On May 15, 2026, decentralized liquidity protocol THORChain halted all trading and transaction signing after blockchain investigator ZachXBT reported a suspected attack of over $10 million across four networks at once. The RUNE token dropped 13% within hours and trades below $0.51. THORChain has not officially confirmed the exploit, but validator nodes voted to pause operations for at least 12 hours.
What happened on May 15
At 10:11 UTC, THORChain's alerts Telegram channel showed a global node pause extended to block 26191149, roughly 12 hours and 42 minutes from publication time. ZachXBT wrote that the protocol had likely been attacked across four networks at once: Bitcoin, Ethereum, BNB Chain and Base.
Analytics platform Arkham flagged the suspected exploiter's wallet, which held $10.8 million accumulated through a series of small transactions in the 30 minutes before the halt. PeckShield confirmed suspicious activity independently. At press time the THORChain team had not responded, though trading had already stopped through a node-level vote.
How THORChain works and why attackers keep using it
THORChain lets users swap crypto across different blockchains without a middleman. These are called cross-chain swaps. You send one asset and receive a different one on a completely separate network. Liquidity pools are funded by participants, and the protocol sets exchange rates automatically based on their deposits.
Unlike Tornado Cash, THORChain is not a mixer and does not hide transactions intentionally. Yet criminals use it repeatedly, because blocking specific fund flows without shutting down the entire protocol is nearly impossible. There is no KYC and no central operator that anyone can order to freeze a wallet.
- Bybit (February 2025): hackers moved roughly $1.2 billion through THORChain, converting Ethereum into Bitcoin.
- Kelp DAO (April 2026): 75,700 ETH passed through the protocol, generating ~$910,000 in fees for THORChain.
- Current incident: $10.8 million across Bitcoin, Ethereum, BNB Chain and Base in parallel.
All three cases share the same pattern: attackers chose THORChain not because of a specific code bug, but because of how the protocol is built. The openness that makes it useful for honest traders works just as well for criminals.
What investigators found
Transactions were routed across multiple networks in parallel rather than as a single operation. ZachXBT said this approach makes tracing harder and likely points to a premeditated plan. Small transaction amounts are typical of attempts to avoid triggering large thresholds in automated monitoring systems.
It is not yet clear whether liquidity providers suffered losses or whether the attack touched only a specific protocol component. The team has gone quiet. The halt came from the validator nodes themselves, not from any external authority.
The broader DeFi picture looks rough. According to DefiLlama, protocols lost more than $634 million to hacks in April 2026. That is the highest monthly total since February 2025, when the Bybit exploit set an all-time record of $1.4 billion.
RUNE market reaction
The token moved fast. Following ZachXBT's posts, RUNE dropped 13% and traded near $0.51 according to CoinGecko. RUNE had already lost 72% over the past year, so this new hit landed on an already beaten-down asset.
What comes next for THORChain
The protocol will resume after the pause ends at block 26191149, unless validators vote to extend it. The team needs to answer three questions: did liquidity providers lose funds, which specific vulnerability was used, and will it be patched before trading restarts.
After the Bybit fallout, THORChain discussed new mechanisms for node accountability. No public confirmation of actual security improvements ever followed. This is the third high-profile incident in the past 15 months, and each one raises fresh doubts about whether the protocol can protect its participants' liquidity.
Comments
Your email address will not be published. Required fields are marked *