THORChain halted trading operations after a suspected multi chain exploit drained more than $10 million across Bitcoin, Ethereum, BNB Chain, and Base, triggering a sharp selloff in the RUNE token.
Key Takeaways
- THORChain paused trading and signing operations after researchers flagged a suspected exploit affecting multiple blockchain networks.
- More than $10 million in crypto assets were reportedly stolen across Bitcoin, Ethereum, BNB Chain, and Base.
- RUNE token fell between 10% and 12% following the incident as investor sentiment weakened.
- Blockchain investigator ZachXBT and PeckShield were among the first to identify the suspicious activity and trace attacker wallets.
What Happened?
Cross chain liquidity protocol THORChain suspended trading activity on Friday after blockchain security researchers detected what appears to be a large scale exploit impacting several major networks. Initial estimates suggest the attacker drained more than $10 million in crypto assets before the protocol halted operations.
The incident was first highlighted by onchain investigator ZachXBT, who shared alerts on Telegram and identified wallets connected to the suspected theft across Bitcoin and EVM compatible chains.
ZachXBT: THORChain Exploit Losses May Exceed $10M
— Wu Blockchain (@WuBlockchain) May 15, 2026
Blockchain investigator ZachXBT issued a community alert stating that THORChain was likely exploited across Bitcoin, Ethereum, BSC, and Base, with losses exceeding $10 million. The protocol subsequently paused trading and… pic.twitter.com/sss1DUfwAA
THORChain Responds to Suspected Exploit
According to reports, the exploit affected THORChain deployments on Bitcoin, Ethereum, BNB Chain, and Base. Soon after the suspicious transactions were identified, the protocol activated emergency measures through its governance system.
THORChain reportedly enabled both its trading halt and signing halt parameters using the Mimir governance module. A node pause was also initiated for more than 12 hours as validators attempted to contain the damage and investigate the incident.
Blockchain security firm PeckShield also tracked the suspicious activity and linked the exploit to multiple wallets operating across different chains.
Researchers identified the following wallets connected to the alleged attack:
- Bitcoin wallet: bc1ql4u94klk265lnfur2ujk9p6uh52f2a8jhf6f37
- Ethereum wallet: 0x82fc0d5150f3548027e971ec04c065f3c93154eb
- Additional EVM wallet: 0xd477b69551f49c0519f9b18c55030676138890bd
Millions in Crypto Assets Traced
Blockchain analytics data showed the attacker wallets currently holding a large amount of digital assets spread across several networks.
According to Arkham Intelligence data cited in reports, the wallets held:
- 3,443 ETH worth around $7.77 million
- 36.85 BTC worth nearly $2.97 million
- 96.6 BNB worth roughly $66,000
At the time of the exploit, THORChain was reportedly processing nearly $394 million in daily trading volume, highlighting the scale and importance of the protocol within the decentralized finance ecosystem.
The protocol is widely known for allowing users to swap native assets across different blockchains without relying on centralized bridges or wrapped tokens.
RUNE Token Drops Sharply
The exploit quickly impacted market sentiment surrounding THORChain’s native token, RUNE. Following the news, RUNE dropped between 10% and 12% across major exchanges.
Market data showed the token trading near $0.50 to $0.52 after the incident as traders reacted to uncertainty around the protocol’s security.
The latest exploit adds to a difficult period for THORChain. Earlier this year, the protocol suspended its ThorFi lending operations after insolvency concerns surfaced. The team later introduced a 90 day restructuring plan to address approximately $200 million in defaulted obligations.
THORChain has also faced security related incidents in the past. In September last year, hackers stole around $1.2 million from THORChain founder John Paul Thorbjornsen’s personal wallet. ZachXBT later linked that attack to North Korean hackers.
Growing Concerns Around DeFi Security
The latest THORChain exploit once again highlights ongoing security challenges within the decentralized finance sector. Crypto protocols continue to face increasingly sophisticated attacks, especially platforms managing cross chain liquidity and high transaction volumes.
Reports also referenced recent losses involving Drift Protocol and KelpDAO, which together accounted for more than $600 million in exploit related losses earlier this year.
So far, THORChain has not released technical details explaining how the exploit occurred, and the protocol has yet to officially confirm the exact amount stolen.
CoinLaw’s Takeaway
In my experience, attacks involving cross chain infrastructure often create bigger panic because these protocols sit at the center of liquidity movement across multiple ecosystems. I found this incident especially concerning because THORChain was already dealing with financial and operational pressure before the exploit happened. When a protocol handling hundreds of millions in volume suddenly freezes operations, it naturally raises fresh questions about security standards in DeFi.
At the same time, the quick response from validators and researchers shows how important onchain monitoring has become. Without investigators like ZachXBT and firms like PeckShield, these exploits could grow much larger before the community reacts.
