THORChain warns users as scammers target victims after $10M exploit

THORChain has released a statement on X on May 16, asking users to disregard information about it conducting a recovery program following the exploit that drained around $10 million in crypto assets.

On the same day that THORChain is clearing the air about misinformation flying around, blockchain analytics firm Chainalysis published on-chain evidence that links the attackers to wallets that were funded weeks before the theft was executed.

THORChain wrote, “We have become aware of multiple fake accounts and false information circulating regarding ‘refunds’, ‘airdrops’, compensation claims, and other alleged initiatives.”

The Bitcoin-focused decentralized exchange stated that, based on their initial findings, no user funds were lost in the exploit. It also stated that they are not currently conducting any refund, airdrop, or compensation programs.

It called on users to disregard any account claiming otherwise or impersonating THORChain.  

The $10M exploit that rocked ThorChain

Security firm PeckShield estimated the funds stolen from ThorChain at roughly $10 million, including 36.75 BTC (about $3 million) and approximately $7 million in assets from Ethereum, BNB Chain, and Base. The Bitcoin was moved to a single wallet, while more than 3,156 ETH landed in a separate address tracked by Arkham Intelligence, according to Cryptopolitan’s earlier reporting.

On May 15, THORChain stated that “Current evidence points toward a newly churned node linked to the attack, likely operated by a single malicious actor.”

It stated that it is still investigating the exploit but added that its leading theory for what caused it is an exploit in the GG20 TSS implementation, allowing vault key material to “leak over time.”

The network is currently paused after multiple node operators executed “make pause” but it stated that it is currently working on a restart plan.

So far, the platform has not committed to a recovery plan; however, it stated that all recovery decisions will likely require node governance decisions regarding how to handle losses.

THORChain’s native token RUNE has since fallen by over 21% in the aftermath, trading near $0.42 as of May 16.

Chainalysis links attacker to pre-staged wallets

Chainalysis published a five-part thread on X on May 16 detailing weeks of preparatory on-chain activity by wallets it connected to the attacker. The firm said attacker-linked wallets moved funds through Monero, Hyperliquid, and THORChain itself before executing the theft.

In late April, one such wallet deposited XMR through a Hyperliquid-Monero privacy bridge, swapped the resulting position for USDC, withdrew to Arbitrum, and bridged to Ethereum, Chainalysis stated.

The bridged ETH was then split into four branches. One branch connected directly to the attacker’s receiving wallet: an intermediary forwarded 8 ETH into it just 43 minutes before the stolen funds arrived, according to the firm’s analysis.

THORChain contributors said in a Discord update that current evidence points to a newly churned node linked to the attack, likely operated by a single malicious actor. The leading theory involves a vulnerability in the GG20 signature scheme, according to the protocol’s incident update posted on X.

The exploit adds to a string of DeFi security incidents in May 2026. Cryptopolitan has previously reported on exploits of Transit Finance (approximately $1.88 million lost) as well as the ones that occurred at Huma Finance (approximately $101,400 lost) and Ink Finance (around $140,000) earlier in the month, both targeting smart contracts on Polygon.

Don’t just read crypto news. Understand it. Subscribe to our newsletter. It's free.