A Single Validator Drained $10.8M From THORChain Across Four Chains. It Took Days to Set Up.

The attacker funded the node through Monero and Hyperliquid weeks before the theft. Chainalysis mapped the entire trail. THORChain paused all trading.

Ramy Morton News

THORChain halted all trading and signing operations on May 15 after ZachXBT flagged suspicious transfers across Bitcoin, Ethereum, BNB Smart Chain, and Base. Wallets linked to the attacker held roughly 3,443 ETH, 36.85 BTC, and 96.6 BNB. Total confirmed losses: $10.8 million in protocol-owned funds. RUNE dropped 21%.

THORChain said user funds appear unaffected. The losses came from one of six Asgard vaults. The network remains partially paused.

Chainalysis Traced the Setup. It Started Weeks Before the Theft.

Chainalysis published a five-part thread on May 16 showing the attacker moved funds through Monero, Hyperliquid, and Arbitrum before the exploit. The sequence: ETH was bridged into THORChain, used to bond RUNE for a newly churned validator node, then partially bridged back. Some of that ETH went to Arbitrum, then Hyperliquid, then back through a Monero privacy bridge. The last preparatory transaction landed five hours before the attack began.

One branch connected directly to the attacker. Eight ETH moved through an intermediary wallet and arrived at the theft address 43 minutes before the exploit fired. That level of pre-planning across five protocols and two privacy layers is not casual. It is infrastructure.

The GG20 Signature Scheme Is the Leading Theory

THORChain contributors pointed to the GG20 threshold signature scheme as the likely vulnerability. The protocol uses TSS to let multiple nodes jointly sign transactions without reconstructing the full private key. The theory: a compromised validator node exploited a weakness in GG20 that allowed key material to leak over time. With enough fragments, the attacker could reconstruct a vault private key and authorize outbound transactions.

The node in question joined the active validator set days before the incident. Ethereum addresses used to bond RUNE for that node match addresses that later received stolen funds. Ledger security CTO Charles Guillemet warned that advances in LLM-assisted vulnerability discovery may be lowering the difficulty of attacking validator infrastructure. This is not the first time THORChain's cross-chain architecture has been used to move stolen funds. The Kelp exploiter laundered $175 million through THORChain in April, spiking daily volume to $394 million.
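The overlap described above (addresses that bonded a recently joined node reappearing as recipients of vault funds, in one case through an intermediary wallet) is something a monitoring job can check mechanically. The following is an added example, not code from THORChain, Chainalysis, or the original article; the record shapes, field names, thresholds, and all addresses are constructed for illustration.

```python
from collections import deque

def linked_addresses(seeds, transfers, max_hops=1):
    """Map each address within max_hops transfers of a seed to its hop distance."""
    adj = {}
    for src, dst in transfers:
        src, dst = src.lower(), dst.lower()   # hex addresses are case-insensitive
        adj.setdefault(src, set()).add(dst)
        adj.setdefault(dst, set()).add(src)
    seen = {s.lower(): 0 for s in seeds}
    queue = deque(seen)
    while queue:
        addr = queue.popleft()
        if seen[addr] == max_hops:            # do not expand past the hop limit
            continue
        for nxt in adj.get(addr, ()):
            if nxt not in seen:
                seen[nxt] = seen[addr] + 1
                queue.append(nxt)
    return seen

def flag_outbounds(nodes, transfers, outbounds, max_hops=1, new_node_days=14):
    """Alert when a vault outbound pays an address linked to a node's bond funders."""
    alerts = []
    for node in nodes:
        linked = linked_addresses(node["bond_funders"], transfers, max_hops)
        for tx in outbounds:
            hops = linked.get(tx["recipient"].lower())
            if hops is None:
                continue
            age = tx["day"] - node["active_since_day"]
            # A recently joined node is the stronger signal; older nodes go to triage.
            severity = "high" if 0 <= age <= new_node_days else "medium"
            alerts.append({"node": node["id"], "vault": tx["vault"],
                           "recipient": tx["recipient"], "hops": hops,
                           "node_age_days": age, "severity": severity})
    return alerts

# Constructed sample data (placeholder addresses, day numbers instead of timestamps).
NODES = [{"id": "node-A", "bond_funders": ["0xAAA1"], "active_since_day": 100},
         {"id": "node-B", "bond_funders": ["0xBBB1"], "active_since_day": 10}]
TRANSFERS = [("0xaaa1", "0xINTER1"), ("0xINTER1", "0xDEAD1")]
OUTBOUNDS = [{"vault": "vault-3", "recipient": "0xAaA1", "day": 104},
             {"vault": "vault-3", "recipient": "0xinter1", "day": 104},
             {"vault": "vault-1", "recipient": "0xCCC9", "day": 104},
             {"vault": "vault-2", "recipient": "0xBBB1", "day": 104}]

if __name__ == "__main__":
    for alert in flag_outbounds(NODES, TRANSFERS, OUTBOUNDS):
        print(alert)
```

Raising `max_hops` widens the cluster around each bond funder at the cost of more false positives, so alerts at distance two or more are better treated as leads for an analyst than as grounds for an automatic halt.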

Fake Recovery Scams Appeared Within Hours

THORChain posted a warning on May 16: fake accounts were circulating claims about "refunds," "airdrops," and "compensation claims" that do not exist. No recovery plan has been announced. All decisions will require node governance votes. Resolv's $80 million exploit in April showed how recovery scams can extract more money from victims than the original hack. THORChain is trying to shut that down early.

Cross-Chain Bridges: $2.8 Billion Lost Since 2021

Chainalysis data puts cumulative bridge-related theft above $2.8 billion since 2021. This month alone, Rhea Finance lost $18.4 million, Transit Finance lost $1.88 million, and now THORChain lost $10.8 million. KelpDAO and Drift Protocol added over $600 million in April. The pattern is clear and the number is accelerating.

THORChain's treasury team is working with THORSec, Outrider Analytics, and law enforcement to identify the attacker. RUNE was trading near $0.42 as of May 16. The network that lets you swap BTC for ETH without a centralized exchange just proved why centralized exchanges still exist: someone has to be accountable when $10.8 million disappears across four chains in a single afternoon.


Ramy Morton is Coinliva's Markets & On-Chain Analyst. He covers crypto markets with a focus on price action, ETF flows, derivatives positioning, stablecoin movements, and exchange reserves. His analysis is built on primary data sources including Glassnode, CryptoQuant, Coinglass, and ETF issuer disclosures.