For the second time in a short space of time, THORChain has been the victim of another major security incident, moving it from an isolated blunder into what we at least view as consistent systemic weaknesses within their architectural design.
$10M THORChain Exploit Triggers Network-Wide Emergency Security Response to Halt Attacks
In five years this cross-chain liquidity protocol has experienced six separate exploits attacking a totally unique design layer. Now in 2026 the latest assault has ingrained an entirely new layer of a troubling cycle that is drawing increasing attention from both investors and users.
Multi-layer Exploits are the Key Focus
THORChain’s issues aren’t a unique flaw. But it lays bare a wider architectural fragility, in which new attack surfaces have arisen gradually.
Attackers exploited a vulnerability in the smart contract of an Ethereum router in 2021. By manipulating msg. value events, THORChain suffered two separate losses of $13 million and $2.9 million can be attributed to the Bifrost system misinterpreting transaction data.
Thorchain has been hacked six times in five years, and not once the same way. Each one through a different layer of the architecture.
2021 – Smart contract bug in the ETH Router. Attackers tricked Bifrost into reading manipulated msg.value events. ~$15.5M across three exploits.… pic.twitter.com/Ub6AbYRTsN
— Vadim (AI, ⋈) (@zacodil) May 16, 2026
A year later the risk shifted from smart contracts. Controversy erupted when in 2022, a bug involving the validator software led nodes to act non-deterministically, inhibiting consensus throughout part of the network for around 20 hours raising fundamental questions about KSMs ability to achieve consensus.
Fast-forward to 2023, and the threat-landscape was a lot different. In a recent incident, the threshold signature scheme (TSS) key generation process had a weakness that allowed a bad validator to steal vault funds. While developers were quick to pick up on this mistake and halt the network before any funds could be lost, it revealed how fragile important pieces of infrastructure can be.
New Risks From Economic Design And Our Human Weaknesses
Challenges of the protocol are not limited to code. The THORFi lending model of THORChain was found to have a basic economic defect in January 2025. The system was reliant on RUNE to flip all the major assets, including Bitcoin and Ethereum. This assumption broke, however, and around $200 million became effectively trapped within the protocol.
Then, in September 2025 the attack vector turned to human vulnerabilities. A socially engineered Telegram deepfake designed to impersonate co-founder JP73 has been associated with North Korean actors. Using this, the attackers were able to get into his MetaMask keys through iCloud Keychain and make off with $1.35 million.
This evolution highlights a more troubling trend: that system security can break due to human factors and economic assumptions, even when the code itself does not change.
Exploit of 2026: Crypto Vulnerability Exposed
The 2026 exploit has a new failure point within THORChain’s cryptographic implementation as of the latest.
The GG20 TSS protocol had a vulnerability that was exploited by a malicious validator. The attacker then leaked critical pieces of material from over the different signing sessions to piece together the vault’s private key, stealing as much as $10.7 million in the process.
This assault is alarming, above all else, in light of the fact that its refinement. It was not a bug or design flaw elsewhere in the protocol, but rather laid bare an issue at the very cryptographic heart of Bitcoin, an area one might hope would be reasonably secure when correctly implemented.
Chainalysis Traces Complex Activity Before an Attack
The Chainalysis report on the THORChain attack reveals that the activity of the attacker started weeks before the exploit , having been active long before.
The operation began with Monero, one of the best privacy currencies in the ecosystem to hide transaction history. In the last week of April an attacker came in and deposited XMR into a Hyperliquid position through a Monero Bridge. They then swapped these for USDC, withdrew to Arbitrum and bridged further to Ethereum.
The attacker converted the hundred-thousands of dollars worth of ETH into THORChain, bonded RUNE and generated a freshly churned validator node from Ethereum now understood to be the point of entry for this attack. Some RUNE was issued back into ETH to maintain the cycle of cross-chain movement.
This level of preparation points toward a surgically planned attack instead of an impulsive exploit, running through multiple blockchains and liquidity layers to hide their action.
Before stealing $9.8M from #THORChain, likely attacker-connected wallets spent weeks moving its own funds through Monero, Hyperliquid, and THORChain. On-chain activity ties them to the wallet that would later receive millions of stolen funds.
It started with Monero.
1/5— Chainalysis (@chainalysis) May 16, 2026
Final Moves Prior To The Exploit
This attack has an additional layer of precision that is revealed during the execution phase.
This bridged ETH went into four separate transaction paths. One route linked on their end directly to the attackers wallet. It was just 43 minutes prior to the exploit, when that wallet received 8 ETH one step away from receiving millions in stolen assets.
In the meantime, the three other paths seemed to be pulling out funds. From these wallets too, on the 14th and 15th of May ETH were bridged back to Arbitrum again, deposited in Hyperliquid and routed through Monero using the same privacy bridge once more. The last in this chain of trades happened just under five hours before the attack started.
Further, the questions raised by this Detailed attacker breakdown demonstrates that this was a coordinated and well planned operation.
Funds Lie Dormant But Risks Still Linger
The stolen funds remain dormant as of Friday afternoon. Yet this slumber, analysts are quick to caution, might be short-lived.
Plus, the attacker has shown just how complex their cross-chain laundering strategies can be. The Monero–Hyperliquid pathway used prior to the exploit continues to be a possible avenue for moving funds around.
More than the economic costs incurred by this loss, a larger question is whether this incident constitutes a pattern. Combined, these events represent nearly 227 million dollars in direct losses or “trapped money”. Moreover, the protocol is seen as having laundered about $605 million of stolen property including proceeds related to the Lazarus Group fuelling its increasingly contentious image.
Every fresh exploit reinforces the same conclusion: THORChain’s architecture does not fail predictably, it collapses along new and unexpected vectors.
The implication for investors and users is crystal clear. Not only does THORChain have a risk of being hacked again but it could very well be an unexpected layer of the system that leads to its next failure.
Disclosure: This is not trading or investment advice. Always do your research before buying any cryptocurrency or investing in any services.
Follow us on Twitter @nulltxnews to stay updated with the latest Crypto, NFT, AI, Cybersecurity, Distributed Computing, and Metaverse news!