THORChain was exploited today (May 15th, 2026) for ~$10M across 4 chains: Bitcoin, Ethereum, BSC and Base. The details are still developing but I will cover everything that is known along with the timeline of how it all went down.
ZachXBT flagged it first. Cyvers had pinged the initial $7.2M of suspicious activity before that, and KuCoin's flash headline that hour read literally "THORChain Router Suspected of Attack."
THORChain's official X account posted:
"There are claims of a potential vulnerability with a THORChain dependency that may affect THORChain. Out of an abundance of caution, trading has been paused while an investigation is undertaken."
Trading was subsequently halted at block 26190429, following the decentralized protocols in place that let nodes and community members flag suspicious activity on the network.
RUNE is down from roughly $0.58 to $0.50, a 12% dip.
I am a fervent supporter of the crosschain industry. I have long said that the future of crypto is multi-chain. You should be able to move your crypto from any chain, anywhere and at any time. THORChain is a critical piece of infrastructure in this future as it is one of the top decentralized protocols that enables crosschain trading without compromises.
I am therefore a major supporter of THORChain. I will keep this post largely focused on the events of today and leave my personal note on THORChain by saying this: the teams, community and node operators are super talented and have been through trials time and time again. Building financial rails means that you are operating in a space where people are ALWAYS trying to hack you. This is inevitable. How you react to it is what matters.
What Happened
The protocol just shipped v3.18.0 on May 14, the day before. However, it doesn't appear that this is related in any way to today's exploit.
The attacker now controls:
- 3,443 ETH (~$7.77M)
- 36.85 BTC (~$2.97M) bc1ql4u94klk265lnfur2ujk9p6uh52f2a8jhf6f37
- 96.6 BNB (~$66K) 0xd477b69551f49C0519F9B18c55030676138890Bd
Arkham Intelligence has mapped the holdings and there haven't been any moves yet.
JP (Co-Founder of THORChain) said on X that this was likely a GG20 TSS exploit:
"Malicious node churns in, extracts key material from other nodes, compiles a private key and can sweep the vault."
But Isn't THORChain Decentralized?!
The fight over decentralization in the crypto space is a heated one. A lot of people love to call each other out for not being decentralized. In THORChain's case, the reason this exploit was possible in the first place is that THORChain is so decentralized.
From the current understanding of the hack, the Asgard vault model is what was exploited. THORChain does not run a bridge in the conventional sense. It runs validators that jointly custody real assets on every supported chain, with 2/3 of nodes signing via a threshold signature scheme (the "TSS" JP mentioned above).
Asgard vaults are the big pooled vaults. They hold the majority of TVL. On EVM chains a smart contract called the Router sits in front, accepts inbound deposits, sweeps them to Asgard and processes swaps.
Elegant on paper. In practice it makes Asgard the highest-value target in DeFi that isn't a centralized exchange. The honeypot is permanently on the table. This is EXACTLY how a decentralized protocol operates and it causes a "for better or worse" dynamic. When you are centralized, you can easily obfuscate attack surfaces. When you are decentralized - as THORChain is - you are putting it all out in the open.
The previous 2021 exploits on THORChain found bugs in the Router. This appears to be related to vault signing.
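To make the 2/3 threshold and JP's "compiles a private key" remark concrete, here is an added example (not THORChain's code and not from the original post) that models vault key shares with plain Shamir secret sharing. A real GG20 deployment never assembles the key during signing; the node count, field modulus and key below are constructed assumptions used only to show why share secrecy is the whole security boundary.

```python
# Added illustration: Shamir t-of-n sharing over a prime field, a simplified
# stand-in for the key shares a threshold signature scheme hands to nodes.
# Node count, modulus and key are constructed values, not THORChain's.
import secrets

P = 2**255 - 19  # prime field modulus picked for the demo (assumption)


def threshold(n):
    """Smallest share count that is at least 2/3 of n nodes: ceil(2n/3)."""
    return (2 * n + 2) // 3


def split(secret, n, t):
    """Return n shares (x, f(x)) of a random degree t-1 polynomial, f(0)=secret."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of f(x) mod P
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def combine(shares):
    """Lagrange-interpolate the given shares at x=0."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def demo(n=9):
    t = threshold(n)
    vault_key = secrets.randbelow(P)  # constructed stand-in for a vault key
    shares = split(vault_key, n, t)
    at_threshold = combine(shares[:t]) == vault_key         # t shares: key recovered
    below_threshold = combine(shares[:t - 1]) == vault_key  # t-1 shares: unrelated value
    return t, at_threshold, below_threshold


if __name__ == "__main__":
    print(demo())
```

With 9 nodes the threshold is 6: any 6 shares yield the key, while 5 interpolate to an unrelated value, which is why key material must never leave the node that holds it.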
What I Want to See in the Next 72 Hours
Two questions matter and nothing else:
First, what was the actual vector? If this is a fresh class of bug, it patches and the protocol becomes stronger moving forward. It's an expensive way to QA test but when you are building a real decentralized DEX, you get the good and the ugly of being out in the open.
Second, can the treasury absorb $10M without diluting RUNE holders? The protocol is much further along financially than it was four years ago. The vast majority of liquidity in the network is Protocol Owned Liquidity. I also believe that the crosschain space has evolved quite a lot. THORChain has recently released Rapid Swaps which have brought dramatically more efficient liquidity usage to the protocol alongside the previously released Streaming Swaps. These two innovations along with others mean that liquidity goes much further and this means that the protocol can scale + profit with significantly less capital.
This hack will likely lead to 0 loss of user funds whether that means capital in the protocol OR RUNE value in your wallet. The treasury will absorb the impact and because of the hyper-efficient use of liquidity, we'll see THORChain recoup the losses very quickly as trades resume and volume flows.
Crosschain liquidity is the most valuable unsolved problem in DeFi and THORChain is one of the few ecosystems that has solved it at scale and in a way that is decentralized. It is critical infrastructure for our industry and I want to see it succeed. Bumps like these happen all the time for the top protocols like Bitcoin and Ethereum. Taking the QA cost as a lesson to improve and pushing forward is what those protocols and THORChain have done in the past and I'm quite confident it will continue to do so.
Today does not change the value of the crosschain liquidity problem. It changes the discount the market puts on RUNE as an asset that backs a leading protocol in the space.
As for tracking THORChain, you can use the CrossChain Status tool built by my team: https://status.leodex.io which tracks all crosschain protocols we support in real-time. As of this writing, THORChain and Maya Protocol are halted because of this attack. When they are back online, this will be the first place to report it.
Trading Crosschain? My team and I built https://leodex.io which is a secure crosschain swapping app with low fees and no account signups. We support 107+ DEXes (THORChain being one of them).
Sources
- CoinDesk, "Thorchain halts trading after $10 million cross-chain exploit, RUNE token drops 12%," May 15, 2026 — https://www.coindesk.com/tech/2026/05/15/thorchain-halts-trading-after-usd10-million-cross-chain-exploit-rune-token-drops-12
- KuCoin News, "THORChain Router Suspected of Attack, $7.2M Lost" (Cyvers initial alert) — https://www.kucoin.com/news/flash/thorchain-router-suspected-of-attack-7-2m-lost
- BanklessTimes, "THORChain Likely Exploited for $10.7M Across Four Chains, Says ZachXBT," May 15, 2026 — https://www.banklesstimes.com/articles/2026/05/15/zachxbt-says-thorchain-likely-exploited-across-four-chains-for-10-7m/
- Wu Blockchain on X relaying ZachXBT alert — https://x.com/WuBlockchain/status/2055229381816041861
- THORChain official trading-pause statement on X — https://x.com/THORChain/status/1640569760974008320
- Crypto Briefing, "THORChain loses nearly $11 million in suspected exploit as RUNE tumbles 13%" — https://cryptobriefing.com/thorchain-exploit-bitcoin-ethereum-bsc/
- CryptoPotato, "RUNE Plunges by 15% as THORChain Falls Victim to New Hack: ZachXBT" — https://cryptopotato.com/rune-plunges-by-15-as-thorchain-falls-victim-to-new-hack-zachxbt/
- The Block, "THORChain suffers another $8 million loss; hacker wants to 'teach lesson'" — https://www.theblock.co/post/112308/thorchain-suffers-8-million-loss-by-hacker-wanting-to-teach-lesson
- BeInCrypto, "THORChain Reportedly Hit by Multi-Chain Exploit" — https://beincrypto.com/thorchain-exploit-stolen-funds-10-million/
- Coinpedia, "Thorchain Exploit Drains $7.4M Across Bitcoin, Ethereum, BSC, and Base" — https://coinpedia.org/crypto-live-news/thorchain-exploit-drains-7-4m-across-bitcoin-ethereum-bsc-and-base/
- THORChain dev docs, "Bifrost, TSS and Vaults" — https://docs.thorchain.org/technical-documentation/technology/bifrost-tss-and-vaults
- SlowMist, "Analysis of Three Consecutive Attacks on THORChain" (2021) — https://slowmist.medium.com/slowmist-analysis-of-three-consecutive-attacks-on-thorchain-6223f1c691be
- THORChain Medium, "Post-mortem: ETH Router Exploits 1 & 2, and premature Return To Trading Incident" — https://medium.com/thorchain/post-mortem-eth-router-exploits-1-2-and-premature-return-to-trading-incident-2908928c5fb
- Halborn, "Explained: The THORChain Hack (July 2021)" — https://www.halborn.com/blog/post/explained-the-thorchain-hack-july-2021
- Invezz, "THORChain RUNE protocol passes two security audits," October 29, 2021 — https://invezz.com/news/2021/10/29/thorchain-rune-protocol-passes-two-security-audits/
- Nine Realms Medium, "60M RUNE Burned, Lending Caps Increased" — https://medium.com/thorchain/60m-rune-burned-lending-caps-increased-b520366e924e
- I also posted this blog on X