In the latest post shared on X, THORChain shared a major update regarding the hacking incident that allowed hackers to steal approximately $10 million from the platform.
On May 15, THORChain suffered a major security breach on the platform, leading to a loss of approximately $10 million across multiple blockchains, including Bitcoin, Ethereum, BNB Chain, Base, and many others like Avalanche.
THORChain incident update #1
THORChain contributors shared a new update in the dev discord regarding the ongoing incident.TLDR
– Current evidence points toward a newly churned node linked to the attack, likely operated by a single malicious actor– The leading theory is an…
— THORChain (@THORChain) May 15, 2026
This attack was first identified by on-chain sleuth, ZachXBT, who noted suspicious transactions such as approximately 36 Bitcoins and thousands of ETH tokens.
THORChain Shares First Update On Hacking Incident
In the first and latest update shared on X (formerly Twitter) and the Discord server, the official team has shared details regarding the incident. According to the post, a newly integrated node was behind this attack, which had joined the network a few days before the attack.
Ethereum addresses that were used to buy RUNE tokens and bond them to this node have received stolen tokens from the cyberattack. According to the official post, there is a single malicious actor behind this attack.
THORChian is using Asgard vaults, which are controlled by multiple validator nodes. These vaults are relying on the system known as GG20 Threshold Signature Scheme (TSS), which is a cryptographic method where no single node holds a private key. Instead of that, all the nodes that participate in the network come together when they sign transactions.
According to the popular theory about the hack, a hacker has found and exploited a loophole present in the way the GG20 TSS system was introduced. This loophole allowed the hacker to access sensitive information from the participating nodes. After gaining access to the all-important leaked pieces of information, the hacker was able to form the full private key for the vault.
By using the private key, the hacker has issued unauthorized outbound transactions from the vault. This was not a direct or sudden attack on THORChain; instead, the hacker executed a patient operation that took advantage of the node churn process. This is when nodes join the active set of validators on the network.
THORChain has shared more updates regarding the platform, stating that, “The Treasury is actively collecting forensic data and coordinating with Outrider Analytics and relevant law enforcement agencies in an effort to identify the attacker and pursue recovery of stolen funds where possible.”
“Due to multiple node operators executing make pause, the network is currently paused. Unless further action is taken, the pause state will automatically expire in approximately 12 hours. At this time, the development team is comfortable allowing the pause to expire in order to restore RUNE transfers and chain observation activity,” stated in the post.
The node operators and the entire community are taking many actions in order to avoid further damage to the network. These actions include cutting down the bond of affected nodes, which will punish those nodes that were involved in a compromised vault. Apart from this, there are other proposals under discussion, which involve using Protocol Owned Liquidity (POL) in order to absorb some of the losses.
At the same time, the Treasury is collecting forensic data by collaborating with security teams, including THORSec and Outrider Analytics.
“The team is continuing to work on a complete recovery and restart plan for the network. Bringing trading and full functionality back online will likely take several days, and potentially longer depending on the complexity of the chosen remediation path,” stated in the post on X.
As of now, there is no sign of smart contract hacking in this hack.
Also Read: AAVE and Kelp DAO Complete Major Steps in rsETH Recovery
