Decentralized cross-chain liquidity protocol THORChain has suffered a significant exploit, with losses estimated at over $10 million. Blockchain security firm PeckShield flagged the incident and provided key details. According to PeckShield, the attacker drained approximately 36.75 BTC (worth around $3 million) along with roughly $7 million in assets from BNB Chain, Ethereum, and Base networks. The total value stolen is estimated at around $10 million.
#PeckShieldAlert @THORChain has been exploited for ~$10M worth of crypto, including 36.75 $BTC ($3M) and ~$7M worth of assets from #BNBChain, #Ethereum, and #Base.
The stolen funds mainly sit in:
bc1ql4u94klk265lnfur2ujk9p6uh52f2a8jhf6f37… pic.twitter.com/mhWIWueVPK— PeckShieldAlert (@PeckShieldAlert) May 15, 2026
Key Details of the Exploit
The incident affected THORChain’s pooled vaults and router contracts across multiple blockchains. Security researchers identified suspicious transactions involving vault interactions and cross-chain movements.
Stolen funds have been linked to the following addresses:
- Bitcoin: bc1ql4u94klk265lnfur2ujk9p6uh52f2a8jhf6f37 (holding ~36.75 BTC)
- EVM chains: 0xd477b69551f49C0519F9B18c55030676138890Bd and 0x82fc0d5150f3548027e971ec04c065f3c93154eb
A substantial portion of the stolen assets remains in these wallets. PeckShield and the community continue to monitor for any movement or attempted laundering of the funds.
THORChain node operators acted quickly by halting trading, signing, and certain vault operations. The protocol has implemented a global pause on cross-chain swaps to prevent further losses. Native RUNE transfers and underlying blockchain operations can still continue, but all trading activity has been temporarily suspended. This rapid response helped contain the damage after the suspicious transactions were detected.
Market Reaction
The native token of the protocol, RUNE, saw an immediate and sharp decline following the news. Prior to the exploit reports, RUNE was trading around $0.59. Within minutes of the incident becoming public, the token plummeted by 12-15%, reaching as low as $0.50 before finding some support near $0.52 levels.
Trading volume surged as panic selling took hold across major exchanges. The price drop erased recent gains and pushed RUNE to a two-week low. Market sentiment turned highly negative, with widespread discussion on social media platforms reflecting concerns over the protocol’s security. The token was down around 10-12% on the day amid the broader market reaction.
THORChain has also been utilized by attackers in other major incidents for laundering stolen funds. In the February 2026 IoTeX Bridge hack, which resulted in an initial loss of around $8 million, the attacker swapped stolen assets into ETH and then bridged approximately 2,319 ETH (worth about $3.94 million) into 62.15 BTC through THORChain to obscure the money trail.
Previous Incidents Involving THORChain in 2025
This latest breach adds to a series of security and operational setbacks the protocol faced throughout 2025.
In February 2025, following the massive $1.4 billion hack on Bybit exchange, attackers reportedly routed around $1.2 billion (nearly 85% of the stolen funds) through THORChain to convert them into Bitcoin and obscure their tracks.
In September 2025, THORChain co-founder John-Paul (JP) Thorbjornsen fell victim to a sophisticated scam that resulted in the loss of approximately $1.35 million from his personal wallet. The attack involved a compromised Telegram account and a deepfake video call impersonating a known associate, allegedly linked to North Korean hackers.
Earlier in January 2025, the protocol’s lending arm, ThorFi, faced a major crisis when it suspended operations due to insolvency concerns and a reported $200 million debt burden. This led to a 90-day restructuring process in which defaulted loans were converted into a new equity-style token.
Current Status
As of now, the THORChain team has not issued a detailed official statement on the root cause of the exploit. Investigations are ongoing, with PeckShield closely tracking the stolen funds. Node operators and the broader ecosystem are working to assess the full impact and restore normal operations safely. Users are advised to avoid interacting with the protocol until further official updates are provided.
