← All articles

THORChain drained for ~$10.8M in coordinated multi-chain exploit across BTC, ETH, BNB Chain, and Base

On-chain investigator ZachXBT flagged a coordinated exploit against THORChain's cross-chain liquidity pools on May 15, 2026, with PeckShield confirming losses of approximately $10.8 million across four blockchains - around 36.85 BTC plus $7 million in assets from Ethereum, BNB Chain, and Base. The attacker funneled funds into two main addresses (BTC bc1ql4u94klk265lnfur2ujk9p6uh52f2a8jhf6f37 and ETH 0xd477b69551f49C0519F9B18c55030676138890Bd). THORChain responded with a global emergency halt of trading and signing - a controversial move given the protocol's permissionless positioning. No official post-mortem has been released. The RUNE token dropped 12-14% on the news; the same protocol was previously used by North Korean operators to launder $175 million.

Check
If your organization custodies or trades THORChain liquidity, RUNE, or assets bridged through THORChain in the May 14-15 window, reconcile on-chain balances against the two known exploiter addresses and check for any user funds in affected pools.
Affected
THORChain liquidity providers, aggregators routing through THORChain, custodians holding RUNE, and wallets that bridged BTC, ETH, BNB Chain, or Base assets through the protocol on May 14-15. DeFi exposure is highest for cross-chain aggregator front-ends.
Fix
Block transfers to the two attacker-controlled addresses (BTC bc1ql4u94klk265lnfur2ujk9p6uh52f2a8jhf6f37 and ETH 0xd477b69551f49C0519F9B18c55030676138890Bd), monitor RUNE deposits to centralized exchanges for laundering attempts, and pause front-end integrations with THORChain until a post-mortem and patched release are published.