Hackers Hit THORChain on 4 Blockchains at Once — $10.8M Gone, Trading Halted, No One Knows How
Four blockchains. One exploit. Zero explanation. While most of crypto was celebrating the Clarity Act and watching bitcoin reclaim $81k, someone quietly drained $10.8 million from THORChain across BTC, ETH, BNB Chain, and Base — all at the same time.
The protocol halted all trading and signing within hours. RUNE crashed 12%. The post-mortem still isn’t out.
What Happened
On May 15, 2026, blockchain researcher ZachXBT and security firm PeckShield simultaneously flagged suspicious activity across THORChain. Two attacker addresses — one on Bitcoin, one shared across EVM chains — began sweeping assets out of the protocol.
The stolen haul: roughly 36.75 BTC (~$3M), plus ~$7.8 million in ERC-20 and cross-chain assets including USDT, USDC, WBTC, DAI, AAVE, LINK, XRUNE, and several smaller tokens. The attacker immediately began swapping everything into ETH — a standard laundering move to cut on-chain tracing threads.
THORChain’s Mimir governance module triggered a halt at block 26190429, freezing both trading and signing. Node operators applied a 12-hour-plus pause. The protocol officially acknowledged the exploit and asked users to stop interacting with the protocol while the investigation runs.
As of publication, no attack vector has been confirmed. THORChain has not released technical details about how the exploit worked, which liquidity pools were targeted, or whether a single vulnerability or chained attack was involved.
Why THORChain?
THORChain is a decentralized cross-chain liquidity protocol — one of the few that lets you swap native BTC for native ETH without wrapped tokens or bridges. It processes billions in cross-chain volume and holds deep liquidity pools funded by node operators and LPs.
That cross-chain architecture is exactly what makes it a high-value target. An exploit that works simultaneously across four chains suggests either a flaw in THORChain’s settlement layer itself, or a coordinated multi-chain replay attack. Neither scenario is good news for the protocol’s long-term reputation — this isn’t THORChain’s first rodeo with exploits.
In 2021, the protocol was hit for $8M and then again for $5M within a month. In 2024, it paused operations voluntarily to avoid processing funds linked to the Bybit hack, drawing criticism from parts of the community. Now in 2026, a third major incident — and still no patch note.
The Numbers
| Asset | Amount Stolen | Approx Value |
|---|---|---|
| BTC | 36.75 BTC | ~$2.97M |
| ETH (converted) | 3,443 ETH | ~$7.77M |
| BNB | 96.6 BNB | ~$66K |
| Total | ~$10.8M |
RUNE, the protocol’s native token, dropped 12% on the news — wiping approximately $80M in market cap in under an hour.
No Post-Mortem. No Clarity. That’s the Problem.
The most concerning part of this incident isn’t the $10.8M. It’s that as of several hours after the exploit, THORChain has not published any technical explanation.
In DeFi, the post-mortem is everything. Projects that survive exploits — Euler Finance, Compound, Aave — do it by moving fast, being radically transparent, and demonstrating they understand exactly what broke. Protocols that go dark lose user trust faster than they lose the funds.
THORChain built its reputation on being the unstoppable, censorship-resistant cross-chain layer. Every halt and every exploit chips away at that narrative. If this turns out to be another smart contract vulnerability, LPs are going to start asking whether the risk-reward still makes sense.
Why This Matters for Crypto Jobs
Exploits like this one have direct ripple effects on hiring:
Security engineers are in extreme demand. THORChain, like every major DeFi protocol, will need post-incident audits, protocol redesigns, and hardened monitoring infrastructure. Security-focused developers with cross-chain expertise are among the highest-paid roles in Web3 right now.
Smart contract auditors are booked solid. With $759M stolen from crypto protocols year-to-date in 2026 — 75% traced to North Korean state actors — every serious protocol is accelerating its audit pipeline. Firms like Trail of Bits, OpenZeppelin, Cyfrin, and Spearbit are hiring and have waitlists.
On-chain investigators are having a moment. ZachXBT was among the first to flag this exploit. The demand for blockchain forensics talent — at firms like Chainalysis, Elliptic, and TRM Labs — has jumped sharply as hack frequency hits record highs in 2026.
Protocol engineers who understand multi-chain architectures are the hardest to find and best compensated. If you can reason about how assets move across settlement layers, liquidity pools, and signing schemes across 4+ chains, you’re in the top 1% of the candidate pool.
Whether this was a targeted state-sponsored attack, an insider job, or a simple logic error in the routing contracts — we don’t know yet. What we do know: $10.8M walked out the door today across four chains at once, and the team is still piecing together how.
Watch for the post-mortem. It will tell you everything about whether THORChain survives this.
Looking for your next role in crypto security, DeFi engineering, or blockchain forensics? Cryptogrind has the most up-to-date job listings across Web3 security, protocol engineering, and on-chain research. Find your next role at cryptogrind.com.
