THORChain lost over $10.7M in a cross-chain exploit on May 15, 2026, triggered by a GG20 TSS vulnerability. RUNE dropped 15% in 24 hours. Here's what happened, what it means for DeFi security, and whaTHORChain lost over $10.7M in a cross-chain exploit on May 15, 2026, triggered by a GG20 TSS vulnerability. RUNE dropped 15% in 24 hours. Here's what happened, what it means for DeFi security, and wha
THORChain lost over $10.7M in a cross-chain exploit on May 15, 2026, triggered by a GG20 TSS vulnerability. RUNE dropped 15% in 24 hours. Here's what happened, what it means for DeFi security, and what investors should do now.
Overview
On May 15, 2026, cross-chain liquidity protocol THORChain confirmed that approximately $10.7 to $10.8 million in protocol-owned assets were drained in a sophisticated multi-chain exploit. As The Block reported, one of THORChain's six Asgard vaults was compromised across at least four blockchains — Bitcoin, Ethereum, BNB Chain, and Base — while the protocol maintained that no individual user swap funds were affected.
The attack was first flagged by on-chain investigator ZachXBT and blockchain security firm PeckShield. Within eight minutes, THORChain's automated systems detected abnormal behavior and halted all trading, signing, and liquidity operations. The protocol's native token RUNE fell between 12% and 15% in the first 24 hours, erasing more than $27 million in market capitalization.
For investors tracking RUNE or monitoring the broader DeFi security landscape on MEXC, this event carries implications well beyond a single protocol's balance sheet.
Key Takeaways
On May 15, 2026, THORChain's Asgard vault was compromised for approximately $10.7–$10.8M in protocol-owned funds; user assets were not directly impacted
The attack exploited a vulnerability in the GG20 Threshold Signature Scheme (TSS), allowing gradual leakage of vault key material over multiple signing rounds
RUNE fell 12%–15% in the 24 hours following the exploit, with market cap dropping by over $27 million
ZachXBT and PeckShield identified the breach; THORChain's automated network halted operations within 8 minutes
The exploit spanned at least 9 blockchains, making it the broadest attack in the protocol's history
A $10M compensation portal launched on May 16; affected users must submit claims before June 4, 2026
Cumulative crypto hack losses in 2026 now exceed $800M, with DeFi cross-chain infrastructure as the primary target
What Is THORChain and Why Does It Keep Getting Targeted?
Founded in 2018 and incorporated in Switzerland, THORChain is one of the largest decentralized cross-chain liquidity protocols in DeFi. It enables native swaps between assets on different blockchains — Bitcoin, Ethereum, BNB Chain, and others — without relying on wrapped tokens or centralized intermediaries.
That design is one of its most compelling features. It is also its core vulnerability. Supporting over ten blockchains simultaneously means each chain requires its own vault logic, Bifrost connector, and cryptographic signing layer. A flaw in any one component can expose vault balances across the entire routing layer.
According to TRM Labs' post-incident analysis, THORChain has also functioned as a primary laundering channel for some of the largest crypto heists on record — including the $1.5 billion Bybit hack in February 2025 and the approximately $300 million KelpDAO attack in April 2026. The protocol's stated policy of resisting "censorship" has made it both a useful tool for legitimate cross-chain users and a default rail for sophisticated threat actors moving stolen funds across chains.
How the Attack Worked: The GG20 TSS Vulnerability Explained
The technical root cause of this exploit lies in THORChain's implementation of GG20, a Threshold Signature Scheme (TSS) that forms the cryptographic backbone of its multi-chain vault architecture.
As Crypto Times detailed in its post-mortem, GG20 works by splitting a private key into fragments distributed across multiple nodes. No single node should be able to produce a valid signature alone. In theory, this is one of the more elegant designs in the space.
In practice, the attacker bonded RUNE, joined the network as a validator node, and then exploited a flaw in the GG20 keygen or signing rounds to gradually extract vault key material from participating nodes — a technique related to the TSSHOCK class of vulnerabilities. Once enough key shards had been reconstructed offline, the attacker could forge outbound signatures from an Asgard vault that appeared entirely legitimate to the network.
PANews reported that preliminary evidence links the exploit to a recently churned validator node, with on-chain data showing connections between that node's bonding addresses and wallets that received stolen funds.
The stolen assets included approximately 36.75 BTC (roughly $3 million) and around $7 million in tokens across Ethereum, BNB Chain, and Base — totaling approximately $10.8 million across at least nine chains.
