If you were one of the thousands of wallets caught in THORChain’s May exploit, the clock is now ticking louder. The decentralized cross-chain protocol’s recovery portal — launched to compensate victims of a $10 million hack — closes on June 4, 2026. That’s roughly ten days from now, and blockchain data suggests a significant number of affected wallets haven’t yet filed their claims.
THORChain confirmed the exploit on May 11. Within eight minutes of detection, the protocol paused trading and outbound signing, limiting further damage. But the breach had already drained approximately $10 million across four blockchain networks: Bitcoin, BNB Chain, Ethereum, and Base.
What Happened
Investigators tracking the attack suspect the exploiter found a flaw in THORChain’s GG20 Threshold Signature Scheme implementation. By gradually extracting vault key material over time, the attacker was able to reconstruct a private key and authorize unauthorized transactions — a sophisticated, patient attack rather than a flash exploit.
The protocol’s automated circuit breakers helped, but not before the damage was done. Roughly 12,847 wallets across the four affected chains lost funds in the incident.
The Recovery Portal: How It Works
In the days following the exploit, THORChain’s development team and node operators moved quickly to establish a treasury-backed refund pool of equivalent size — $10 million earmarked specifically for affected users.
The recovery portal gives users a self-custodial path to reclaim their funds:
- Revoke malicious token approvals — Users can identify and remove the exploit-related approvals that were weaponized during the attack
- Submit refund claims — Verified affected wallets can file directly through the portal
- Receive treasury-backed compensation — Claims are processed against the dedicated refund pool
The mechanism was deliberately designed to keep users in control of their own keys throughout the process, consistent with DeFi principles.
“Recovery portal live for claims; treasury-backed refunds available until June 4,” MEXC confirmed in its coverage of the launch.
Why the Deadline Matters
June 4 is a hard stop. Users who fail to submit their claims before that date will not be eligible for compensation from the current refund pool, and there is no guarantee a second program will be established.
Given that only roughly ten days remain, DeFi security researchers have begun amplifying the deadline across social media. On X, several high-profile accounts in the THORChain and broader DeFi community have been tagging affected wallet addresses and urging users to check their eligibility.
CryptoRank confirmed the timeline: applications remain open until June 4, covering wallets on Bitcoin, BNB Chain, Ethereum, and Base.
THORChain’s Recovery Track Record
This isn’t THORChain’s first security incident. The protocol has weathered multiple exploits over its history, and its response framework has generally been viewed as more organized than most DeFi projects. The rapid circuit-breaker activation — pausing within eight minutes — is cited as the primary reason losses were contained to $10 million rather than multiplying.
Node operators approved the refund pool through governance vote within days of the incident, with the decision reflecting the community’s interest in maintaining user trust even at significant treasury cost.
Broader DeFi Security Context
THORChain’s exploit came during a period of elevated DeFi attack activity. According to TRM Labs, North Korea-linked groups stole 76% of all crypto hack losses in 2026 through just two attacks, totaling $577 million. While THORChain’s attacker has not been attributed to any nation-state actor, the sophistication of the GG20 key extraction technique has led some researchers to speculate about advanced persistent threat involvement.
For users who suffered losses, the immediate priority is straightforward: visit the THORChain recovery portal before June 4 and submit your claim.
FAQ
Who is eligible for the THORChain refund? Wallets that lost funds in the May 11, 2026 exploit across Bitcoin, BNB Chain, Ethereum, and Base networks are eligible. Users must submit claims through the official recovery portal before June 4, 2026.
How much was stolen in the THORChain exploit? Approximately $10 million was drained across four blockchain networks. THORChain’s treasury established an equivalent $10 million refund pool to compensate affected users.
What caused the THORChain hack? Investigators suspect a flaw in the protocol’s GG20 Threshold Signature Scheme implementation, which allowed the attacker to gradually extract vault key material and reconstruct a private key over time.
— Sources: MEXC, TradingView/CoinTelegraph, Blockchain.news, CryptoRank, Yellow.com
