THORChain Halt After Multichain Exploit Drains $11M

THORChain halted trading, signing and churning on May 15 after a suspected multichain exploit that initially drained $10.7M; later analytics put losses above $11M across nine chains.

On May 15, THORChain activated emergency controls and paused trading, signing and churning after a suspected multichain exploit that initially removed about $10.7 million from protocol vaults. Subsequent analytics expanded the estimated losses to more than $11 million across multiple blockchains, and the emergency stop paused the protocol’s native-asset routing.

Node operators stepped through a sequence of halts, including chain-specific stops, a global halt on trading, a halt on signing, a global chain pause and a halt on churning. Repeated global node pauses were posted as teams and observers worked to assess the event and prevent additional outflows.

THORChain’s architecture routes native tokens across networks using Bifrost observers, Asgard vaults and threshold-signature signing rather than wrapped assets. Initial reporting indicated one of six Asgard vaults had been compromised for roughly $10.7 million. Early indications suggested individual swap functionality remained available, though final validations were pending.

Estimates of the losses varied as analytics firms reconciled on-chain flows. An early alert was revised from $7.4 million to $10.7 million. An independent tally cited about 36.75 BTC plus roughly $7 million across BNB Chain, Ethereum and Base. A later assessment expanded the chain list and reported more than $11 million drained across at least nine chains, adding Avalanche, Dogecoin, Litecoin, Bitcoin Cash and XRP to the initial scope. Accounting remains ongoing and totals may change as investigators follow funds and confirm affected addresses.

The emergency controls that node operators used are built to stop signing and movement when funds are at risk. Those controls also stop cross-chain routing and limit liquidity while teams investigate. The sequence of halts and updates was used to contain potential damage while work continued to identify compromised keys, affected vaults and the path of stolen assets.

THORChain has a history of drawing attention in chain-analytic reviews for flows tied to prior thefts. In February 2025, federal investigators publicly linked the $1.5 billion theft from a major exchange to actors associated with North Korean operations and urged private-sector entities to block transactions involving addresses tied to laundering. Past episodes prompted debate within the THORChain community between developers and validators over how to handle flagged flows. No public attribution has been released for the May 15 exploit.

Market response was immediate: RUNE, THORChain’s token, fell about 22% in 24 hours to roughly $0.44 on May 16. THORChain posted updates that accounting and investigations are ongoing as node operators and observers continue to trace funds and reconcile the full list of affected chains and addresses.
