Decentralized cross-chain exchange THORChain suffered one of its worst security breaches this month when attackers drained approximately $10.8 million across four blockchain networks in a sophisticated exploit tied to a rogue validator node and a flaw in its threshold signature scheme. The protocol has since launched a refund portal for the roughly 12,847 affected wallets — but the road to recovery is proving complicated.
What Happened: A Rogue Node and a TSS Flaw
The exploit unfolded on May 15, 2026, freezing THORChain’s cross-chain DEX operations for more than 13 hours. According to post-mortem reports from THORChain developers and independent analysis by blockchain security firm CryptoTimes, the attacker exploited a weakness in the GG20 threshold signature scheme (TSS) used by THORChain’s validator nodes to control pooled funds across networks.
The attacker reportedly bonded RUNE to operate a rogue validator node. Ethereum addresses used to acquire and bond that RUNE were later linked to wallets that received the stolen funds, according to on-chain tracing shared by THORChain developers. Funds were drained across Bitcoin, Ethereum, BNB Chain, and Base — four of the protocol’s most liquid trading corridors.
Wallets linked to the attacker held approximately 3,443 ETH and equivalent values in other assets at the time of initial reporting. CoinDesk confirmed the protocol halted all trading and signing operations within hours of detecting the anomaly.
Chainalysis Traces Pre-Attack Activity
Blockchain analytics firm Chainalysis identified a pre-attack trail connecting the exploiter to activity involving Monero (XMR) and perpetual futures platform Hyperliquid, suggesting the attacker had been building positions and obfuscating fund origins in the days before the breach. The Monero-Hyperliquid connection has raised fresh questions about privacy coins being used as staging tools in sophisticated DeFi attacks.
“This level of pre-attack preparation indicates a state-level actor or highly organized criminal operation,” one security researcher told CryptoTimes. “The Monero trail is particularly concerning given how difficult it is to trace.”
Refund Portal Goes Live — 12,847 Wallets Affected
By May 16, THORChain had launched a refund portal allowing affected users to verify their status and begin the recovery claim process. The protocol confirmed that 12,847 unique wallets across the four affected chains suffered losses, with individual claims ranging from a few dollars to tens of thousands.
The portal is live at THORChain’s official domain, and the team says claims will be processed in order of submission. However, the protocol has not committed to a full 100% reimbursement, instead pointing to its reserve fund and ongoing governance discussions about compensation ratios.
RUNE Token Takes 12% Hit
RUNE, THORChain’s native token, fell approximately 12% in the immediate aftermath of the exploit and has struggled to recover. The token had been trading near multi-month highs before the breach, supported by a broader altcoin recovery and growing cross-chain DEX volumes.
The price decline reflects not just the direct financial loss but broader confidence concerns around THORChain’s security model. This is not the first time the protocol has faced an exploit: previous incidents in 2021 saw similar cross-chain vulnerabilities exploited to drain millions. Critics argue the protocol’s reliance on bonded validators with access to multi-chain liquidity pools creates structural risks that periodic audits have failed to eliminate.
Protocol Response and What Comes Next
THORChain’s node operators voted to partially pause the network while a security review is conducted. Trading, liquidity provider actions, and signing operations remain suspended pending the outcome of that review. The team has indicated it expects a phased resumption of operations once the TSS flaw is patched and affected nodes are rotated out.
The protocol is also exploring enhanced validator bonding requirements and additional circuit breakers that would automatically halt operations if suspicious signing patterns are detected mid-execution.
For RUNE holders and DeFi users, the situation remains fluid. The refund portal provides at least a partial path to recovery, but the broader question of whether THORChain’s cross-chain architecture can be made reliably secure continues to hang over the project.
What DeFi Users Should Do Now
- Check the THORChain refund portal to verify if your wallet was affected
- Do not interact with unofficial refund sites — phishing attacks have already been reported
- Monitor THORChain’s official X account and Discord for status updates on the network resumption timeline
- RUNE holders should note that the token remains volatile and the full extent of protocol impact is still being assessed
FAQ
How much was stolen in the THORChain exploit?
Approximately $10.8 million was drained across Bitcoin, Ethereum, BNB Chain, and Base on May 15, 2026. A total of 12,847 wallets were affected.
Is the THORChain refund portal legitimate?
Yes. THORChain officially launched the refund portal on May 16, 2026. Users should only access it via THORChain’s verified official channels to avoid phishing scams.
Will RUNE recover after the exploit?
RUNE dropped approximately 12% following the exploit. Recovery depends on the speed of the security patch, the outcome of compensation discussions, and broader market conditions for DeFi tokens.
Sources: CoinDesk, CryptoTimes, MEXC News, Chainalysis, THORChain official communications