THORChain Confirms Exploit, Opens Claims Portal; Announces ~$10M Treasury Refund

THORChain, a decentralized protocol for swapping crypto assets across blockchains, said Friday that it has confirmed an exploit, opened a recovery portal for affected users and announced a treasury-backed refund plan of about $10 million while investigators continue to sort out the final scale of the loss.

According to Cointelegraph’s report of THORChain’s public announcement, the portal allows users to check their estimated compensation and submit claims. THORChain said 12,847 wallets were affected across Bitcoin, Ethereum, BNB Chain and Base, and users have 21 days to file claims, with the window closing June 4.

The move came a day after THORChain halted trading and outbound signing on May 15, after security researchers and on-chain investigators flagged suspicious activity. The Block reported that the protocol issued an emergency pause while it investigated.

The amount stolen remains approximate and disputed. THORChain described the exploit as roughly $10 million, and multiple outlets cited that figure in coverage of the recovery plan. But early outside estimates were lower and later ones higher: blockchain investigator ZachXBT initially put the loss at about $7.4 million, while blockchain security firm TRM Labs later said the attacker drained more than $11 million across at least nine chains. The Block also reported that THORChain said one Asgard vault — a validator-managed pool used to custody and move assets — was compromised for approximately $10.7 million in protocol-owned funds.

Investigators’ summaries suggest the attacker moved both bitcoin and tokens on Ethereum-compatible networks. Cointelegraph, citing on-chain analysis, reported that about 36.75 BTC and roughly $7 million in tokens were taken on EVM-compatible chains including Ethereum, BNB Chain and Base.

THORChain said its leading hypothesis is that its GG20 threshold signature scheme — the cryptographic system its validators use to jointly control vaults — may have leaked key material over time, allowing reconstruction of private keys for the affected vault. The protocol also said a newly churned node appears suspicious. THORChain presented that as a working theory, not a confirmed explanation for the breach.

The protocol said it is coordinating forensic work with Outrider Analytics and law enforcement, while outside firms including TRM Labs and PeckShield have also published tracking and analysis of the stolen funds. Cointelegraph reported that THORChain said “affected users are now able to check what they will be paid as compensation following the exploit.”

The incident underscores the security risks around cross-chain crypto infrastructure. THORChain lets users swap native assets such as bitcoin and ether between blockchains without relying on a centralized exchange, but systems that move value across chains have long been attractive targets because they depend on complex signing and custody mechanisms. THORChain has faced security incidents before, though the company’s focus now is on recovery and containment.

RUNE, THORChain’s native token, fell sharply after the exploit alerts, with reports putting the drop in the roughly 9% to 15% range in the immediate aftermath. For now, the protocol’s public response has shifted from emergency shutdown to remediation, even as the exact loss total and technical cause remain unresolved.