--- title: "THORChain Exploit Drains Over $10 Million as RUNE Price Sinks" date: 2026-05-15 author: "Kelvin Scott" featured_image: "https://coinlaw.io/wp-content/uploads/2026/05/thorchain-exploit-drains-over-10-million.jpg" categories: - name: "Cryptocurrency" url: "/crypto.md" tags: - name: "News" url: "/tag/news.md" --- # THORChain Exploit Drains Over $10 Million as RUNE Price Sinks THORChain halted trading operations after a suspected multi chain exploit drained more than $10 million across Bitcoin, Ethereum, BNB Chain, and Base, triggering a sharp selloff in the RUNE token. ## Key Takeaways - THORChain paused trading and signing operations after researchers flagged a suspected exploit affecting multiple blockchain networks. - More than $10 million in crypto assets were reportedly stolen across Bitcoin, Ethereum, BNB Chain, and Base. - RUNE token fell between 10% and 12% following the incident as investor sentiment weakened. - Blockchain investigator ZachXBT and PeckShield were among the first to identify the suspicious activity and trace attacker wallets. ## What Happened? Cross chain liquidity protocol **THORChain** suspended trading activity on Friday after blockchain security researchers detected what appears to be a large scale exploit impacting several major networks. Initial estimates suggest the attacker drained more than **$10 million** in crypto assets before the protocol halted operations. The incident was first highlighted by onchain investigator **ZachXBT**, who shared alerts on Telegram and identified wallets connected to the suspected theft across Bitcoin and EVM compatible chains. > ZachXBT: THORChain Exploit Losses May Exceed $10M > > Blockchain investigator ZachXBT issued a community alert stating that THORChain was likely exploited across Bitcoin, Ethereum, BSC, and Base, with losses exceeding $10 million. The protocol subsequently paused trading and… [pic.twitter.com/sss1DUfwAA](https://t.co/sss1DUfwAA) > > — Wu Blockchain (@WuBlockchain) [May 15, 2026](https://twitter.com/WuBlockchain/status/2055229381816041861?ref_src=twsrc%5Etfw) ## THORChain Responds to Suspected Exploit According to reports, the exploit affected [THORChain](https://coinlaw.io/thorswap-bounty-thorchain-wallet-hack/) deployments on **Bitcoin, [Ethereum](https://coinlaw.io/ethereum-statistics/), BNB Chain, and Base**. Soon after the suspicious transactions were identified, the protocol activated emergency measures through its governance system. THORChain reportedly enabled both its **trading halt** and **signing halt** parameters using the Mimir governance module. A node pause was also initiated for more than 12 hours as validators attempted to contain the damage and investigate the incident. Blockchain security firm **PeckShield** also tracked the suspicious activity and linked the exploit to multiple wallets operating across different chains. Researchers identified the following wallets connected to the alleged attack: - **Bitcoin wallet: bc1ql4u94klk265lnfur2ujk9p6uh52f2a8jhf6f37** - **Ethereum wallet: 0x82fc0d5150f3548027e971ec04c065f3c93154eb** - **Additional EVM wallet: 0xd477b69551f49c0519f9b18c55030676138890bd** ## Millions in Crypto Assets Traced Blockchain analytics data showed the attacker wallets currently holding a large amount of digital assets spread across several networks. According to Arkham Intelligence data cited in reports, the wallets held: - **3,443 ETH worth around $7.77 million** - **36.85 BTC worth nearly $2.97 million** - **96.6 [BNB](https://coinlaw.io/bnb-statistics/) worth roughly $66,000** At the time of the exploit, THORChain was reportedly processing nearly **$394 million in daily trading volume**, highlighting the scale and importance of the protocol within the decentralized finance ecosystem. The protocol is widely known for allowing users to swap native assets across different blockchains without relying on centralized bridges or wrapped tokens. ## RUNE Token Drops Sharply The exploit quickly impacted market sentiment surrounding THORChain’s native token, **RUNE**. Following the news, RUNE dropped between **10% and 12%** across major exchanges. ![Rune Token Price 15th May](https://coinlaw.io/wp-content/uploads/2026/05/rune-token-price-15th-may.jpeg)Image Credit – [CoinGecko.com](http://coingecko.com/en/coins/thorchain) Market data showed the token trading near **$0.50 to $0.52** after the incident as traders reacted to uncertainty around the protocol’s security. The latest exploit adds to a difficult period for THORChain. Earlier this year, the protocol suspended its **ThorFi lending operations** after insolvency concerns surfaced. The team later introduced a 90 day restructuring plan to address approximately **$200 million in defaulted obligations**. THORChain has also faced security related incidents in the past. In September last year, hackers stole around **$1.2 million** from THORChain founder **John Paul Thorbjornsen’s** personal wallet. ZachXBT later linked that attack to North Korean hackers. ## Growing Concerns Around DeFi Security The latest THORChain exploit once again highlights ongoing security challenges within the [decentralized finance sector](https://coinlaw.io/decentralized-finance-market-statistics/). Crypto protocols continue to face increasingly sophisticated attacks, especially platforms managing cross chain liquidity and high transaction volumes. Reports also referenced recent losses involving **Drift Protocol** and **[KelpDAO](https://coinlaw.io/kelp-dao-292m-exploit-lazarus-layerzero/)**, which together accounted for more than **$600 million in exploit related losses** earlier this year. So far, THORChain has not released technical details explaining how the exploit occurred, and the protocol has yet to officially confirm the exact amount stolen. ## CoinLaw’s Takeaway In my experience, attacks involving cross chain infrastructure often create bigger panic because these protocols sit at the center of liquidity movement across multiple ecosystems. I found this incident especially concerning because THORChain was already dealing with financial and operational pressure before the exploit happened. When a protocol handling hundreds of millions in volume suddenly freezes operations, it naturally raises fresh questions about security standards in DeFi. At the same time, the quick response from validators and researchers shows how important onchain monitoring has become. Without investigators like ZachXBT and firms like PeckShield, these exploits could grow much larger before the community reacts. Definition of Blockchain. Link to full glossary entry follows the description.**Blockchain**A distributed digital ledger that records transactions across a network, with each block cryptographically linked to the previous one for security. [Read more](https://coinlaw.io/glossary/blockchain/) Definition of EVM. Link to full glossary entry follows the description.**EVM**The Ethereum Virtual Machine is the runtime environment that executes smart-contract bytecode across every Ethereum node, using a 256-bit stack architecture and [gas](https://coinlaw.io/glossary/gas-fee/)-metered computation. [Read more](https://coinlaw.io/glossary/evm/) Definition of DeFi. Link to full glossary entry follows the description.**DeFi**Decentralized finance leverages blockchain protocols and [smart contracts](https://coinlaw.io/glossary/smart-contract/) to enable lending, trading, and borrowing without banks or traditional intermediaries. [Read more](https://coinlaw.io/glossary/defi/) Definition of Cross-Chain. Link to full glossary entry follows the description.**Cross-Chain**Cross-chain is the ability to move data or assets between separate blockchains via bridges, messaging protocols, or interoperability networks. [Read more](https://coinlaw.io/glossary/cross-chain/)