Thorchain Funds Compromised

Onchain investigator ZachXBT first flagged the incident via his Telegram channel, placing initial losses above $7.4 million before revised estimates pushed the total higher. The breach hit vaults on Bitcoin, Ethereum, BNB Smart Chain, and Base.

The attack method centered on a vault churn, a standard Thorchain process in which node operators rotate in and out while assets are redistributed using threshold signature schemes. Attackers appear to have injected malicious addresses into that process, tricking the system into authorizing transfers it should not have approved.

Stolen assets include roughly 3,443 ETH valued at $7.77 million, 36.85 BTC worth approximately $2.97 million, 96.6 BNB worth around $66,000, and additional tokens, including early reports of 798,000 USDC. Three theft addresses were publicly flagged across Bitcoin and Ethereum for tracking by security firms.

Node operators responded quickly by triggering Thorchain’s decentralized global emergency halt through the protocol’s Mimir governance settings. The halt suspended swaps, vault churning, and signing on affected chains beginning around block 26190429. RUNE transactions on the native chain continued in limited capacity.

RUNE, Thorchain’s native token, fell 12 to 15% within hours of ZachXBT’s alert. The token dropped from around $0.58 to roughly $0.50 across major exchanges. Liquidity providers and users remain on hold while security firms, including Peckshield and Cyvers monitor the flagged addresses.

As of the time of writing, the @Thorchain account on X had not posted publicly about the exploit. No official post-mortem has been released, and the funds at the identified addresses appear largely dormant.

Thorchain has faced protocol-level attacks before. In July 2021, multiple exploits targeting the ETH router drained between $4.9 million and $8 million. The team covered losses from the treasury and paused the protocol for fixes. This current exploit follows a different threat profile but hits a familiar weak point: the vault migration process.

The protocol’s architecture was built to avoid centralized failure points. It runs more than 90 decentralized nodes, holds no single admin key, and avoids wrapped assets. That design has held up against certain attack types, but the churn process has now been identified as an exploitable surface.

Thorchain also drew attention in 2025 and early 2026 as a passage for funds connected to the Bybit hack, attributed to the Lazarus Group with losses near $1.4 billion, and the KelpDAO incident involving more than $175 million in ETH-to- BTC swaps. Those flows generated fees for the protocol but drew criticism from compliance and security researchers.

This is a developing story. Investigations remain active, and liquidity providers should avoid interacting with the protocol until trading resumes and full details are confirmed. A detailed post-mortem from Thorchain’s node operators is expected once the situation stabilizes.

Updates will appear on Thorchain’s documentation pages, the @Thorchain X account, and the Midgard API as they become available.