The decentralized liquidity protocol THORChain has temporarily suspended all operations after security analysts detected a suspected multi-million dollar exploit. Independent blockchain investigator ZachXBT raised the initial alarm on May 15, 2026, revealing that the malicious activity targeted assets across Bitcoin, Ethereum, BNB Chain, and Base ecosystems. The preventative freeze was implemented to protect pool liquidity and mitigate further losses.
Technical validation of the operational halt appeared swiftly across the network’s automated messaging services. The platform’s dedicated Telegram alert system reported that trading and transaction signing were completely disabled by the network’s validation nodes. According to the data broadcasted on the official THORChain alerts Telegram channel, this global pause is scheduled to remain active until block 26191149, representing a complete operational shutdown lasting approximately 12 hours and 42 minutes from the initial disruption.
Blockchain monitoring services independently verified the anomalous capital movements shortly before the network freeze. Investigator ZachXBT documented his findings on his official cryptocurrency investigations channel, noting that the attacker managed to drain funds simultaneously from multiple smart contracts.
#PeckShieldAlert @THORChain has been exploited for ~$10M worth of crypto, including 36.75 $BTC ($3M) and ~$7M worth of assets from #BNBChain, #Ethereum, and #Base.
The stolen funds mainly sit in:
bc1ql4u94klk265lnfur2ujk9p6uh52f2a8jhf6f37… pic.twitter.com/mhWIWueVPK— PeckShieldAlert (@PeckShieldAlert) May 15, 2026
Concurrently, blockchain security firm PeckShield detected the suspicious wallet activity and issued an emergency public notification via the PeckShieldAlert official X account to notify secondary exchanges and liquidity providers about the active security incident.
On-chain ledger analysis provides a precise metric of the stolen digital assets. Crypto intelligence platform Arkham tracked and tagged the specific address utilized by the perpetrator. The blockchain explorer profile for the THORChain exploiter Arkham entity indicates that the wallet accumulated a balance of 10.8 million dollars.
This total was consolidated through multiple smaller transfers executed within a 30-minute timeframe, concluding at 10:11 UTC on May 15, 2026. At the time of compilation, THORChain developers have not released a comprehensive post-mortem detailing the specific smart contract flaw, though the complete node freeze confirms the severity of the exploit.
The announcement of the security breach triggered an immediate sell-off of the protocol’s native utility token. The price of RUNE experienced a sharp 13% decline within minutes of the public disclosures, dropping to approximately 0.51 dollars per token according to spot market aggregators. This sudden downward movement exacerbates a longer-term depreciation for the digital asset, which has lost 72% of its market value over the past year, reflecting heightened investor anxiety regarding cross-chain security vulnerabilities.
This exploit occurs amidst a noticeable resurgence in malicious cyberactivity targeting decentralized financial protocols throughout 2026. Data compiled in the DefiLlama hacks dashboard indicates that malicious actors successfully stole more than 634 million dollars during April 2026 alone. This figure stands as the highest monthly loss recorded since February 2025, a month that witnessed aggregate losses of 1.46 billion dollars due to the security breach suffered by the Bybit exchange.
Cross-chain protocols as laundering vectors
Although designed as a legitimate, non-custodial protocol for decentralized cross-chain swaps, THORChain’s technical infrastructure has historically made it an attractive mechanism for illicit fund routing. Unlike conventional privacy mixers, the platform allows users to perform native layer-1 asset exchanges without relying on wrapped tokens or centralized intermediaries, which structurally prevents traditional financial gatekeepers from freezing assets in transit.
A notable instance occurred in mid-April 2026, when the attackers behind a major decentralized finance exploit utilized the protocol to launder stolen assets. During that incident, the hackers processed 75,700 Ether through THORChain’s liquidity pools. While the event caused significant distress to the targeted platform, the resulting swap volumes generated roughly 910,000 dollars in transaction fees for the THORChain network.
Reports indicate that the Lazarus Group stole 292 million dollars from the Kelp DAO cross-chain bridge during that specific vulnerability, showing how state-sponsored syndicates leverage permissionless architectures. Furthermore, historical forensic tracking shows that approximately 1.2 billion dollars from the 2025 Bybit breach was similarly channeled through THORChain to covertly transition stolen Ether into native Bitcoin.
This article is for informational purposes only and does not constitute financial advice.
