Cross-chain liquidity protocol THORChain was drained of approximately $10.8 million on Friday after an attacker exploited a flaw across four separate blockchains – Bitcoin, Ethereum, BNB Chain, and Base – forcing the protocol to halt all trading and signing operations.
On-chain investigator ZachXBT first flagged the suspicious activity, identifying coordinated drains that spanned the protocol’s multi-chain liquidity pools. RUNE, THORChain’s native token, shed around 12% of its value within hours of the incident becoming public, as traders rushed to exit exposure.
How the Attack Unfolded
According to researchers familiar with the exploit, the attacker appears to have taken advantage of a flaw in THORChain’s GG20 threshold signature scheme – the cryptographic mechanism the protocol uses to manage cross-chain signing. By manipulating the signing process, the attacker was able to siphon funds across chains without triggering the protocol’s standard multi-party validation.
The exploit didn’t target a single chain. Losses were distributed across Bitcoin, Ethereum, Binance’s BNB Chain, and Coinbase’s Base network, making it one of the more technically complex attacks seen in decentralised finance so far in 2026. The multi-chain nature of the exploit made real-time detection and containment significantly harder.
THORChain’s core team responded by pausing all trading and signing operations shortly after ZachXBT’s public alert, preventing further fund outflows. Liquidity providers were advised to monitor their positions while an investigation got underway.
Chainalysis Links Attacker to Weeks-Long Laundering Setup
In a development that added another layer to the story, blockchain analytics firm Chainalysis on Saturday revealed it had traced the attacker’s pre-attack activity, uncovering a sophisticated preparation trail involving Monero, Hyperliquid, and Arbitrum.
According to Chainalysis, the attacker spent weeks routing funds through Monero – a privacy coin designed to obscure transaction histories – before positioning capital on Hyperliquid and Arbitrum. The setup suggests the attack was premeditated, not opportunistic, and that the attacker had studied the protocol’s mechanics well in advance.
The Monero routing is particularly significant because it creates considerable forensic difficulty. Unlike Bitcoin or Ethereum transactions, Monero transfers are private by default, making it extremely difficult to trace the origin of funds or link addresses to known entities.
A Protocol With a Complex History
THORChain isn’t a stranger to controversy. The protocol was previously identified as one of the primary routing tools used by North Korean state-sponsored hacking group Lazarus Group, which allegedly laundered $175 million in stolen crypto through the platform.
Earlier this year, the protocol also faced governance turmoil after liquidity providers and token holders clashed over debt restructuring proposals that threatened to leave some creditors exposed. The platform eventually stabilised, but Friday’s exploit has reopened questions about whether the protocol’s security architecture is strong enough for the scale of value it handles.
The timing is notable: THORChain processes hundreds of millions of dollars in cross-chain swaps and is one of the few truly decentralised protocols enabling native Bitcoin swaps without wrapping.
Market Reaction and Liquidity Provider Fallout
RUNE fell from roughly $1.40 to below $1.24 within the first few hours after the exploit became public, according to CoinGecko data. Trading volume spiked sharply as holders moved to reduce exposure.
Liquidity providers on the affected pools face potential losses depending on how THORChain’s impermanent loss protection and bonding mechanisms respond to the incident. The protocol is designed with bonding requirements that are meant to ensure node operators have “skin in the game” – but the GG20 vulnerability may complicate standard recovery mechanisms.
As of Saturday, THORChain hadn’t published a full post-mortem, though team members indicated on social media that the investigation was ongoing and that resuming trading operations was contingent on identifying and patching the root cause.
What Happens Next
Security researchers have called for THORChain to commission a full audit of its threshold signature scheme implementation before reopening. Several DeFi security firms have indicated they’re watching the situation closely, with at least one preparing a technical breakdown of the GG20 flaw.
For the broader DeFi ecosystem, the attack reinforces a persistent challenge: cross-chain protocols, by their nature, introduce compounding attack surfaces. Each additional chain a protocol supports is another vector – and the GG20 signing layer, shared across chains, becomes a single point of failure if compromised.
The exploit also arrives at a difficult moment for decentralised finance broadly, with regulators in multiple jurisdictions watching the sector closely and pointing to security incidents as evidence that DeFi infrastructure requires stronger oversight frameworks.
FAQ
What is THORChain and how does it work? THORChain is a decentralised liquidity protocol that enables native cross-chain swaps – meaning users can trade Bitcoin for Ethereum, for example, without wrapping or custodial intermediaries. It uses a network of nodes and a threshold signature scheme to manage cross-chain signing.
How much was stolen in the THORChain exploit? Approximately $10.7-$10.8 million was drained across Bitcoin, Ethereum, BNB Chain, and Base. ZachXBT flagged the exploit, and Chainalysis traced the attacker’s pre-attack laundering activity through Monero and Hyperliquid.
Will THORChain users get their funds back? No official recovery plan had been announced as of Saturday. The protocol has impermanent loss protection and bonding mechanisms, but the specifics of how losses will be distributed among liquidity providers depend on the post-mortem findings.