THORChain Confirms $10 Million Exploit, Opens Recovery Portal After May 11 Attack

THORChain confirmed a $10 million exploit and opened a recovery portal for affected users after the attack was detected at 02:14 UTC on May 11, when node operators flagged anomalous outbound transactions.

“Bitget App Trade smarter amp”

Bitget

The protocol said trading and outbound signing were paused within 8 minutes, and that the attacker drained 36.75 BTC worth about $3 million plus roughly $7 million in tokens across BNB Chain, Ethereum and Base.

bloomingbit

THORChain said the incident affected 12,847 wallets across 4 chains, and it described a leading theory that the attacker exploited a vulnerability in the GG20 threshold signature scheme implementation.

In its incident update, THORChain said the flaw allowed sensitive vault key material to leak gradually, and that the attacker could reconstruct the vault’s private key to authorize unauthorized outbound transactions.

THORChain said affected users have 21 days to submit claims through its recovery portal, with the refund window closing on June 4 and any unclaimed allocation rolling over into the protocol’s insurance fund.

MENAFN reported that THORChain said the attack was detected at 02:14 UTC on May 11 and that trading and outbound signing were paused within eight minutes after node operators flagged unusual outbound transactions.

Cointelegraph

Cointelegraph quoted THORChain saying, "The Treasury is actively collecting forensic data and coordinating with Outrider Analytics and relevant law enforcement agencies in an effort to identify the attacker and pursue recovery of stolen funds where possible," as the protocol sought to trace the stolen assets.

Cointelegraph also said THORChain believed a newly churned node entered the network several days before the attack and that onchain links were identified between the node’s bonding addresses and the wallets that received the stolen funds.

The THORChain exploit landed as crypto hacks reached $629.7 million in April, the worst month for the industry since February 2025 when $1.47 billion was stolen, according to FinanceFeeds.

“THORChain’s recovery portal”

Cointelegraph

FinanceFeeds said KelpDAO’s $293 million exploit and Drift Protocol’s $280 million hack accounted for most of April’s losses, representing 82% of the total, while Cointelegraph said the pattern of attacks points to compromises involving bridges, privileged access and operational failures.

TradingView reported that after the exploit, THORChain’s native token RUNE dropped more than 14% within hours, falling toward the $0.50 level as traders reduced exposure.

ZachXBT flagged suspicious multi-chain activity linked to THORChain’s router infrastructure, and TradingView said attackers moved roughly $7.2 million worth of assets including USDT, USDC, and wrapped Bitcoin across multiple blockchain networks before swapping them into ETH.