Ledger CTO Charles Guillemet subsequently flagged that GG18/GG20-family protocols have historically carried critical vulnerabilities in which a single compromised co-signer could reconstruct the full signing key. His analysis noted that the exact root cause of this specific exploit had not yet been confirmed at the time of writing, but the broader implication — that MPC and TSS infrastructure across the industry warrants fresh scrutiny — was explicit.
The Emergency Response: What Worked and What Didn't
THORChain's automated response was, by most technical assessments, fast and effective at limiting further losses.
The abnormal behavior was first identified by ZachXBT and PeckShield at approximately 6:00 AM EST on May 15, as The Record documented. The protocol's automated monitoring systems triggered a "make pause" command within eight minutes, freezing all trading, LP activity, and signing operations at block 26190429.
According to Crypto Times' analysis, the pause was scheduled to remain in place for approximately 12 hours and 42 minutes — long enough for the core team and external partners to begin a forensic review without giving the attacker additional room to maneuver.
However, the pause also drew criticism. THORChain had previously declined to use its emergency shutdown capability when the protocol was being used as a laundering rail for hundreds of millions in funds from other exploits — most notably the Lazarus Group's movement of roughly $175 million in KelpDAO proceeds. Deploying that same capability within hours when protocol-owned liquidity was at risk has prompted community debate about how THORChain's "decentralization" principles are applied selectively.
On May 16, THORChain confirmed that user funds were not lost and warned the community against fake compensation links circulating on X, some of which falsely claimed that over 12,847 wallets qualified for immediate refunds and directed users to phishing portals.
The Compensation Portal: What Affected Users Need to Know
On May 16, THORChain launched a treasury-funded compensation portal covering the 12,847 wallets affected across Bitcoin, Ethereum, BNB Chain, and Base.
Key deadlines and details:
Claims must be submitted before June 4, 2026
Unclaimed funds after the deadline roll over to the protocol's insurance fund
Users must verify wallet ownership before claims are processed
THORChain is working with on-chain analytics firm Outrider Analytics and law enforcement to pursue the attacker
As Yellow.com noted, the $10M compensation pool does not fully cover the estimated $10.8M extracted — an $800K gap remains publicly unaddressed, with no confirmed source for the shortfall disclosed by the protocol.
Only use official THORChain communication channels to access the portal. Anyone offering to assist with fund recovery via DMs or third-party links is, with near certainty, running a secondary scam.
RUNE Price Impact: The Market's Immediate Verdict
The market priced in the news quickly.
RUNE dropped between 12% and 15% in the 24 hours following the exploit, with market capitalization falling from approximately $209 million to around $182 million — a loss of over $27 million in a single session. According to CoinMarketCap data, trading volume spiked sharply as panic selling and short positions flooded in.
Traders Union analyst Viktoras Karapetjanc identified $0.420 as a critical support level for RUNE, noting that a breach of that floor could trigger a further breakdown. He maintained a constructively biased medium-term view, contingent on the protocol demonstrating clear progress on security remediation and compensation transparency.
The broader DeFi cross-chain category also took a sympathetic hit. Several mid-cap tokens declined on the reasoning that if THORChain's TSS layer could be compromised, other protocols using similar MPC/TSS architectures might not be far behind.
THORChain's Security History: A Pattern Worth Examining
This is not the first time THORChain has faced a serious security incident, and acknowledging that history matters for investors assessing the protocol's long-term trajectory.
Two separate exploits hit the protocol in July 2021. In early 2025, THORChain halted ThorFi lending operations amid insolvency concerns, eventually resolving a roughly $200 million debt crisis by converting defaulted obligations into a new equity-style token. In September 2025, founder John-Paul Thorbjornsen's personal wallet was drained of approximately $1.3 million in an attack ZachXBT linked to suspected North Korean threat actors.
As Crypto Times' historical review summarizes, cumulative direct losses targeting the protocol and its leadership now sit somewhere around $25 million. The protocol has survived each previous crisis. Whether the combination of an architectural vulnerability, a controversial governance stance on illicit fund flows, and a widening compensation gap represents an inflection point — or another chapter in a protocol that keeps rebuilding — is a question the community has not yet answered.
The 2026 DeFi Security Landscape: A Broader Crisis
THORChain's incident is one node in a larger, deteriorating picture.
