THORChain Opens Recovery Portal After $10 Million Cross-Chain Hack
Highlights:
- THORChain opened a recovery portal after a $10 million exploit hit 12,847 wallets.
- Affected users have until June 4 to submit compensation claims.
- Investigators linked the attack to vault key exposure and cross-chain laundering activity.
Decentralized cross-chain liquidity protocol THORChain has confirmed a $10 million exploit and opened a recovery portal for users who lost funds during the breach. According to a post on X on May 16, THORChain Foundation said affected users can now check estimated payouts, revoke harmful token approvals, and submit refund claims through a self-custodial process.
Advertisement
The incident started at 2:14 a.m. UTC on May 11, after node operators noticed unusual outbound transactions. As a result, transaction activity and withdrawal signing stopped within eight minutes, limiting further damage while the team reviewed the breach.
Attackers drained 36.75 Bitcoin, valued at nearly $3 million, alongside about $7 million in assets on Ethereum, BNB Chain, and Base. In total, the breach affected 12,847 wallets across four chains.
THORChain community just delivered a solution in coordination!
Additionally, Affected users are now able to check what they will be paid as compensation following the exploit!
More info: https://t.co/f1CPcdWlNB
— THORChain Foundation (@thorchnfnd) May 15, 2026
Users Must File Claims Before June Deadline
Affected users have 21 days to submit compensation claims through the recovery portal. The claim period closes on June 4, and any unclaimed funds will move into the protocol’s insurance fund after that date.
The refund program relies on a treasury-backed pool equal to the reported losses. Therefore, users can follow the portal instructions to review their allocation and begin the repayment process without giving up wallet custody. The platform also urged users to revoke malicious approvals tied to the attack. This step helps stop further wallet exposure, especially for users who interacted with affected contracts before the breach.
THORChain Introduces Supervision After Vault Key Breach
In its incident update, the protocol said investigators currently believe the attacker abused a weakness in the GG20 threshold signature scheme implementation. This weakness may have allowed vault key material to leak gradually before the attacker gathered enough data to rebuild the vault private key.
With that key, the attacker could authorize unauthorized outbound transfers from protocol-controlled vaults. Moreover, the team said a newly churned node joined the network several days before the theft and may be linked to the incident.
THORChain incident update #1
THORChain contributors shared a new update in the dev discord regarding the ongoing incident.TLDR
– Current evidence points toward a newly churned node linked to the attack, likely operated by a single malicious actor– The leading theory is an…
— THORChain (@THORChain) May 15, 2026
Investigators have also found on-chain connections between the node’s bonding addresses and wallets that received stolen funds. Hence, the treasury has started collecting forensic evidence while working with Outrider Analytics and law enforcement.
On-chain Trail Points to Earlier Laundering Activity
Blockchain analytics firm Chainalysis traced related activity across Monero, Hyperliquid, and Arbitrum on Friday. According to the findings, wallets likely tied to the attacker moved funds through privacy-focused routes for weeks before the exploit happened.
Moreover, the breach highlights the pressure on cross-chain systems that manage liquidity across several networks. As users move assets between chains, attackers often target signing flows, validator access, and approval permissions. As a result, stronger monitoring, faster pausing tools, and clearer user recovery steps are more important across decentralized finance following large security events and refunds.
The wider crypto market has also faced a sharp rise in security losses. April alone recorded about $629.7 million in crypto hack losses, driven mainly by major incidents involving KelpDAO and Drift Protocol.
eToro Platform
Best Crypto Exchange
- Over 90 top cryptos to trade
- Regulated by top-tier entities
- User-friendly trading app
- 30+ million users
eToro is a multi-asset investment platform. The value of your investments may go up or down. Your capital is at risk. Don’t invest unless you’re prepared to lose all the money you invest. This is a high-risk investment, and you should not expect to be protected if something goes wrong.
Advertisement
Raymond Munene
Raymond Munene is a crypto content writer who contributes to Crypto2Community. With over three years of experience, he is interested in Bitcoin, Blockchain, and Technical Analysis. Focusing on daily market analysis, his research helps traders and investors alike. His particular interest in cryptocurrency and blockchain aids his audience.
View full profile ›ℹ️About Crypto2Community's Editorial Process
Crypto2Community's editorial policy is centered on delivering thoroughly researched, accurate, and unbiased content. We uphold strict editorial policy and sourcing standards, and each page undergoes diligent review by our team of top crypto industry experts and seasoned editors. This process ensures the integrity, relevance, and value of our content for our readers.
