THORChain Opens Recovery Portal After $10 Million Cross-Chain Hack

Highlights:

• THORChain opened a recovery portal after a $10 million exploit hit 12,847 wallets.
• Affected users have until June 4 to submit compensation claims.
• Investigators linked the attack to vault key exposure and cross-chain laundering activity.

Decentralized cross-chain liquidity protocol THORChain has confirmed a $10 million exploit and opened a recovery portal for users who lost funds during the breach. According to a post on X on May 16, THORChain Foundation said affected users can now check estimated payouts, revoke harmful token approvals, and submit refund claims through a self-custodial process.

The incident started at 2:14 a.m. UTC on May 11, after node operators noticed unusual outbound transactions. As a result, transaction activity and withdrawal signing stopped within eight minutes, limiting further damage while the team reviewed the breach.

Attackers drained 36.75 Bitcoin, valued at nearly $3 million, alongside about $7 million in assets on Ethereum, BNB Chain, and Base. In total, the breach affected 12,847 wallets across four chains.

THORChain community just delivered a solution in coordination!

Additionally, Affected users are now able to check what they will be paid as compensation following the exploit!

More info: https://t.co/f1CPcdWlNB

— THORChain Foundation (@thorchnfnd) May 15, 2026

Users Must File Claims Before June Deadline

Affected users have 21 days to submit compensation claims through the recovery portal. The claim period closes on June 4, and any unclaimed funds will move into the protocol’s insurance fund after that date.

The refund program relies on a treasury-backed pool equal to the reported losses. Therefore, users can follow the portal instructions to review their allocation and begin the repayment process without giving up wallet custody. The platform also urged users to revoke malicious approvals tied to the attack. This step helps stop further wallet exposure, especially for users who interacted with affected contracts before the breach.

THORChain Introduces Supervision After Vault Key Breach

In its incident update, the protocol said investigators currently believe the attacker abused a weakness in the GG20 threshold signature scheme implementation. This weakness may have allowed vault key material to leak gradually before the attacker gathered enough data to rebuild the vault private key.

With that key, the attacker could authorize unauthorized outbound transfers from protocol-controlled vaults. Moreover, the team said a newly churned node joined the network several days before the theft and may be linked to the incident.

THORChain incident update #1
THORChain contributors shared a new update in the dev discord regarding the ongoing incident.

TLDR
– Current evidence points toward a newly churned node linked to the attack, likely operated by a single malicious actor

– The leading theory is an…

— THORChain (@THORChain) May 15, 2026

Investigators have also found on-chain connections between the node’s bonding addresses and wallets that received stolen funds. Hence, the treasury has started collecting forensic evidence while working with Outrider Analytics and law enforcement.

On-chain Trail Points to Earlier Laundering Activity

Blockchain analytics firm Chainalysis traced related activity across Monero, Hyperliquid, and Arbitrum on Friday. According to the findings, wallets likely tied to the attacker moved funds through privacy-focused routes for weeks before the exploit happened.

Moreover, the breach highlights the pressure on cross-chain systems that manage liquidity across several networks. As users move assets between chains, attackers often target signing flows, validator access, and approval permissions. As a result, stronger monitoring, faster pausing tools, and clearer user recovery steps are more important across decentralized finance following large security events and refunds.

The wider crypto market has also faced a sharp rise in security losses. April alone recorded about $629.7 million in crypto hack losses, driven mainly by major incidents involving KelpDAO and Drift Protocol.