According to The Market Periodical's industry data, April 2026 marked the highest monthly crypto hack losses since the $1.5 billion Bybit breach in February 2025, with $635 million stolen across 28 incidents. Cumulative losses from crypto hacks in 2026 have surpassed $800 million.
Cross-chain infrastructure has become the primary attack surface. Each additional blockchain a protocol integrates increases the attack surface. THORChain currently supports over a dozen chains, each requiring a custom vault and Bifrost connector. A flaw in any one connector can expose all connected vault balances if the routing layer fails to isolate the damage.
TRM Labs warned that stolen funds from the May 15 exploit remained dormant as of May 16, but noted this can change quickly — and that the attacker has publicly demonstrated the sophistication to move funds across chains, through perpetuals exchanges, and into privacy protocols. The U.S. Treasury Department has since announced expanded cyber threat intelligence sharing with the cryptocurrency industry following the $280 million Drift hack.
What Investors Should Do: Practical Security Guidance
Against a backdrop of escalating DeFi security risks, here are concrete steps worth taking:
Review protocol audit history — Assess not just whether a protocol has been audited, but the reputation of auditors, frequency of reviews, and the quality of post-incident disclosure and remediation in prior events.
Revoke unused approvals — Anyone with assets linked to THORChain-integrated routers, wallets, or liquidity pools should revoke unnecessary contract approvals while the network remains paused.
Avoid unsolicited recovery offers — Post-exploit secondary scams are now consistent enough to be treated as a rule. Anyone offering to recover lost funds for a fee, via DMs or third-party sites, is running a scam.
Diversify custody — No single cross-chain protocol provides absolute security guarantees. Allocating a portion of assets to regulated, security-audited centralized exchanges like MEXC is an effective hedge against protocol-layer DeFi risks.
Understand the underlying cryptographic architecture — If you hold tokens in protocols relying on GG20 or similar MPC/TSS designs, understand the validator vetting process and hardware isolation assumptions before sizing your position.
MEXC Crypto Pulse Research Team: Exclusive Perspective
The THORChain incident is technically more significant than its dollar figure suggests — and the market may be underpricing the systemic implications.
The GG20 vulnerability exploited here did not require a single dramatic breach. The attacker operated with patience, accumulating key material across normal network operations over an extended period, in a way that bypassed most monitoring models calibrated to detect anomalous transaction volume or velocity. That attack profile is harder to defend against, harder to detect, and potentially portable to other protocols using similar TSS architectures.
Three structural observations deserve attention:
Node admission is the real weak point in cross-chain protocols. THORChain uses economic bonding requirements as a gatekeeping mechanism, but this incident demonstrates the ceiling on incentive-based security when attackers operate with sufficient resources and patience. Validator vetting needs to include hardware attestation and behavioral monitoring, not just bond size.
The "censorship resistance" stance is becoming a governance liability. THORChain's decision to deploy emergency halt capability within hours of its own protocol funds being drained — while consistently refusing to freeze during the laundering of Bybit and KelpDAO proceeds — represents a selective application of decentralization principles that will continue to attract institutional scrutiny and regulatory attention. Community governance will need to address this inconsistency explicitly.
GG20 systemic risk is not yet priced in across the market. The market is currently treating this as a THORChain-specific event. Ledger's CTO treated it as an industry-wide signal. If a second TSS-related exploit emerges at another protocol in the near term, the market's current compartmentalization will break down quickly, and the re-rating will be broader than a single token.
For RUNE holders, the short-term thesis centers on whether the protocol can complete an independent security audit and publish a clear remediation roadmap within 30 days. If it does, the long-term fundamental case remains intact. If the audit timeline extends and the compensation gap remains unaddressed, further downside risk is well within the range of outcomes.
Frequently Asked Questions (FAQ)
Q1: Were user funds stolen in the THORChain hack?
According to THORChain's official statement, only protocol-owned funds were affected. Individual user swap balances were not directly compromised. However, the compensation portal covers 12,847 affected wallets, which suggests some users have indirect exposure. Users should verify their wallet status through official THORChain channels.
Q2: What caused the THORChain exploit technically?
The exploit is attributed to a vulnerability in THORChain's GG20 Threshold Signature Scheme (TSS) implementation. A malicious node operator gradually leaked vault key material across multiple signing rounds, eventually reconstructing enough private key data to forge outbound signatures and authorize unauthorized transactions.
Q3: Is RUNE worth holding after this incident?
