USDTHORChain Pauses Trading After Suspected Exploit
Investigators Flag Multi-Chain Losses and Vault Withdrawal Bug
TL;DR
- THORChain paused trading and signing after suspicious multi-chain wallet activity.
- ZachXBT and PeckShieldAlert estimated losses above $10 million.
- Blockaid linked the suspected issue to a Bifrost Attestation Gossip bug.
Trade smarter on Jupiter, Solana’s leading DEX built for fast execution and deep liquidity.
Swap tokens at competitive rates, route across multiple liquidity sources automatically, and access perpetuals, DCA, and advanced trading tools — all in one place!
THORChain paused trading and signing on May 15, 2026, after investigators flagged a suspected multi-chain exploit that may have drained more than $10 million from the protocol’s vaults across Bitcoin, Ethereum, BNB Chain/BSC, and Base.
The incident was reported through several updates published on May 15, 2026, with timestamps at 12:30 UTC, 13:51 UTC, and 17:45 UTC. The later information gave the clearest available picture: THORChain had activated a networkwide emergency halt while investigators tracked stolen assets and reviewed whether a vault withdrawal flaw had been exploited.
THORChain is described as a cross-chain liquidity protocol that lets users swap crypto directly across blockchains without centralized intermediaries. The suspected exploit targeted the same cross-chain architecture that supports its core function, with suspicious wallets tied to alleged theft addresses and multiple chains involved in the reported fund movement.
ZachXBT warned that THORChain may have suffered a multi-chain exploit affecting Bitcoin, Ethereum, BSC, and Base. After reviewing the numbers again, ZachXBT wrote: “I finished accounting again now and it looks to be $10M+ stolen.” ZachXBT also criticized early accounting, writing: “Can tell because they did not check the numbers themselves / chains listed.”
PeckShieldAlert said THORChain had been exploited for roughly $10 million, including 36.75 BTC valued at about $3 million and roughly $7 million in assets from BNB Chain, Ethereum, and Base. PeckShieldAlert said the stolen funds mainly sat in a Bitcoin address beginning with bc1ql4u94klk265lnfur2ujk9p6uh52f2a8jhf6f37.
Arkham Intelligence data showed the attacker’s address holding the listed BTC and ETH balances, along with smaller amounts of THOR, XRUNE, and DAI. The Bitcoin portion was reportedly transferred in one large transaction, while the other tokens moved through dozens of smaller transactions.
We’ve launched the all-new COIN360 Perp DEX, built for traders who move fast!
Trade 130+ assets with up to 100× leverage, enjoy instant order placement and low-slippage swaps, and earn USDC passive yield while climbing the leaderboard. Your trades deserve more than speed — they deserve mastery.
THORChain Halted Activity During Review
THORChain paused all activity, including trading and signing, after the suspected exploit was detected. A global pause on all nodes was activated and set to last nearly 13 hours, or until block 26,191,149.
The halt gave THORChain’s team, developers, and node operators time to review wallets, transactions, and the reported issue. The pause also stopped user activity across the network while the investigation continued.
Blockaid said the attackers targeted THORChain’s vault withdrawal process by intercepting inbound deposit observations and modifying them into fake outbound payment requests. Blockaid described the suspected root cause as “a proposer-forgery bug in THORChain’s Bifrost Attestation Gossip.”
Blockaid said validator signatures “didn’t cover the inbound/outbound bit,” allowing a proposer to flip a real inbound observation into a fake outbound request. Blockaid also said THORChain developers had already developed a fix that would have blocked the attack, but the automated system responsible for testing and distributing software updates failed.
RUNE fell after the attack became public, dropping 14% in about two hours from $0.585 to $0.501. RUNE was later cited as trading around $0.514 at press time.
The incident added to prior operational and security issues around THORChain. ThorFi lending operations were halted in January 2025 after insolvency concerns emerged, and validators later implemented a 90-day restructuring plan.
That restructuring addressed a reported $200 million debt crisis by converting defaulted liabilities into a newly created equity-style token structure. Separately, THORSwap announced a bounty in September 2025 after approximately $1.2 million was stolen from the personal wallet of THORChain founder John-Paul Thorbjornsen.
ZachXBT later linked activity from that founder-wallet theft to suspected North Korean hacking groups. The uploaded information also connected THORChain to the aftermath of the Kelp DAO hack, where stolen ETH was reportedly bridged into Bitcoin through THORChain.
The Kelp DAO-related activity reportedly helped push THORChain’s daily transaction volume to approximately $394 million in a single day. Another cited incident involving KelpDAO and Drift Protocol involved more than $550 million in losses, with Kelp losing funds through a breach tied to LayerZero bridge infrastructure.
During the KelpDAO-related laundering flow, the hacker reportedly used THORChain to launder 75,700 ETH, worth $175 million at the time. THORChain reportedly generated nearly $1 million in fees from that hacker’s laundering activity.
Bybit CEO Ben Zhou said at least $1.2 billion of stolen Bybit funds were laundered through THORChain after Bybit’s $1.4 billion exploit, described in the provided information as the largest hack in crypto history.
THORChain had not published final loss details, a final confirmed affected-asset list, a complete postmortem, patch confirmation, recovery plan, or attacker identity in the provided information. The clearest available framing remained a suspected multi-chain exploit with loss estimates ranging from more than $10 million to $10.7 million.
FAQ
What did THORChain pause?
THORChain paused trading and signing across the network.
Which chains were named?
Bitcoin, Ethereum, BNB Chain/BSC, and Base were named.
Who described the suspected technical flaw?
Blockaid described the suspected Bifrost Attestation Gossip proposer-forgery bug.
Was the final loss confirmed by THORChain?
No final THORChain loss figure was included in the provided information.
This article has been refined and enhanced by ChatGPT.
