THORChain has confirmed the $10 million exploit and launched a redemption portal, giving affected users a self-pathway to revoke malicious token approvals and submit redemption claims backed by a redemption pool of equal size provided by the treasury.
In a Saturday post on
The portal claims, citing a PeckShield post-mortem report, that the attack was discovered at 02:14 UTC on May 11, when node operators reported anomalous external transactions. Trading and external signing were paused within eight minutes. In total, the attackers drained 36.75 bitcoins, worth about $3 million, and about $7 million worth of tokens across the BNB, Ethereum, and Base chain, reaching 12,847 wallets across four chains.
THORChain Redemption Gateway. Source: Thorshin
Affected users have 21 days to file claims. The refund window closes on June 4, after which any unclaimed allocation will be transferred to the protocol’s insurance fund.
Related to: Russia-linked cryptocurrency exchange Grinex halts trading after $14 million hack
How THORChain was dried up
In an incident update, THORChain said the leading theory is that the attacker exploited a vulnerability in the implementation of the GG20 Threshold Signing Scheme (TSS), allowing sensitive vault key material to gradually leak. By accumulating enough of this leaked data over time, the attacker was able to reconstruct the vault’s private key and allow unauthorized outgoing transactions.
The protocol also noted that the newly minted node entered the network several days before the attack and is currently believed to be associated with it, with onchain links identified between the node’s binding addresses and the wallets that received the stolen funds.
“Treasury is actively collecting forensic data and coordinating with Outrider Analytics and relevant law enforcement agencies in an effort to identify the attacker and pursue recovery of stolen funds where possible,” the protocol reads.
Related to: Law enforcement freezes $41 million linked to $150 million cryptocurrency Ponzi bust
Cryptocurrency hack losses reached $630 million in April
Cryptocurrency hacks surged in April, with losses totaling $629.7 million, the worst month for the industry since February 2025, when $1.47 billion was stolen. The $293 million KelpDAO exploit and the $280 million Drift Protocol hack did the bulk of the damage, together accounting for 82% of April’s losses and cementing DeFi as the most targeted sector.
The pattern of attacks indicates a shift in how protocols are compromised, with bridges, privileged access, and operational failures increasingly becoming the root cause of major incidents rather than direct errors in smart contracts.
magazine: AI-driven hacks could wipe out decentralized finance – unless projects act now
