
THORChain Suffers Third Major Breach: Malicious Node Impersonates Vault, Exploits Key Management Vulnerability to Steal $10.7 Million Over Three Weeks
When delayed maintenance becomes the norm, who should be held accountable?
Author: Rekt
Translated and compiled by TechFlow
TechFlow Intro: Hacked three times in five years. $200 million insolvent. Laundered $1.2 billion for North Korea. Even the personal wallet of co-founder jpthor was tricked out of $1.2 million via a fake conference call by North Korean hackers. This isn’t bad luck—it’s a known vulnerability whose patch sat un-deployed in the codebase for nine days. When delayed maintenance becomes routine, who bears responsibility?
Hacked three times in five years. One $200 million insolvency crisis. Plus $1.2 billion laundered for North Korea.
THORChain’s relationship with North Korea runs deeper than most protocols care to admit.
North Korea even returned the favor: in September 2025 it drained $1.2 million from co-founder jpthor’s personal wallet using a fake conference-call scam.
This doesn’t look like a recipe for success—it looks like a prelude to disaster.
Then, on May 15, another $10.7 million was stolen.
At some point, the question ceases to be “How did this happen?” and becomes “Why does anyone still expect it to be different?”
On May 15, 2026, THORChain’s Asgard vaults were rapidly drained across multiple chains.
THORChain’s own automated solvency checker triggered a pause—the only security upgrade born from the July 2021 catastrophe—and froze the network for 12 hours and 42 minutes.
The vault design was sound. Yet the funds were gone.
RUNE dropped 15% before most of the world had finished reading ZachXBT’s Telegram post.
Market cap evaporated by $27 million in minutes.
This is a protocol that once stared into the abyss—and kept building. But there’s a limit to how many times you can call the same wound a “learning experience.”
When the vulnerability class is documented, the patch exists—and yet funds are still lost—when does postponed maintenance cross from negligence into recklessness?
ZachXBT saw it first.
Earlier on May 15, his Telegram channel issued a community alert: THORChain was likely under attack on Bitcoin, Ethereum, BSC, and Base—with losses exceeding $10.7 million.
TRM Labs later expanded confirmed impact to at least nine chains—adding Avalanche, Dogecoin, Litecoin, Bitcoin Cash, and XRP to the original four—and raised total losses to over $11 million.
Arkham tagged the attacker’s wallet.
But the drain was already complete.
PeckShield publicly confirmed approximately $10 million drained—including 36.75 BTC and roughly $7 million in assets distributed across BNB Chain, Ethereum, and Base.
THORChain’s own infrastructure moved before its team did.
THORChain’s Mimir governance module flipped transaction pause and signature pause parameters to active, suspending nodes starting at block 26190429 for ~12 hours and 42 minutes.
No human decision required.
Over five hours after ZachXBT’s announcement, THORChain issued an official statement confirming what on-chain data had already revealed: one of six Asgard vaults had been compromised. $10.7 million was gone.
Node operators protecting the affected vault were slashed—losing staked RUNE due to unauthorized outbound transfers. Rotation was suspended. On-chain upgrades indefinitely postponed. Preliminary indications suggest no individual user transactions were impacted.
THORSwap and Metro.exchange immediately halted THORChain routing.
Maya Protocol paused out of caution.
ATOM trading went dark.
Alternative providers—Chainflip, NEAR Intents, Harbor, Flashnet, Garden, and 1inch—continued operating, unaffected.
As the ecosystem scrambled, on-chain records were already telling a different story.
Among the earliest signals pointing to root cause: banteg flagged a GitLab commit to THORNode dated May 6—nine days before the attack—titled “Sign full ObservedTx wrapper to prevent proposer forgery.”
The patch existed. It had a name and timestamp. It was never deployed.
This commit would prove to be one thread in a larger fabric—not the root cause, but an early indicator of the gap between known and done.
Nine days separated a committed patch and $10.7 million in loss—so who, exactly, is responsible for what lived in that gap?
One Node, One Key, One Sweep
THORChain’s vaults are protected by a Threshold Signature Scheme (TSS), a form of multi-party computation where a quorum of nodes jointly generates cryptographic signatures—no single node ever holds the full private key.
In theory: distributed trust. In practice: only as strong as every co-signer in the quorum.
The setup began weeks before the drain. A newly created Discord account—“Dinosauruss”—joined the THORChain developer Discord on May 1, asking how to get a node onto the network as quickly as possible.
For unrelated reasons the normal three-day rotation window was delayed, forcing the attacker to wait. On May 13, two days before the attack, a brand-new node operator holding ~635,000 RUNE across two staking addresses rotated into the active validator set and was randomly assigned to one of the vaults.
Over the next two days, that node participated in routine GG20 signature ceremonies—acquiring everything it needed.
THORChain’s confirmation found: attackers exploited a vulnerability in the GG20 TSS implementation that allowed sensitive key material of vault participants to leak over time.
By accumulating enough leaked material across signature rounds, attackers reconstructed the vault’s full TSS private key—and executed unauthorized outbound transfers directly.
The active solvency checker runs *before* the network produces a signature. The attacker never asked the network to sign anything, so no signing request ever reached it. When the vault went insolvent, the passive checker fired, but by then the funds were already gone.
The solvency checker operated as designed. The attack simply bypassed the layer it monitored: a party that holds the full key does not need the signing path the checker guards.
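As an added illustration of that layering (example code, not THORChain’s solvency checker or thornode), the following Python models both checks on the Bitcoin leg reported in this article. The active gate runs before a signature is issued and refuses anything not in the outbound queue; the passive reconciliation reads the chain and compares what left the vault against what the ledger authorised. The vault and attacker addresses are the ones quoted in the chain-by-chain breakdown; the ledger balance, the scheduled user outbound, the user destination address and all transaction ids are constructed for this example.

```python
# Added example, not THORChain code. Models a pre-signing (active) gate and an
# observation-layer (passive) reconciliation over a constructed feed.
from dataclasses import dataclass
from decimal import Decimal

SATS = 100_000_000


@dataclass(frozen=True)
class Outbound:
    txid: str
    vault: str
    to: str
    sats: int


# Addresses quoted from the article's Bitcoin leg
VAULT_BTC = "bc1qt8f467qdkpmuflgwvgvvlr86r0kldnnvm7zhyv"
ATTACKER_BTC = "bc1ql4u94klk265lnfur2ujk9p6uh52f2a8jhf6f37"
USER_BTC = "bc1qconstructed_user_destination"  # constructed placeholder

# Constructed ledger state: what the protocol believes the vault holds
LEDGER_SATS = {VAULT_BTC: 41 * SATS}

# Constructed outbound queue: the only transfer the network would sign
SCHEDULED = {Outbound("sched_constructed_1", VAULT_BTC, USER_BTC, 25_000_000)}

# Constructed observation feed. The first two amounts are the two Bitcoin
# outbounds the article reports; the txids are invented.
OBSERVED_LINES = [
    f"txid=obs_constructed_a from={VAULT_BTC} to={ATTACKER_BTC} amount=36.85351435",
    f"txid=obs_constructed_b from={VAULT_BTC} to={ATTACKER_BTC} amount=3.87429558",
    f"txid=obs_constructed_c from={VAULT_BTC} to={USER_BTC} amount=0.25",
]


def active_gate(ledger, scheduled, outbound):
    """Pre-signing check: only scheduled, solvent outbounds get a signature.
    A party that already holds the full vault key never calls this."""
    if outbound not in scheduled:
        return "refuse: not scheduled"
    if ledger.get(outbound.vault, 0) < outbound.sats:
        return "refuse: insolvent"
    return "sign"


def parse_line(line):
    """Parse one 'k=v k=v ...' observation line into an Outbound (sats)."""
    kv = dict(field.split("=", 1) for field in line.split())
    return Outbound(kv["txid"], kv["from"], kv["to"],
                    int(Decimal(kv["amount"]) * SATS))


def passive_reconcile(ledger, scheduled, lines):
    """Observation-layer check: compare what the chain shows leaving the vault
    with what the ledger authorised. Runs after the fact, so it can only
    detect and halt, never prevent."""
    authorised = {(o.vault, o.to, o.sats) for o in scheduled}
    unauthorised, spent = [], {}
    for line in lines:
        o = parse_line(line)
        spent[o.vault] = spent.get(o.vault, 0) + o.sats
        if (o.vault, o.to, o.sats) not in authorised:
            unauthorised.append(o)
    expected = {v: bal - sum(o.sats for o in scheduled if o.vault == v)
                for v, bal in ledger.items()}
    observed = {v: bal - spent.get(v, 0) for v, bal in ledger.items()}
    deficit = {v: expected[v] - observed[v]
               for v in ledger if expected[v] > observed[v]}
    return {"unauthorised_txids": [o.txid for o in unauthorised],
            "deficit_sats": deficit,
            "halt": bool(unauthorised or deficit)}


def demo():
    """Gate decisions for the queue, then the post-hoc reconciliation."""
    gate = {o.txid: active_gate(LEDGER_SATS, SCHEDULED, o) for o in SCHEDULED}
    return gate, passive_reconcile(LEDGER_SATS, SCHEDULED, OBSERVED_LINES)
```

Run over the constructed feed, the gate would refuse the two large transfers if asked, but nobody holding the full key asks it; the reconciliation is the only layer that sees them, and it reports their ids and a deficit equal to their sum, which is the most a post-hoc check can do.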
To understand why attackers could reconstruct the key in the first place, you must understand what THORChain runs.
GG20 is a widely used threshold ECDSA protocol, commonly employed in systems interacting with Bitcoin and Ethereum.
It also has a documented history of critical vulnerabilities.
CVE-2023-33241 and TSSHOCK—both disclosed in 2023—are key-extraction attacks requiring only *one* compromised co-signer to reconstruct the full private key—silently, without triggering aborts, and leaving no trace within normal protocol operations.
The specific mechanism used by THORChain hasn’t been publicly confirmed to match either CVE—but both illustrate the class of attack the library is vulnerable to.
THORChain’s TSS runs on a fork of Binance’s tss-lib implementing GG20.
As Taylor Monahan noted shortly after the attack was flagged: “Oh my god, looks like THORChain’s tss-lib is ~3 years and >2 major security versions behind.”
banteg published the most detailed technical analysis the day after the attack—directly inspecting THORChain’s deployed fork, tss-lib v0.1.6 (commit 287e1e2), used in thornode v3.18.0.
His finding: the key-generation path accepts and persists peer Paillier material without establishing a MOD/FAC proof family for well-formed two-prime Paillier moduli.
Thus, a malicious node can register a 2048-bit Paillier modulus that passes every check performed by the library—yet contains factors known to the attacker.
Once an honest node persists this malformed key, every subsequent signing round that uses it exposes an oracle: residues of other participants’ long-term signing shares leak, and a patient attacker can accumulate them across rounds and combine them offline.
His harness test reproduced that oracle against the checked-in code.
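To make the acceptance gap concrete, here is an added Python illustration; it is not tss-lib, thornode or banteg’s harness, and it does not reproduce the MtA arithmetic through which the leak actually happens. It builds a 2048-bit modulus from many 16-bit primes that passes a size-only check, shows that a local small-factor and perfect-square check rejects it while accepting a genuine two-prime modulus, and models the accumulation step: the per-round leak is replaced by a constructed oracle that returns a 256-bit honest share modulo one of the attacker’s small factors, and the attacker recombines the residues with the Chinese remainder theorem. The Miller-Rabin, primorial and CRT helpers are this example’s own.

```python
# Added illustration, not tss-lib or THORChain code. The per-round leak is a
# constructed oracle (share modulo one small factor of the attacker's modulus);
# the real MtA arithmetic that leaks it is not reproduced here.
import math
import random
from functools import reduce

random.seed(7)  # fixed seed so the demo is reproducible
SECP256K1_ORDER = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def is_probable_prime(n, rounds=16):
    """Miller-Rabin; fine for a demo, not for real key generation."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random probable prime with exactly `bits` bits."""
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def honest_paillier_modulus(bits):
    """Well-formed N = p*q: two distinct primes of bits/2, N exactly `bits` long."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        if p != q and (p * q).bit_length() == bits:
            return p * q


def malicious_paillier_modulus(bits=2048, factor_bits=16):
    """Right size, but a product of many small primes the owner knows."""
    factors, n = [], 1
    while n.bit_length() < bits - 2 * factor_bits:
        p = random_prime(factor_bits)
        if p not in factors:
            factors.append(p)
            n *= p
    while True:  # top up with one larger prime so N has exactly `bits` bits
        q = random_prime(bits - n.bit_length() + 1)
        if (n * q).bit_length() == bits:
            return n * q, factors + [q]


def naive_accept(n, bits=2048):
    """The weak acceptance path: right size and odd, nothing else."""
    return n.bit_length() == bits and n % 2 == 1


# Product of all primes below 2^17, for a single-gcd small-factor check.
_PRIMORIAL = reduce(lambda a, b: a * b,
                    (p for p in range(2, 1 << 17) if is_probable_prime(p)), 1)


def local_sanity_check(n, bits=2048):
    """Checks a verifier can run with no proof from the peer: size, oddness,
    not a perfect square, no prime factor below 2^17. This rejects the toy
    modulus but cannot prove two-prime form; that needs the MOD/FAC proofs."""
    return (naive_accept(n, bits) and math.isqrt(n) ** 2 != n
            and math.gcd(n, _PRIMORIAL) == 1)


def crt_combine(residues):
    """Combine (value, modulus) pairs with pairwise coprime moduli."""
    big_m = reduce(lambda a, b: a * b, (m for _, m in residues), 1)
    x = sum(r * (big_m // m) * pow(big_m // m, -1, m) for r, m in residues)
    return x % big_m, big_m


def reconstruct_share(share_bits, factors, oracle):
    """One residue per signing round until the combined modulus exceeds the
    share size, then the share is recovered offline."""
    residues = []
    for p in factors:
        residues.append((oracle(p), p))
        x, big_m = crt_combine(residues)
        if big_m.bit_length() > share_bits:
            return x, len(residues)
    return None, len(residues)


def demo():
    """Weak check passes, local check rejects, honest key passes, share falls."""
    share = random.randrange(1, SECP256K1_ORDER)  # constructed honest share
    oracle = lambda p: share % p  # constructed stand-in for the residual leak
    n_bad, factors = malicious_paillier_modulus()
    recovered, rounds = reconstruct_share(256, factors, oracle)
    return {"weak_check_passes": naive_accept(n_bad),
            "local_check_rejects": not local_sanity_check(n_bad),
            "honest_modulus_passes": local_sanity_check(honest_paillier_modulus(512), 512),
            "share_recovered": recovered == share,
            "rounds_needed": rounds}
```

The local checks only rule out the crude case shown here; they cannot establish that a modulus is the product of exactly two large primes, which is what the MOD/FAC proofs exist to prove, and why accepting peer Paillier material without them leaves every later signing round as a leak.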
jpthor had already seen this—in the hours after the pause, he flagged GG20 as the most likely explanation.
Charles Guillemet elaborated on broader structural issues: in every published GG18 and GG20 attack, *one* malicious or compromised co-signer is sufficient.
Not majority. Not quorum. Just one.
If a single participant is malicious, the entire premise of distributed key security collapses at the co-signer layer.
jpthor subsequently laid out a three-step roadmap: patch GG20 to restore THORChain; migrate all ECDSA protocols to DKLS; then migrate Bitcoin signing to FROST.
He described GG20 as a “black box” with “many fragile assumptions”—a “black box forever”—the closest thing to an internal admission in public record.
THORChain partnered with Silence Labs in November 2025 to build a custom DKLS implementation, targeting delivery in Q1/Q2 2026—that’s why GG20 remained in production during the attack. That work remains incomplete.
THORChain’s rotation mechanism—the process by which validators rotate in and out of active Asgard vaults—made this possible.
Without it, a malicious operator would have no path to join a vault, participate in signature ceremonies, and accumulate key material. Attackers didn’t need to break cryptography. They just needed to get into the room.
Investigation continues with THORSec and Outrider Analytics.
Law enforcement has been contacted. Attacker identity remains unknown.
An attack report was released on May 20. A follow-up will be published once investigation concludes and recovery plans are finalized.
What’s known: on-chain links between node address, staking wallet, and receiving wallet—and the confirmed mechanism—a crypto library years behind, running on a fork containing an implementation flaw capable of leaking vault key material to a patient malicious operator.
Malicious node:
thor16ucjv3v695mq283me7esh0wdhajjalengcn84q
THORChain’s rotation mechanism exists to rotate trust—someone used it to buy time.
So how many other GG20-based vaults across DeFi sit atop the same unpatched library, awaiting their next patient operator?
Clean Sweep
Multiple chains. Dozens of tokens. One address.
Whoever did it knew exactly where everything was—and moved with precision that implies no improvisation.
Before the network pause fully propagated, every ERC-20 token on Ethereum, BNB Chain, and Base was aggregated into the attacker’s controlled address. Bitcoin moved in parallel.
By the time ZachXBT posted his alert, consolidation was complete.
QuillAudits published a full chain-by-chain breakdown on May 19.
The drain unfolded as follows...
Malicious Activity on Ethereum
Stablecoins, blue-chip DeFi tokens, and protocol-native assets drained from vaults:
1,756,756.02 USDT · 1,261,986.53 USDC · 73,768,463.86 XRUNE · 3,349,323.54 THOR · 5.206 WBTC · 64,138.47 LUSD · 61,074.86 GUSD · 38,762.45 USDP · 1,044.06 LINK · 4,567.54 DAI · 78.10 AAVE · 1,514.92 SNX · 481,996.68 FOX · 1.057 YFI · 11.43 DPI
Attacker address:
0x82fc0d5150f3548027e971ec04c065f3c93154eb
THORChain vault:
0x82a5CF67F3e6970C0529122178075C0a94878bDA
Outbound transactions:
View all on Etherscan
Funds sent here (~$6.77M):
0xd477b69551f49C0519F9B18c55030676138890Bd
Malicious Activity on BNB Chain
Diversified token basket drained—including stablecoins, wrapped BTC, and ETH equivalents:
274,256.09 USDC · 125,117.17 BSC-USD · 32,144.23 BUSD · 32,980.44 TWT · 15.615 ETH · 0.509 BTCB
Attacker address:
0x82fc0d5150f3548027e971ec04c065f3c93154eb
THORChain vault:
0x82a5cf67f3e6970c0529122178075c0a94878bda
Outbound transactions:
View all on BSCscan
Malicious Activity on Bitcoin
Two outbound transactions totaling over 40 BTC (~$3.26M):
36.85351435 BTC · 3.87429558 BTC
Attacker address:
bc1ql4u94klk265lnfur2ujk9p6uh52f2a8jhf6f37
THORChain vault:
bc1qt8f467qdkpmuflgwvgvvlr86r0kldnnvm7zhyv
Outbound transactions:
View all on mempool.space (scroll down to transactions)
Malicious Activity on Avalanche
Avalanche stablecoins and SOL-equivalent assets drained:
238,325.94 USDC · 43,041.25 USDT · 388.94 SOL
Attacker address:
0xd477b69551f49C0519F9B18c55030676138890Bd
THORChain vault:
0x82A3580296b014c27cFe6be23Ed471c30D878Bda
Outbound transactions:
0xd477b69551f49C0519F9B18c55030676138890Bd
Malicious Activity on Base
USDC drained in a single outbound transaction:
55,912.41 USDC
Attacker address:
0xd477b69551f49C0519F9B18c55030676138890Bd
THORChain vault:
0x82a5cf67f3e6970c0529122178075c0a94878bda
Single drain transaction:
0x4370739cf3f443fe129727ea1a9e215783d881c643f3ea1d12ce822aeb3e6af8
Malicious Activity on Dogecoin
Nearly 7.82 million DOGE (~$900K) drained across two nearly identical outbound transactions:
3,911,749.91 DOGE · 3,911,751.03 DOGE
Attacker address:
DBLJWFemMHbduKofBRg6TJ9XFAgWdvFCjS
THORChain vault:
DDL3tEh5P5vjSCNyU7t7sz9DQykRnr97d2
Outbound transactions:
View on BlockChair
Malicious Activity on Litecoin
LTC drained from vault:
6,866.74772083 LTC
Attacker address:
ltc1qg0h4rz5kf27fkr99gamw4heg20rfz5epd7m7wh
THORChain vault:
ltc1qt8f467qdkpmuflgwvgvvlr86r0kldnnvlzcnuu
Single drain transaction:
F5985741ef6d7418cd2f0f4e909b6f0d525f18c6010cca48d846731f23972bd4
Malicious Activity on Bitcoin Cash
BCH transferred from vault in a single transaction:
638.52948245 BCH
Attacker address:
qpp775v2je9texcv54rhd6kl9pfudy2nyyz4df2uvc
THORChain vault:
qpvaxhtcpkc8038ape3p3nuvlgd7makwds74qyng5p
Outbound transaction:
View on Blockchain
Malicious Activity on XRP
XRP drained across two transactions:
25,404.922305 XRP · 16.999982 XRP
Attacker address:
rwoGBrYEJ28jhBjchrTyCGXd1Pt4pobFBz
THORChain vault:
r9BxLykSngpSuUU4jXtZLDycXip3Suo7Rf
Outbound transactions:
View on XRPScan
Malicious Activity on TRON
89,172 TRX swapped for 31,215 USDT via SunSwap, bridged to Ethereum—13.9 ETH delivered to a known Ethereum money laundering hub.
TRON signing, transactions, and solvency checks were halted and disabled in Mimir, matching the pattern observed on confirmed drain chains.
Attacker address:
TXmo5sdVCvQnJgbvjAUpQJfyNx5EnqtAM3
THORChain vault:
TMt1UgzBNKETQMgGckJDomcMQhvwhGUiXo
TRON drain transaction:
0ee50dd1af24c08a2f73fab18dd96897fcd6c08cfca0a6397b519c8fe1fdf1f4
ETH delivery:
0x09c4bc73fddaac5697a609cb448cefc26e13ccba22ce1b762b309b010e0db5f4
Funds sent to Ethereum address:
0x82fc0d5150f3548027e971ec04c065f3c93154eb
THORChain’s official statement confirmed that node operators protecting the breached vault were slashed—losing staked RUNE due to unauthorized outbound transfers.
Protocol-owned funds were lost. Per the team’s preliminary assessment, no individual user transactions were impacted. The slashing mechanism worked. The vault did not.
The attack appeared sudden—but it wasn’t.
Chainalysis published a five-part thread on May 15 mapping weeks of preparatory activity beginning in late April—attackers funded entry via Monero, staked RUNE to become the attack vector node, and delivered 8 ETH to the final receiving wallet 43 minutes before the drain.
Multiple chains. One patient operator. Three weeks of preparation. The network paused itself the moment it looked problematic. By then, attackers had already finished.
What does it mean when the best thing about your security is how fast it confirms damage?
Audited—Just Not There
THORChain has auditors.
It launched a bug bounty program via ImmuneFi after the 2021 exploit—later controversially exited ImmuneFi to run its own self-hosted program, which itself retired in March 2026—two months before the exploit.
It has a history of taking security seriously—post-2021 catastrophe, it simultaneously hired Halborn and Trail of Bits to execute a five-pronged recovery plan including red teaming, protocol hardening, and formal audit sign-offs before relaunch.
None of that is in question. What’s questionable is where those audits pointed.
After the 2021 exploit, Trail of Bits conducted a full code audit of THORChain’s core protocol—THORNode, Bifrost cross-chain bridge code, and crucially, the tss-lib implementation underpinning the TSS vault system.
Halborn conducted a separate penetration test covering the THORNode stack, Bifrost, and vault security—including review of the threshold multisig implementation.
Both received passing scores. No unresolved critical vulnerabilities at publication.
In December 2021, Trail of Bits went further—disclosing vulnerabilities in tss-lib’s Shamir Secret Sharing, which directly impacted THORChain.
THORChain patched them. Protocol relaunched. Audits aged.
Since then, Halborn has remained active—conducting eight independent security assessments between January and November 2025.
Each scope was Rujira—the smart contract application layer of THORChain: lending contracts, order-book DEX, staking modules, lending pools.
Useful work. Necessary work. But entirely disconnected from the layer that just lost $10.7 million.
2020 – Early Security Work:
CertiK · April 2020 · THORChain Code Review
Kudelski Security · June 2020 · THORChain TSS
IOActive · November 2020 · Penetration Testing
2021 – Core Protocol:
Trail of Bits · August 2021 · THORChain Core + tss-lib
Halborn · September 2021 · TSS Audit
Halborn · September 2021 · State Machine, Router + Bifrost
Trail of Bits · December 2021 · tss-lib Shamir Secret Sharing – Vulnerability Disclosure (patched)
2024/2025 – Bifrost Observation Layer:
Zellic · November 2024 · THORChain Bifrost
Zellic · January 2025 · THORChain Bifrost UTXO Client
2025 – Rujira Application Layer Only:
Halborn · January–February 2025 · Rujira Trade (FIN) Smart Contracts
Halborn · February 2025 · Rujira Pools (BOW) Smart Contracts
Halborn · March–April 2025 · Rujira Staking Smart Contracts
Halborn · May 2025 · NAMI Protocol Rujira Index Products
Halborn · August 2025 · CALC Manager/Scheduler/Strategy Smart Contracts
Halborn · October 2025 · Ghost Vault (RUJI Lending) Smart Contracts
Halborn · October–November 2025 · Ghost Credit (Credit Accounts) Smart Contracts
Halborn · November 2025 · Rujira Trade FIN v1.1 Smart Contracts
The GG20 tss-lib fork—the cryptographic implementation at the heart of this exploit—has had no documented audit since 2021. Broader THORChain codebase has received recent attention—but none touched this layer.
Bifrost has received more recent scrutiny—Zellic audited the observation layer; the 2024 Code4rena contest covered EVM smart contract parsing logic.
But the cryptographic library at the heart of this exploit—Taylor Monahan noted its multi-year lag on security versions—was last formally reviewed before its severe vulnerabilities went public.
All 2025 assessments missed it.
TSSHOCK and CVE-2023-33241—two major GG20 vulnerabilities—were both disclosed in 2023.
The Trail of Bits audit covering tss-lib predates both disclosures.
The protocol continued running on the same library—through two public critical vulnerabilities—without any documented re-audit of this specific component.
To be clear: audits are point-in-time assessments. They prove, within their defined scope and at the moment they’re conducted, precisely what they’re asked to prove.
Halborn didn’t find GG20 vulnerabilities in 2021—because they hadn’t been disclosed yet.
Harder to explain is why no follow-up audits targeted the core protocol layer *after* those vulnerabilities became public.
Eight audits in 2025—all targeting the application layer—while the cryptographic foundation holding vaults hasn’t undergone formal review since before those vulnerabilities were disclosed.
Who decided this posture was acceptable?
THORChain survived it all.
Two exploits within ten days in 2021. A brief $200 million insolvency crisis that looked like a death spiral. A $1.2 billion North Korean laundering episode that fractured its community and drove core contributors away.
It absorbed every blow, restructured, kept the DEX running—and called it resilience.
Yet it never fully learned the lesson behind each event.
The cryptographic library protecting vaults lags years behind on security versions.
The last audit of the core protocol predates the public disclosure of the vulnerability now under investigation.
Yet eight audits were published in 2025—all pointing elsewhere.
Shortly after the exploit, fake refund portals began circulating—scammers targeting users who’d just watched their funds vanish.
By May 18, THORChain was forced to issue an explicit public warning: “No refund portal exists. Rely only on official channels.”
This warning remains displayed in a banner at the top of THORChain’s official website.
A protocol that lost $10.7 million to a patient, sophisticated attacker spent the next day fighting opportunists harvesting its own victims.
Investigation continues with THORSec and Outrider Analytics. Law enforcement is engaged.
A preliminary exploit report was released on May 20. A follow-up remains pending. No compensation plan has been announced.
Governance vote ADR-028 on handling losses remains open.
No timeline has been given for full network restart.
The protocol that laundered $1.2 billion for North Korea earned at least $12 million in fees—per Chainalysis’s conservative estimate—and called it neutral.
When Lazarus struck, node operators initially voted to halt ETH trading. Minutes later, the vote was overturned.
A core contributor resigned. The network kept running.
Then, on May 15, THORChain’s own vaults were emptied—and the protocol that found philosophical justification not to halt for Lazarus found a technical justification to halt itself—for twelve hours and forty-two minutes.
This contrast was not overlooked.
Does it reflect genuine architectural distinction—or selective application of decentralization principles? It’s a conversation THORChain can no longer postpone.
THORChain will likely survive this too. It has before—under harder circumstances.
But survival and accountability are two different things—and so far, this protocol has excelled far more at the former than the latter.
THORChain halted for North Korea only when it had no choice. It will rebuild from this—because it always has.
But at what point does resilience cease to be a virtue—and begin to serve as an excuse?