-driven bank run.
The Chainalysis Discovery: An Operation Built Weeks in Advance
The most significant update to this story did not come from THORChain. It came from Chainalysis, the blockchain analytics firm, in a thread posted on X a day after the exploit.
Chainalysis mapped out weeks of on-chain activity that ties the attacker to a deliberately constructed laundering route — one that was set up before the theft, not improvised after it. The picture that emerges is of a patient, professional operator who built the exit infrastructure first and then attacked.
According to Chainalysis, the operation began in late April, roughly two to three weeks before the exploit. Here is how the pre-attack setup unfolded:
- Monero entry. An attacker-linked wallet funded a position on Hyperliquid by depositing XMR through a Hyperliquid-Monero privacy bridge. Monero, with its built-in privacy guarantees, is a natural starting point for anyone trying to obscure the original source of funds.
- Hyperliquid conversion. The position on Hyperliquid was swapped into USDC.
- Arbitrum withdrawal. The USDC was withdrawn to Arbitrum, and from there bridged to Ethereum.
- Bonding the malicious node. Hundreds of thousands of dollars worth of ETH were then moved into THORChain, converted to RUNE and bonded for the newly churned validator node that is now believed to be the source of the compromise.
- The 43-minute fingerprint. Chainalysis traced the bridged ETH as it was split into four branches. One branch passed through an intermediary wallet and then, just 43 minutes before the theft, forwarded 8 ETH into the same wallet that would shortly receive millions of dollars in stolen funds. That single transfer is the closest thing the investigation has to a smoking gun linking the pre-attack wallets to the actual attacker address.
The other three branches ran in the opposite direction. On May 14 and 15 — in the hours and days leading up to the exploit — those wallets bridged ETH back to Arbitrum, deposited into Hyperliquid, and routed back to Monero using the same privacy bridge from the initial setup. The last of those transactions landed less than five hours before the attack began.
What that tells investigators is uncomfortable: the attacker had not only built a route in, but had already rehearsed the route out. The Hyperliquid-to-Monero path that funded the operation in late April is the same path that may now be used to cash out the stolen $10.8 million.
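The 43-minute link and the rehearsal branches are both graph questions over time-stamped transfers. The code below is an added example of how that tracing works, not Chainalysis tooling; every address, amount and timestamp in SAMPLE is constructed (FUND, B1 to B4, INTERMEDIARY, RECEIVER and the bridge labels are placeholders), and the only fixed input is the theft time used as the cut-off.

```python
"""Time-ordered transfer-graph tracing.

Added example (not Chainalysis tooling): given a list of transfers, find
the path from a known funding wallet to the address that later received
the stolen funds, and report how long before the theft the last hop landed;
separately, identify which branches of the funding split went back toward
the exit bridge instead. All addresses and amounts in SAMPLE are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_graph(transfers):
    """transfers: iterable of (ts, chain, src, dst, amount) -> adjacency by src."""
    g = defaultdict(list)
    for ts, chain, src, dst, amount in transfers:
        g[src].append((ts, chain, dst, amount))
    return g


def trace_funding(transfers, source, target, theft_ts):
    """BFS from `source` where every hop is strictly later than the previous
    one and earlier than the theft. Returns (path, gap_before_theft, last_hop)
    for the path whose final hop lands closest before `theft_ts`, else None."""
    g = build_graph(transfers)
    best = None
    queue = deque([(source, None, [source])])
    while queue:
        node, since, path = queue.popleft()
        for ts, chain, dst, amount in g[node]:
            if (since is not None and ts <= since) or ts >= theft_ts or dst in path:
                continue
            new_path = path + [dst]
            if dst == target:
                gap = theft_ts - ts
                if best is None or gap < best[1]:
                    best = (new_path, gap, (ts, chain, amount))
            else:
                queue.append((dst, ts, new_path))
    return best


def exit_branches(transfers, source, exit_addr):
    """First-hop recipients of `source` from which `exit_addr` is reachable."""
    g = build_graph(transfers)

    def reaches(start):
        seen, stack = set(), [start]
        while stack:
            n = stack.pop()
            if n == exit_addr:
                return True
            if n in seen:
                continue
            seen.add(n)
            stack.extend(dst for _, _, dst, _ in g[n])
        return False

    return sorted({dst for _, _, dst, _ in g[source] if reaches(dst)})


THEFT = datetime(2026, 5, 15, 9, 45)


def before(minutes):
    """Timestamp `minutes` before the theft (negative = after)."""
    return THEFT - timedelta(minutes=minutes)


SAMPLE = [  # constructed; (ts, chain, src, dst, amount in ETH)
    (before(60 * 24 * 10), "ethereum", "arb-bridge-out", "FUND", 200.0),
    (before(60 * 24 * 9), "ethereum", "FUND", "B1", 50.0),
    (before(60 * 24 * 9), "ethereum", "FUND", "B2", 50.0),
    (before(60 * 24 * 9), "ethereum", "FUND", "B3", 50.0),
    (before(60 * 24 * 9), "ethereum", "FUND", "B4", 50.0),
    (before(60 * 24 * 2), "ethereum", "B1", "INTERMEDIARY", 20.0),
    (before(43), "ethereum", "INTERMEDIARY", "RECEIVER", 8.0),   # the 43-minute fingerprint
    (before(60 * 30), "ethereum", "B2", "arb-bridge-in", 40.0),    # exit rehearsals
    (before(60 * 20), "ethereum", "B3", "arb-bridge-in", 40.0),
    (before(60 * 5), "ethereum", "B4", "arb-bridge-in", 40.0),
    (before(-10), "ethereum", "vault", "RECEIVER", 3443.0),       # post-theft; ignored by cut-off
]

if __name__ == "__main__":
    path, gap, hop = trace_funding(SAMPLE, "FUND", "RECEIVER", THEFT)
    print(" -> ".join(path), f"| last hop {hop[2]} ETH, {gap} before theft")
    print("branches that reached the exit bridge:", exit_branches(SAMPLE, "FUND", "arb-bridge-in"))
```

The time-ordering constraint is what makes the result meaningful: a path whose hops run backwards in time is not a flow of funds, and without the theft cut-off the search would happily route through the stolen funds themselves.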
As of May 16, 2026, Chainalysis confirmed the stolen funds remained dormant. But the firm warned that this can change quickly — and that the attacker has now publicly demonstrated the technical sophistication to move funds across chains, through perpetuals exchanges, and into privacy protocols at will.
The Response: A 13-Hour Pause and the Mimir Module Doing Its Job
To the credit of THORChain’s design, the emergency response was fast and ran through the protocol’s own governance controls.
Node operators executed the “make pause” command, which the Mimir governance module honored immediately. At block 26190429, all trading, swaps, LP actions, signing, and sensitive operations were frozen. The pause was scheduled to lift at block 26191149, 720 blocks later, a window of roughly 12 hours and 42 minutes: long enough for the core team and external partners to begin a proper forensic review without giving the attacker more room to maneuver. As of the most recent update, the network remains partially paused, with contributors cautioning that a full restart may take several more days.
In parallel, the team activated what amounts to an incident response playbook that has been refined across multiple prior incidents:
- Forensics partnerships with THORSec and Outrider Analytics were stood up within hours.
- Real-time monitoring of the attacker wallets began immediately, with alerts shared across centralized exchanges and compliance teams.
- Law enforcement coordination is now active alongside the THORChain treasury team, according to contributors.
- Internal discussions on recovery opened on three fronts at once: slashing the malicious node’s bond (a substantial RUNE collateral penalty that the protocol can impose on misbehaving operators), absorbing losses through Protocol-Owned Liquidity (POL), and exploring community compensation mechanisms.
A recovery portal discussion has already surfaced on swap.thorchain.org for affected liquidity providers. Incident Update #1, released in the early hours of May 16, confirmed the malicious-node vector and committed the team to publishing a full technical post-mortem.
The decision to pause has not been universally welcomed. Critics have pointed out that THORChain has historically declined to use its emergency shutdown capability when the protocol was being exploited as a laundering rail for hundreds of millions in stolen funds from other hacks — most notably the Lazarus Group’s movement of ~$175 million in KelpDAO proceeds — but deployed it within hours when its own protocol-owned liquidity was at risk. Whether that reflects a genuine architectural distinction or a selective application of decentralization principles is a conversation THORChain will need to have publicly.
Additionally, in a second update on the exploit, THORChain said its initial investigation indicates that no user funds were lost and that the incident affected only protocol-owned assets. The team also warned users about fake social media accounts promoting fraudulent “refunds,” “airdrops,” and compensation claims, emphasizing that no such program is underway. THORChain contributors are continuing to investigate the incident with THORSec and external security partners, with further updates expected as the review progresses.
The Market Reaction: RUNE Punished, Cross-Chain DeFi Rattled
The price reaction was, predictably, ugly.
RUNE fell between 12% and 15% in the first 24 hours after the exploit, with the token’s market capitalization dropping by more than $27 million to around $182 million. Trading volume spiked on panic selling and a wave of short positions. The broader cross-chain DeFi category took a sympathetic hit, with several mid-cap tokens trading down on the assumption that if THORChain’s TSS layer could be compromised, others might not be far behind.
That last fear is the one worth taking seriously. The market is not pricing in just this incident — it is pricing in the possibility that GG20 implementations across the industry share enough common ground that a working exploit on one could inform attacks on others.
Cross-chain bridges and liquidity protocols have suffered more than $2.8 billion in cumulative thefts since 2021, according to Chainalysis. This incident does not move that needle dramatically. But it adds to a pattern that institutional capital, in particular, has been watching closely.
The Uncomfortable Pattern: Not THORChain’s First Crisis
It would be misleading to write about this incident without acknowledging that THORChain has a longer security history than most protocols of its size.
There were two separate exploits in July 2021, in rapid succession. There was a $200 million debt crisis in early 2025 that nearly broke the protocol’s solvency model, eventually resolved by converting defaulted obligations into a new equity-style token. In September 2025, founder John-Paul “JP” Thorbjornsen was personally targeted in a roughly $1.3 million exploit linked to suspected North Korean threat actors. Add in the May 15 incident, and cumulative direct losses targeting the protocol and its leadership now sit somewhere in the neighborhood of $25 million.
Each previous crisis was survived. The protocol has been rebuilt, patched, and shipped through it. But the cumulative weight of these events is a fair reason for liquidity providers to ask harder questions about validator vetting, hardware isolation, and the assumptions baked into the churn process — particularly the assumption that a node that has just joined the active set deserves the same trust as one that has been running cleanly for months.
The Chainalysis findings sharpen that question considerably. If an attacker can fund the bonding of a malicious validator through a Monero-laundered wallet and then exploit that node days later, the entire concept of permissionless validator entry needs a serious rethink.
If You Have Funds on THORChain, Here’s What to Do Right Now
There is no good reason to panic, and several reasons not to. But there are a handful of practical steps worth taking before the network fully resumes trading.
- Do not act on social media rumors. Phishing attempts and fake “recovery portals” tend to spike in the hours after any major DeFi incident. The only channels worth trusting right now are the official @THORChain account on X, the official Telegram, and announcements on swap.thorchain.org.
- Check your positions, but do not withdraw in a panic. If you had liquidity in an affected pool, watch for the formal recovery portal announcement. If your position was in an unaffected pool, your funds were never at risk in the first place.
- Hold off on RUNE trading decisions until the post-mortem. The full technical report will materially affect the market’s read on whether this was a one-off or a class of vulnerabilities. Trading the rumor is rarely the better move when the underlying facts are still being established.
- Audit your broader cross-chain exposure. This is the right week to look at every TSS-dependent protocol you have funds in and ask whether you are comfortable with the validator set, the audit history, and the bond requirements. If you cannot answer those questions, that is information.
- Revoke unused wallet approvals. Anyone with assets linked to THORChain-integrated routers, wallets, or liquidity pools should revoke unnecessary approvals as a precaution while the network is paused.
- Stay off any “recovery agent” offers. Anyone DMing you with an offer to recover lost funds for a fee is, with near certainty, running a secondary scam targeting known victims of the original incident. This pattern is now so consistent it should be treated as a rule.
The Bigger Picture: What This Means for TSS and Cross-Chain DeFi
The genuine lesson here is not “THORChain got hacked again.” It is something more specific and more uncomfortable.
GG20 is a battle-tested cryptographic scheme. It is also not invincible, and the bar for compromising a single high-stakes node in a permissionless system keeps quietly dropping as AI-assisted exploit discovery tools become more capable. The industry has known for years that newer protocols such as CGGMP21, and implementations of it such as cggmp24, are designed with stronger guarantees against malformed-proof attacks. One caveat worth keeping in view: the TSSHOCK findings were implementation-level defects in how proofs were built and checked, not a break of GG20’s underlying mathematics, so a migration only buys safety if the new code base is audited for the same class of missing validation. Yesterday’s events will almost certainly accelerate migration discussions across multiple protocols, not just THORChain.
A few questions that the next six months will probably answer:
- Will node operators face stricter hardware isolation and audit requirements before joining active validator sets?
The current churn model treats fresh nodes as functionally equivalent to seasoned ones the moment they go live. The Chainalysis findings, which show an attacker funding a malicious node through laundered Monero weeks before exploiting it, make that assumption look untenable.
- Will liquidity providers demand insurance buffers or larger POL reserves as a precondition for providing depth?
Protocol-owned liquidity is the cleanest answer to “who absorbs the loss?” but it has limits.
- Will the industry coalesce around a shared standard for TSS implementations, audits, and disclosure?
Right now, every major cross-chain protocol is essentially running its own homegrown variant. That is not a sustainable security posture.
- What happens when privacy protocols and perpetuals exchanges become the standard exit infrastructure for crypto theft?
Chainalysis’s Hyperliquid-Monero trail is not a one-off. It is a template, and other attackers are watching.
THORChain’s rapid, decentralized response stands in genuine contrast to how many centralized or semi-centralized protocols have handled similar incidents. If the team slashes the malicious bond cleanly, restores liquidity without forcing haircuts on LPs, and ships a credible patch, the protocol may come out of this with its reputation for resilience reinforced rather than damaged.
That is not the most likely outcome. But it is a possible one, and it is worth watching for.
What Comes Next
The Crypto Times will continue tracking the technical post-mortem, the recovery portal announcement, and the fate of the suspected malicious node operator. The full forensic report is expected within days, and it should answer the open questions about exactly how the GG20 implementation was exploited, whether the vulnerability is unique to THORChain’s fork or shared across other tss-lib derivatives, and what specific hardening measures will follow.
Equally important is what happens to the stolen $10.8 million. With Chainalysis now publicly mapping the attacker’s Hyperliquid-Monero exit infrastructure, every centralized exchange and bridge in that path has been put on notice. Whether the funds move, when they move, and through which routes will tell us a great deal about how prepared the industry is to intercept sophisticated cross-chain laundering in real time.
For now, the network is preparing to resume basic chain observation and RUNE transfers, with full trading expected back once the investigation confirms no ongoing risk. The $10.8 million may already be on the move by the time the next update goes out. The question that matters more is whether the protocol’s cryptographic foundation has been properly understood and patched by the time it comes back online.
