THORChain confirms $10M exploit, launches recovery portal

THORChain confirms a $10 million exploit and has launched a self-custodial recovery portal that lets affected users revoke malicious token approvals and file refund claims. The refunds are backed by a treasury-provisioned pool equal in size to the loss, effectively giving users a path to compensation without needing to rely on exchanges or custodians.

In a Saturday update on X, THORChain Foundation said the recovery portal allows affected users to see how much they will be paid and to submit claims within a 21-day window, with the deadline set for June 4. If any allocation remains unclaimed after that date, it will roll over to the protocol’s insurance fund for potential future use.

The incident timeline described by THORChain shows the attack was detected at 02:14 UTC on May 11 when node operators flagged unusual outbound transactions. Trading and outbound signing were paused within eight minutes. In total, attackers drained 36.75 BTC, worth around $3 million, and approximately $7 million in tokens across BNB Chain, Ethereum and Base, affecting 12,847 wallets across four chains.

A key element of the recovery effort is transparency about the cost and the compensation surface. The portal’s guidance is based on a PeckShield post-mortem cited by THORChain, which frames the attack as arising from a vulnerability in the GG20 threshold signature scheme implementation. This weakness allegedly allowed sensitive vault key material to leak gradually, enabling the attacker to reconstruct the vault’s private key and authorize unauthorized outbound transfers over time.

THORChain also noted that a newly churned node joined the network in the days preceding the attack and is suspected of involvement. On-chain analyses reportedly linked some of the attacker’s fund flows to the node’s bonding addresses and to wallets that received the stolen assets. The treasury is coordinating forensic work with Outrider Analytics and engaging relevant law enforcement agencies to pursue recovery where possible.

The broader sector context remains fraught. April’s crypto-hacking losses reached $629.7 million, marking the worst month for the industry since February 2025, when about $1.47 billion was stolen. Notable incidents, including KelpDAO’s $293 million breach and Drift Protocol’s $280 million attack, together accounted for roughly 82% of April’s losses and underscored how DeFi remains highly targeted, with bridges, privileged access, and operational failures increasingly driving major incidents rather than simple smart-contract bugs. These patterns have spurred ongoing discussion about security models and best practices for cross-chain systems.

The issue has drawn attention to the evolving threat landscape, where sophisticated intrusions exploit multi-party computation or threshold cryptography setups, as well as the governance and security regimes surrounding multi-chain protocols. For readers tracking risk, the THORChain case emphasizes the need for robust key management, continual monitoring of node behavior, and clear, investor-protective recovery mechanisms in the event of a breach.

Key takeaways

• THORChain confirms a $10 million exploit and launches a self-custodial recovery portal funded by an equal-size refund pool.
• Affected users have 21 days to submit refund claims; unclaimed funds roll into the protocol’s insurance fund after June 4.
• The attack is linked to a vulnerability in the GG20 threshold signature scheme, enabling gradual leakage of vault key material and unauthorized outbound transactions.
• Approximate losses include 36.75 BTC (~$3 million) and about $7 million in tokens across four chains, affecting 12,847 wallets.
• Forensic coordination is underway with Outrider Analytics and law enforcement as THORChain seeks to identify the attacker and recover funds where possible.

What happened and how THORChain was drained

In THORChain’s own update, the prevalent theory points to a vulnerability in the GG20 threshold signature scheme implementation. The leak of vault key material over time could have allowed the attacker to reconstruct the vault’s private key and authorize unauthorized outbound transactions. Additionally, a recently churned node is believed to be connected to the breach, with on-chain links tying its bonding activity to wallets that received stolen assets. The recovery effort emphasizes forensic work and cross‑team collaboration to trace and potentially recover funds as investigations progress.

THORChain has stressed that the Treasury is actively collecting forensic data and coordinating with specialized analytics partners and law enforcement agencies to pursue recovery options. While the exact technical path of the breach remains under scrutiny, the protocol’s emphasis on a transparent compensation mechanism represents a notable shift toward user protection in a high-risk cross-chain environment.

Recovery, compensation, and the road ahead

The newly launched recovery portal marks a significant step in offering a self-governed route to restitution. Affected users can review their prospective compensation and file claims directly, with the refunds financed from a treasury-backed pool equal to the loss amount. The 21-day window creates a discrete timeframe for claim submissions, after which unclaimed allocations move to the insurance fund to buttress the protocol’s overall resilience.

From a governance and risk perspective, the incident spotlights the balancing act between enabling rapid cross-chain functionality and enforcing stringent security regimes around key material and node onboarding. The involvement of independent forensic firms and law enforcement signals a pragmatic approach to attributing responsibility and recovering funds where possible, even as complete restitution remains uncertain for a portion of the affected assets.

Broader market implications and what to watch next

The THORChain episode sits within a broader pattern observed in April’s attack surface, where DeFi and cross-chain protocols faced elevated risk. The combination of bridges, privileged access points, and operational weaknesses continues to pose systemic challenges as the sector scales. Investors and builders should watch how THORChain’s recovery framework evolves, whether any successor security measures are adopted, and how the industry refines its approach to incident response and user compensation in the wake of high-profile breaches.

Looking ahead, readers should monitor official statements from THORChain, updates from the treasury and forensic partners, and any law enforcement progress. The outcome could influence how other multi-chain projects design recovery capabilities and insurance-oriented buffers for post-breach scenarios.

For context on the broader security narrative, Cointelegraph coverage noted that April’s losses underscored DeFi’s vulnerability to complex attack vectors beyond simple smart contract bugs, reinforcing the case for robust cross-chain security architectures and proactive incident response planning. A related perspective in Cointelegraph Magazine also cautions about AI-driven exploits in DeFi, urging projects to act now to harden defenses against evolving threat models.

As the investigation unfolds, THORChain users and the wider community will be watching for concrete progress on identifying the attacker, recovering funds, and implementing structural safeguards to prevent a repeat of this incident.

This article was originally published as THORChain confirms $10M exploit, launches recovery portal on Crypto Breaking News – your trusted source for crypto news, Bitcoin news, and blockchain updates.