THORChain, a decentralized protocol that allows users to swap native crypto assets across blockchains without custodians or wrapped tokens, was exploited on May 15, 2026. The attacker drained funds from four separate networks: Bitcoin, Ethereum, BNB Smart Chain, and Base. Confirmed losses sit between approximately $10.7M and $10.84M, making this at least the protocol's fourth major security incident since its launch.

On-chain investigator ZachXBT was first to flag the breach publicly via his Telegram channel. "I finished accounting again now and it looks to be $10M+ stolen at least," he wrote. Blockchain security firm PeckShield and analytics platform Arkham Intelligence both independently corroborated the findings, identifying the attacker wallet cluster. Early estimates from some sources placed losses closer to $7.4M; ZachXBT's revised accounting supersedes those figures.

Fund breakdown at attacker wallets, as of time of reporting:

• Approximately 3,443 ETH, worth roughly $7.77M
• Approximately 36.85 BTC, worth roughly $2.97M
• Approximately 96.6 BNB, worth roughly $66,000

Total: approximately $10.84M

Base-specific losses are not separately itemized in current attacker wallet data; it is unclear whether Base funds are captured within one of the figures above or remain unaccounted for in the current breakdown.

THORChain's node operators responded by triggering an emergency halt through the protocol's Mimir governance module, a system that allows node operators to set operational parameters collectively. The halt, which froze both trading and transaction signing, was recorded beginning at block 26190429. A status update was issued approximately 12 hours and 42 minutes after the halt began; whether the network had fully resumed operations at that point was not confirmed at the time of publication. As of publication, THORChain has not released a formal post-mortem identifying the specific attack vector.

RUNE, the protocol's native token, fell 12 to 13 percent in the hours following the news. Prior to the exploit, RUNE was trading at around $0.40 with a market capitalization of roughly $140.45M.

THORChain held approximately $35.18M in total value locked (TVL) at the time of the incident, according to DefiLlama data.

---

A Protocol With a Security History

This is not THORChain's first breach. In July 2021, two separate exploits within a single week drained a combined $12.8M to $15.6M, both targeting the Ethereum router.

A white-hat hacker intervened in the second incident to cap losses, later demanding a 10% bounty. In 2022, a vulnerability in a threshold signature scheme library maintained by BNB Smart Chain forced additional node suspensions.

More recently, the protocol drew scrutiny as a routing path for illicit funds: the Coinbase hacker converted $42.5M in stolen BTC to ETH via THORChain in 2025, and funds linked to North Korean hacking group Lazarus were traced through the protocol in connection with a separate incident involving Kelp DAO, through which $80M in ETH was laundered and $70M was subsequently frozen by the Arbitrum Security Council. An $8.8M to $9M hack of the IoTeX bridge also saw stolen funds moved through THORChain, further illustrating the protocol's repeated appearance in post-exploit fund flows.

Griff Green, a member of the Arbitrum Security Council and founder of Giveth, noted in an earlier interview on the Unchained podcast (cited here for background context, not in relation to this specific exploit): "Thorchain in general has been seen as a chain of choice especially for North Korean groups."

THORChain's architecture works as follows: all assets are paired against RUNE in internal liquidity pools, so a BTC-to-ETH swap routes internally as BTC to RUNE, then RUNE to ETH. Node operators hold vaults on each supported blockchain and must stake RUNE proportional to pooled assets. A vulnerability at the vault or router level could affect multiple chains simultaneously, a risk this incident may illustrate pending post-mortem confirmation.

---

Why Users in Africa and South Asia Are Watching

Cross-chain protocols like THORChain serve a practical function beyond trading. In Sub-Saharan Africa and South Asia, users in countries with limited access to centralized exchanges rely on non-custodial, non-KYC protocols to move value across networks for remittances, peer-to-peer settlements, and stablecoin acquisition. Sub-Saharan Africa received more than $205B in on-chain value in the 12 months to June 2025, a 52 percent year-on-year increase. Nigeria alone accounted for over $30B in DeFi service inflows. To illustrate what is at stake financially for these users: the average remittance fee in Sub-Saharan Africa runs to 7.9 percent per $200 sent, and crypto-based remittance routes can reduce that cost by as much as 85 percent, according to Transak data.

A 12-plus-hour halt on THORChain directly disrupts active swaps in progress. A user in Lagos or Karachi moving BTC to BNB for remittance purposes during the window would face frozen transactions with no user-level notification from the protocol itself; new swaps attempted during the halt period would similarly be rejected, though the protocol does not surface either condition to end users directly. Downstream applications built on THORChain's SwapKit SDK and front-ends such as THORSwap must monitor chain state independently to catch these events.

Repeated exploits also create a harder regulatory problem. Nigeria's 2025 Investments and Securities Act and Kenya's VASP Bill, signed in October 2025, reflect active regulatory calibration of DeFi infrastructure in both markets. Analysts suggest that a protocol on at least its fourth major security incident may give regulators in these jurisdictions additional grounds to impose restrictive rules on locally integrated products, though no Nigerian or Kenyan regulatory body has cited THORChain specifically in that context.

---

What Comes Next

THORChain has not confirmed whether funds are recoverable or whether a bounty arrangement will be proposed, as occurred in 2021.

The investigation is ongoing. Cross-chain bridge and liquidity protocols have lost a combined $2.8B since 2021, and incidents of this scale consistently reshape how developers assess routing dependencies. Developers and users integrating THORChain-based swaps should verify current protocol status before executing transactions and watch for an official post-mortem that details the specific vulnerability exploited.