THORChain was likely exploited for over $7.4M across multiple chains, forcing a protocol pause as users await an official post-mortem.
Author: Akshat Thakur
15th May 2026 – THORChain was likely exploited for more than $7.4 million across Bitcoin, Ethereum, BNB Smart Chain, and Base, according to on-chain investigator ZachXBT. The protocol has since paused all trading operations.
High Signal Summary For A Quick Glance
CoinDesk
@CoinDesk
ALERT: @zachxbt flags a $10M exploit on @THORChain across Bitcoin, Ethereum, BSC and Base. The protocol has paused trading in response. https://t.co/GjA8Cg7nn3
10:05 AM·May 15, 2026
PeckShieldAlert
@PeckShieldAlert
#PeckShieldAlert @THORChain has been exploited for ~$10M worth of crypto, including 36.75 $BTC ($3M) and ~$7M worth of assets from #BNBChain, #Ethereum, and #Base. The stolen funds mainly sit in: bc1ql4u94klk265lnfur2ujk9p6uh52f2a8jhf6f37 https://t.co/mhWIWueVPK
09:58 AM·May 15, 2026
Lookonchain
@lookonchain
According to @zachxbt, #THORChain appears to have been exploited across multiple chains, including #Bitcoin, #Ethereum, #BSC, and #Base, with stolen funds already exceeding $10M. https://t.co/Pqj8JwXdAj https://t.co/lYBjuhnKB5
09:56 AM·May 15, 2026
ZachXBT flagged the incident on his Telegram channel around 09:45 UTC on May 15. OnchainLens amplified the alert on X shortly after. Within minutes, community developers confirmed a global pause had been executed.
Arkham Intelligence has labeled the suspected attacker as “Thorchain Exploiter.” At the time of labeling, the entity held approximately $6.57 million in stolen assets. That total breaks down to 36.85 BTC, 1,567 ETH, and 96.59 BNB.
The suspected attacker’s EVM wallet (0x82fc…4eb) shows rapid activity in the last hour. It includes a 1,866 ETH outflow worth roughly $4.2 million. The wallet also shows multiple swaps routed through 1inch and Kyber.
A suspected Bitcoin address, bc1q14u94k1k2651nfur2ujk9p6uh52f2a8jhf6f37, has also been linked to the attacker. No public Dune or DefiLlama dashboards track the THORChain exploit impact yet because the incident is too recent.
As of 10:00 UTC, the THORChain team has not released an official statement or post-mortem.
THORChain enables native cross-chain swaps without wrapped tokens or traditional bridges. It uses liquidity pools and validator-run Asgard vaults. The Bifrost observer module watches deposits across chains, while TSS vaults require 67% node consensus to sign outbound transactions.
This architecture makes cross-chain swaps possible but also creates a broad attack surface. If an attacker can trick Bifrost into processing fake deposits, they can drain vault funds across multiple chains at once.
The suspected exploit likely targeted this mechanism. The full attack vector remains unconfirmed pending the team’s post-mortem.
This is not THORChain’s first security crisis. In July 2021, attackers exploited the ETH Router twice within two weeks. Those incidents cost the protocol roughly $13 million. In both cases, attackers tricked Bifrost into crediting fake deposits.
The protocol also faced scrutiny in 2022 and 2023. North Korea’s Lazarus Group reportedly used THORChain swaps to launder stolen crypto. That controversy raised broader questions about cross-chain protocol accountability.
Today’s incident brings the total number of major THORChain security events to at least three. Each one has involved the core Bifrost and vault infrastructure.
Key milestones in Thorchain’s security history and the May 2026 exploit
An early vulnerability impacts Thorchain infrastructure, marking the beginning of a short period of repeated attacks.
Attackers abuse fake-deposit logic through ETH router infrastructure, causing the protocol to process invalid deposits and release real assets.
A similar fake-deposit vector is exploited again, bringing cumulative July losses above $13M and forcing emergency halts and reimbursements.
No major protocol exploits occur, but Thorchain becomes a frequent route for laundering funds from external hacks due to its permissionless nature.
The Thorchain founder reportedly loses around $1.35M after a personal wallet compromise linked to social-engineering malware, unrelated to protocol security.
Unauthorized withdrawals target vaults across Bitcoin, Ethereum, BNB Chain, and Base, with estimated losses reaching roughly $7.4M.
The team halts inbound APIs and pauses activity globally while investigating the breach. No formal post-mortem or compensation plan is released.
Thorchain remains paused. Users are advised to avoid interactions while attacker funds continue moving and reimbursement expectations remain uncertain.
RUNE, THORChain’s native token, fell 11.3% in 24 hours to $0.5130, according to CoinGecko data. The 24-hour trading range hit a low of $0.5125 and a high of $0.5979. Trading volume spiked to $35.3 million.
THORChain’s total value locked (TVL) stands at $41.95 million, according to DefiLlama. That figure is down 2.73% in the last 24 hours. For context, the protocol’s TVL peaked above $500 million in early 2022.
Social media reaction has been swift. Dominant sentiment on X reflects alarm and frustration. Multiple accounts posted urgent alerts, and the narrative of “THORChain can’t stop getting hacked” quickly resurfaced.
ZachXBT described the incident as a likely exploit. Most community reports align with that assessment. Some early accounts raised the possibility that funds may have been laundered through the protocol from another hack. Arkham’s explicit “Thorchain Exploiter” label points toward a direct protocol-level exploit.
Several critical questions remain unanswered. The exact technical root cause is unknown. The per-chain breakdown of losses has not been disclosed. Whether user deposits beyond vault liquidity are affected remains unclear.
The protocol remains paused as of this writing. The community is waiting for an official post-mortem from the THORChain team. That report should explain the attack vector, confirm total losses, and outline steps to prevent a recurrence.
For now, users should avoid interacting with THORChain until the team confirms the issue is resolved. Cross-chain protocols continue to carry elevated security risks, and this incident reinforces that reality.
This is a developing story. OCT will update this article as more information becomes available.
This article is for informational purposes only and does not constitute financial advice. Always do your own research before making investment decisions.
Our Crypto Talk is committed to unbiased, transparent, and true reporting to the best of our knowledge. This news article aims to provide accurate information in a timely manner. However, we advise the readers to verify facts independently and consult a professional before making any decisions based on the content since our sources could be wrong too. Check our Terms and conditions for more info.
THORChain Exploited for $7.4M, Protocol Pauses Trading
ZIGChain Launches ZIG 2.0 With Buybacks of Up to 500M Tokens
ZachXBT Alleges $LAB Insiders Control 95% of Supply
XYO AI SDK Brings Vibe Coding On-Chain for First Time
THORChain Exploited for $7.4M, Protocol Pauses Trading
ZIGChain Launches ZIG 2.0 With Buybacks of Up to 500M Tokens
ZachXBT Alleges $LAB Insiders Control 95% of Supply
XYO AI SDK Brings Vibe Coding On-Chain for First Time
