Controversial cross-chain liquidity protocol Thorchain has become the latest victim of a cyberattack, losing over $10 million in an attack earlier today.
The attack was detected quickly, with the protocol pausing all activity, including trading and signing. A global pause on all nodes was activated and is set to last nearly 13 hours, or up until block 26,191,149.
#PeckShieldAlert @THORChain has been exploited for ~$10M worth of crypto, including 36.75 $BTC ($3M) and ~$7M worth of assets from #BNBChain, #Ethereum, and #Base.
The stolen funds mainly sit in:
bc1ql4u94klk265lnfur2ujk9p6uh52f2a8jhf6f37…
— PeckShield May 15, 2026
Data from Arkham Intelligence shows that the attacker’s address holds 36.8 BTC, valued at $2.96 million at current prices. It also holds 3,191 ETH, valued at $7.2 million, and a small amount of THOR, XRUNE and DAI. While the BTC was transferred in one large transaction, the other tokens were transferred in dozens of smaller transactions.

Thorchain has yet to make any statement on the exploit. The network’s RUNE token took a big hit immediately after the attack was made public, dipping 14% from $0.585 to $0.501 in two hours. It trades at $0.514 at press time.
Thorchain is a decentralized network that lets users swap crypto directly across multiple blockchains without relying on centralized platforms. It’s non-custodial and relies on liquidity pools to facilitate the swaps. Essentially, validators on the network observe deposits from the users and then, together, approve withdrawals from shared vaults.
According to security firm Blockaid, it was this process that the attacker targeted to breach the protocol. The attacker reportedly intercepted inbound deposit observations and modified them into fake outbound payment requests, replacing legitimate information with fake instructions to withdraw funds from the vaults and send them to the attacker’s address. This allowed the attacker to drain funds across Ethereum, Bitcoin and BNB.
UPDATE — @THORChain exploit (~$10M+)
Blockaid's analysis identifies the suspected root cause: a proposer-forgery bug in THORChain's Bifrost Attestation Gossip. Validator signatures didn't cover the inbound/outbound bit, letting a proposer flip a real inbound observation into…
— Blockaid (@blockaid_) May 15, 2026
Most notably, Blockaid says Thorchain developers had already developed a fix for this specific vulnerability, which would have thwarted the attack. The fix was meant to be implemented earlier this month, but the automated system that tests and distributes software updates on Thorchain reportedly failed.
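The class of flaw Blockaid describes, a signature that does not cover the direction field of a message, is shown below next to a digest that binds every field. This is an added Go example, not THORChain's code: the `Observation` struct, both digest functions and the use of Ed25519 are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Observation is a hypothetical, simplified attestation payload.
type Observation struct {
	TxID    string
	Amount  uint64
	Inbound bool // direction bit: true = deposit observed, false = vault payout
}

// digestWeak leaves the direction bit out of the signed bytes.
func digestWeak(o Observation) []byte {
	h := sha256.New()
	h.Write([]byte(o.TxID))
	binary.Write(h, binary.BigEndian, o.Amount)
	return h.Sum(nil)
}

// digestStrict binds every field, with a domain tag and a length prefix.
func digestStrict(o Observation) []byte {
	h := sha256.New()
	h.Write([]byte("observation/v1"))
	binary.Write(h, binary.BigEndian, uint32(len(o.TxID)))
	h.Write([]byte(o.TxID))
	binary.Write(h, binary.BigEndian, o.Amount)
	binary.Write(h, binary.BigEndian, o.Inbound)
	return h.Sum(nil)
}

// AcceptsFlipped signs an inbound observation (constructed sample values),
// flips the direction bit in the relayed copy, and reports whether the
// original signature still verifies under the given digest function.
func AcceptsFlipped(digest func(Observation) []byte) bool {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	signed := Observation{TxID: "constructed-tx-01", Amount: 5000, Inbound: true}
	sig := ed25519.Sign(priv, digest(signed))
	relayed := signed
	relayed.Inbound = false
	return ed25519.Verify(pub, digest(relayed), sig)
}

func main() {
	fmt.Println("weak digest accepts flipped bit:  ", AcceptsFlipped(digestWeak))
	fmt.Println("strict digest accepts flipped bit:", AcceptsFlipped(digestStrict))
}
```

With the weak digest the verifier cannot distinguish the signed inbound observation from the altered copy; with the strict digest the same signature fails verification once the bit changes.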
It’s not the first time Thorchain has been attacked. Previous attacks saw nearly $15 million stolen, with two attacks in July 2021 happening just days apart. Today’s attack comes just weeks after KelpDAO and Drift Protocol got hit for over $550 million combined. Kelp lost the funds to a breach on its LayerZero bridge infrastructure, as we reported. Ironically, Thorchain was built for users who do not want to use bridges as they are prone to attacks.
The protocol has a controversial reputation. Being non-custodial, it allows users to make swaps virtually unchecked. This has made it a destination for criminals. In the KelpDAO attack, the hacker used Thorchain to launder 75,700 ETH, worth $175 million at the time. Thorchain generated nearly $1 million in fees from that hacker.

The largest hack in crypto history, Bybit’s $1.4 billion exploit, also has links to Thorchain. According to Bybit CEO Ben Zhou, at least $1.2 billion of the stolen funds were laundered through Thorchain.
The post Thorchain Hacked for $10.7 Million as RUNE Drops 14% appeared first on ETHNews.