THORChain drained for ~$10.8M in coordinated multi-chain exploit across BTC, ETH, BNB Chain, and Base
On-chain investigator ZachXBT flagged a coordinated exploit against THORChain's cross-chain liquidity pools on May 15, 2026, with PeckShield confirming losses of approximately $10.8 million across four blockchains - around 36.85 BTC plus $7 million in assets from Ethereum, BNB Chain, and Base. The attacker funneled funds into two main addresses (BTC bc1ql4u94klk265lnfur2ujk9p6uh52f2a8jhf6f37 and ETH 0xd477b69551f49C0519F9B18c55030676138890Bd). THORChain responded with a global emergency halt of trading and signing - a controversial move given the protocol's permissionless positioning. No official post-mortem has been released. The RUNE token dropped 12-14% on the news; the same protocol was previously used by North Korean operators to launder $175 million.
- Check: If your organization custodies or trades THORChain liquidity, RUNE, or assets bridged through THORChain in the May 14-15 window, reconcile on-chain balances against the two known exploiter addresses and check for any user funds in affected pools.
- Affected: THORChain liquidity providers, aggregators routing through THORChain, custodians holding RUNE, and wallets that bridged BTC, ETH, BNB Chain, or Base assets through the protocol on May 14-15. DeFi exposure is highest for cross-chain aggregator front-ends.
- Fix: Block transfers to the two attacker-controlled addresses (BTC bc1ql4u94klk265lnfur2ujk9p6uh52f2a8jhf6f37 and ETH 0xd477b69551f49C0519F9B18c55030676138890Bd), monitor RUNE deposits to centralized exchanges for laundering attempts, and pause front-end integrations with THORChain until a post-mortem and patched release are published.
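An added example (not from THORChain, PeckShield, or the original report) of the Check and Fix steps applied to a transfer ledger export: it blocks transfers to the two listed addresses regardless of letter case, and flags THORChain-routed activity inside the window for review. The record fields (id, to, time, via_thorchain), the UTC reading of the window, and the sample ledger are assumptions made for illustration.

```python
from datetime import datetime, timezone

# Exploiter addresses exactly as listed in the advisory above.
EXPLOITER_BTC = "bc1ql4u94klk265lnfur2ujk9p6uh52f2a8jhf6f37"
EXPLOITER_EVM = "0xd477b69551f49C0519F9B18c55030676138890Bd"
# Assumption: the May 14-15, 2026 window is interpreted in UTC, end exclusive.
WINDOW = (datetime(2026, 5, 14, tzinfo=timezone.utc),
          datetime(2026, 5, 16, tzinfo=timezone.utc))

def normalize(addr):
    """Return a canonical form for comparison, or None if the case is invalid."""
    a = addr.strip()
    if a[:2].lower() == "0x":
        # EVM addresses are hex; EIP-55 mixed case is only a checksum.
        return a.lower()
    if a.lower().startswith("bc1"):
        # bech32 is valid all-lowercase or all-uppercase, never mixed.
        return a.lower() if a in (a.lower(), a.upper()) else None
    return a  # other formats (e.g. base58) are case-sensitive: compare as-is

DENYLIST = {normalize(EXPLOITER_BTC), normalize(EXPLOITER_EVM)}

def screen(transfers):
    """Classify transfers: block denylisted destinations, hold malformed
    addresses, review THORChain-routed activity inside the window."""
    findings = []
    for t in transfers:
        dest = normalize(t["to"])
        when = datetime.fromisoformat(t["time"])
        if dest is None:
            findings.append(("malformed", t["id"]))
        elif dest in DENYLIST:
            findings.append(("block", t["id"]))
        elif t["via_thorchain"] and WINDOW[0] <= when < WINDOW[1]:
            findings.append(("review", t["id"]))
    return findings

# Constructed sample ledger: ids, times and non-exploiter addresses are made up.
SAMPLE = [
    {"id": "w-1", "to": "0x" + EXPLOITER_EVM[2:].upper(), "time": "2026-05-20T10:00:00+00:00", "via_thorchain": False},
    {"id": "w-2", "to": EXPLOITER_BTC.upper(), "time": "2026-05-15T03:12:00+00:00", "via_thorchain": True},
    {"id": "w-3", "to": "0x" + "11" * 20, "time": "2026-05-14T23:59:00+00:00", "via_thorchain": True},
    {"id": "w-4", "to": "0x" + "22" * 20, "time": "2026-05-16T00:00:00+00:00", "via_thorchain": True},
    {"id": "w-5", "to": "bc1" + EXPLOITER_BTC[3:].upper(), "time": "2026-05-15T09:00:00+00:00", "via_thorchain": False},
]

if __name__ == "__main__":
    for action, transfer_id in screen(SAMPLE):
        print(action, transfer_id)
```

Comparing the raw strings would miss w-1 and w-2, since exports often store EVM addresses without the checksum casing and bech32 addresses in upper case.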