Loading...

THORChain Loses $10.8M Across Four Chains, RUNE -12%

THORChain Loses $10.8M Across Four Chains, RUNE -12%

THORChain Loses $10.8M Across Four Chains, RUNE -12%

Attacker drained $10.8M from THORChain on May 15 across BTC, ETH, BNB Chain, and Base. Trading halted via Mimir; no attack vector confirmed yet.

A fractured steel chain link on wet concrete surrounded by physical Bitcoin and Ethereum coins, cinematic shadows.

Don't scroll Twitter for crypto news
One email. Five minutes. Everything that matters today

THORChain was exploited for roughly $10.8 million across four blockchains on May 15, 2026, after an attacker drained assets from the protocol's cross-chain swap infrastructure. Node operators activated emergency halt parameters via the Mimir governance module, suspending all trading and signing operations.

DeFi exploits move fast. Web Snack covers every major security incident as it develops - subscribe to get the next breakdown before the market reacts.

THORChain's Security History and the $2.8B Cross-Chain Theft Problem

THORChain is a decentralized liquidity network. Users swap native assets - Bitcoin, Ethereum, and others - across blockchains without wrapping tokens or touching centralized intermediaries. That same design is what keeps drawing attackers back.

The protocol has been hit before. In 2021, two separate incidents - an ETH router hack and a Bifrost bug - cost users more than $10 million combined. The project completed at least two security audits before restoring services.

THORChain has also shown up in post-mortems not as a victim but as a laundering route. In 2025, a hacker behind a $300 million Coinbase theft converted roughly $42.5 million in Bitcoin to Ether through the protocol. In February 2026, an attacker from the IoTeX Bridge incident used THORChain to swap approximately 2,319 ETH - around $3.94 million - into 62.15 BTC to obscure the funds trail.

$10.8M Drained from THORChain Across BTC, ETH, BNB Chain, and Base

Blockchain investigator ZachXBT flagged the attack in a Telegram alert on Friday morning. Security firm PeckShield independently identified suspicious addresses on both the Bitcoin network and EVM-compatible chains. As of Friday afternoon, neither had confirmed the attack vector, and THORChain had not issued an official statement.

According to Arkham Intelligence, wallets linked to the attacker held 3,443 ETH worth $7.77 million, 36.85 BTC worth $2.97 million, and 96.6 BNB worth roughly $66,000 at time of detection. THORChain's Mimir governance module flipped trading halt and signing halt parameters to active, with a node pause running approximately 12 hours and 42 minutes from block 26190429.

No post-mortem has been released. The attack vector remains unconfirmed.

RUNE Down 12% and What It Means for Liquidity Providers

RUNE, THORChain's native token, dropped roughly 12% on the news, from around $0.59 to $0.50. Bonding nodes and providing liquidity both require RUNE, so a protocol halt cuts into buying pressure while stranding existing LPs with no timeline to withdraw.

Cross-chain protocols have suffered more than $2.8 billion in theft since 2021. THORChain's design - settling transactions across multiple independent blockchains simultaneously - makes incident response slower and more complex than single-chain DeFi. Until the protocol publishes a post-mortem identifying the vulnerability, node operators and LPs have no way to assess whether the bug remains exploitable.

No official statement had appeared as of Friday afternoon. LPs have no confirmed timeline for when trading resumes and no clarity on fund exposure.

What Comes Next: Post-Mortem Pending, Trading Halt Still Active

The node pause from block 26190429 was scheduled for approximately 12 hours and 42 minutes. Whether trading resumes on that timeline or the halt extends depends on what investigators find.

After the 2021 incidents, THORChain completed two security audits before restoring services - a process that pushed recovery timelines well past initial estimates. A similar response here would extend the current halt into the weekend or beyond.

Cross-chain bridges and liquidity protocols remain the highest-value attack surface in DeFi. THORChain's liquidity providers and node operators should monitor official channels for updates on fund exposure, patch status, and withdrawal availability.

Every major DeFi exploit forces a rethink on security. Web Snack tracks the aftermath - patch timelines, fund recovery, and market impact - delivered to your inbox.

P.S. This article is for informational purposes only and does not constitute investment advice. Always conduct your own research and make independent decisions.

Like this story? There's more tomorrow

Join Web Snack – no fluff, just value