PANews reported on May 16 that Chainalysis published an article on the X platform disclosing the source of the THORChain attack. The article stated that wallets associated with the suspected attackers had been transferring funds through Monero, Hyperliquid, and THORChain for several weeks prior to the attack. The attackers' wallets had deposited funds into Hyperliquid positions through the Hyperliquid and Monero privacy bridges as early as the end of April. The funds were subsequently converted to USDC and transferred to Arbitrum, then bridged to Ethereum. Some of the ETH was then transferred to THORChain to stake RUNE for a newly joined node, which is believed to be the source of the attack.

The attackers then bridged some of their RUNE connections back to Ethereum and split them into four links. One link went directly to the attackers, and after passing through an intermediary wallet, transferred 8 ETH to the wallet that would ultimately receive the stolen funds 43 minutes before the attack. The funds flowed in the reverse direction on the other three links. From May 14th to 15th, these wallets again bridged the ETH back to Arbitrum, deposited it into Hyperliquid, and then transferred it to Monero through the same privacy bridge. The last transaction occurred less than five hours before the attack began. As of Friday afternoon, the stolen funds remained untouched, but the attackers demonstrated sophisticated cross-chain money laundering capabilities, and the Hyperliquid-to-Monero path may be their next move.