RUNE's near-term outlook depends heavily on the pace and quality of security remediation, audit outcomes, and compensation transparency. $0.420 is the critical near-term support level. Any investment decision should be made in the context of personal risk tolerance. This article does not constitute investment advice.
Q4: How can affected users claim compensation?
THORChain launched a compensation portal on May 16, 2026, covering wallets on Bitcoin, Ethereum, BNB Chain, and Base. Claims must be submitted before June 4, 2026. Unclaimed funds will be transferred to the protocol's insurance fund. Access the portal only through official THORChain channels, not through third-party links.
Q5: Where can I trade RUNE safely?
RUNE is available on MEXC and other major cryptocurrency exchanges, where you can monitor real-time price action, market depth, and the latest developments following this incident.
Q6: How bad is DeFi security in 2026 overall?
According to aggregated industry data, cumulative crypto hack losses in 2026 have already surpassed $800 million, with April 2026 alone reaching $635 million — the highest single-month figure since the $1.5 billion Bybit breach in February 2025. Cross-chain protocols and MPC/TSS infrastructure remain the dominant attack surface.
Disclaimer
This article is for informational purposes only and does not constitute financial or investment advice. Cryptocurrency investments carry significant risk, including the potential for substantial losses. Assets or projects mentioned herein do not represent endorsements or recommendations by MEXC. Always conduct your own research and consult a qualified financial advisor before making investment decisions.
About the Author
This article was produced by the MEXC Crypto Pulse Team, MEXC's in-house research and content division focused on in-depth cryptocurrency market analysis, blockchain technology research, and emerging industry trends. Our mission is to deliver timely, evidence-based insights for crypto investors worldwide.
Sources
THORChain pauses trading as security researchers flag suspected $10M multi-chain exploit — The Block
Want the fastest access to MEXC's latest updates? Join our official Telegram group now!
Account Verification: Understand KYC | How to Complete KYC
Market Opportunity
MemeCore Price(M)
$3.43299
$3.43299$3.43299
USD
MemeCore (M) Live Price Chart
Description:Crypto Pulse is powered by AI and public sources to bring you the hottest token trends instantly. For expert insights and in-depth analysis, visit MEXC Learn.
The articles shared on this page are sourced from public platforms and are provided for informational purposes only. They do not necessarily represent the views of MEXC. All rights remain with the original authors. If you believe any content infringes upon third-party rights, please contact service@support.mexc.com for prompt removal.
MEXC does not guarantee the accuracy, completeness, or timeliness of any content and is not responsible for any actions taken based on the information provided. The content does not constitute financial, legal, or other professional advice, nor should it be interpreted as a recommendation or endorsement by MEXC.
Learn More About MemeCore
View More
Arkham Maps Iran-Linked Tron Wallets After $344M USDT Freeze
Arkham has published a public map of wallets it says are linked to Iran’s central bank, following U.S. sanctions against Tron addresses and the freezing of about $344 million in USDT. The story sits
2026/05/14
Tether Freezes Over $500M USDT in 30 Days as Stablecoin Blacklist Debate Grows
Key Takeaways Tether froze more than $514 million in USDT over 30 days. The freezes affected 370 addresses across Tron and Ethereum. Most frozen funds were on Tron, according to BlockSec data. The
2026/05/10
Solana Firedancer Explained: Mainnet Launch, 1M TPS Target, and What Comes Next
Solana just crossed one of its biggest technical milestones in years — and if you hold SOL or plan to, this directly affects you. After more than three years of development, the Solana Firedancer
2026/05/04
Latest Updates on MemeCore
View More
P526-M cigarettes seized in Mindanao Navy operations
COTABATO CITY — Navy teams seized a total of P526.2 million worth of imported cigarettes in two separate seaborne operations last week in the territorial seas of
2026/05/18
Palace dares Senator Bato to come out of hiding as counsel rejects ‘fugitive’ label
THE PALACE on Monday told Senator Ronald “Bato” M. dela Rosa, who is wanted by the International Criminal Court (ICC) for alleged crimes against humanity, to come
2026/05/18
85,000 sq.m. of Grade A office space to enter Davao by 2029 — PRIME
DAVAO’S office sector will see an influx of office space with approximately 85,000 square meters (sq.m.) entering the market in three years, according to property
2026/05/19
HOT
Currently trending cryptocurrencies that are gaining significant market attention
Crypto Prices
The cryptocurrencies with the highest trading volume
Newly Added
Recently listed cryptocurrencies that are available for trading