THORChain has launched a recovery portal following a $10 million exploit, enabling affected users across four blockchains to revoke malicious approvals and request refunds.
THORChain has confirmed a $10 million exploit and introduced a recovery portal that provides affected users with a self-custodial method to revoke malicious token approvals and file refund claims, supported by a treasury-funded refund pool of the same size.
In a Saturday post on X, the THORChain Foundation introduced the recovery portal, stating that “affected users are now able to check what they will be paid as compensation following the exploit.”
The portal, referencing a post-mortem from PeckShield, stated that the attack was identified at 02:14 UTC on May 11 after node operators detected unusual outbound transactions. Trading and outbound signing activity were paused within eight minutes. In total, attackers stole 36.75 BTC, valued at roughly $3 million, along with nearly $7 million in tokens across BNB Chain, Ethereum, and Base, affecting 12,847 wallets on four different chains.
Affected users have 21 days to file their claims. The refund period ends on June 4, after which any unclaimed allocation will be transferred to the protocol’s insurance fund.
In an incident update, THORChain said the primary theory is that the attacker exploited a weakness in the GG20 threshold signature scheme (TSS) implementation, allowing sensitive vault key material to leak gradually. By collecting enough of the exposed data over time, the attacker was able to reconstruct the vault’s private key and approve unauthorized outbound transactions.
The protocol also noted that a newly churned node joined the network several days before the attack and is currently suspected of being connected to the incident, with onchain links identified between the node’s bonding addresses and the wallets that received the stolen funds.
“The Treasury is actively collecting forensic data and coordinating with Outrider Analytics and relevant law enforcement agencies in an effort to identify the attacker and pursue recovery of stolen funds where possible,” the protocol wrote.
Crypto hacks surged in April, with total losses climbing to $629.7 million, the industry’s worst month since February 2025, when $1.47 billion was stolen. The $293 million KelpDAO exploit and the $280 million Drift Protocol hack accounted for most of the damage, together representing 82% of April’s total losses and further establishing DeFi as the sector most heavily targeted by attackers.
The pattern of recent attacks points to a shift in how protocols are being compromised, with bridges, privileged access, and operational failures increasingly emerging as the main causes behind major incidents rather than simple smart contract vulnerabilities.


