THORChain suffers its third major wipeout: a node operator masquerading as honest infiltrates a vault and exploits a key-leaking flaw over three weeks to steal $10.7 million.

THORChain has been hacked three times in five years; this time a GG20 vulnerability cost it $10.7 million, and the patch sat undeployed for nine days. The protocol also helped North Korea launder $1.2 billion, raising questions about its security governance.

Author: Rekt

Compiled by: Deep Tide TechFlow

Deep Tide Summary: Three thefts in five years, a $200 million insolvency hole, $1.2 billion laundered for North Korea, and even founder JP Thor's personal wallet swindled out of $1.2 million by North Korean hackers using a fake meeting. This time it wasn't bad luck: the patch for the known vulnerability had been sitting in the codebase for nine days without being deployed. When maintenance delays become the norm, who is responsible?

Three thefts in five years. There was also a $200 million insolvency crisis. Add to that the $1.2 billion laundered for North Korea.

THORChain's relationship with North Korea runs deeper than most protocols would ever admit.

North Korea even returned the favor, draining $1.2 million from founder JP Thor's personal wallet in September 2025 through a fake-meeting scam.

This doesn't seem like a recipe for success; it's more like a harbinger of disaster.

Then, on the morning of May 15, another $10.7 million was stolen.

At some point, the question is no longer "how did this happen", but "why do people still expect things to be different?"

On May 15, 2026, THORChain's Asgard vault was rapidly drained across multiple chains.

THORChain's own solvency checker, the only security upgrade born from the July 2021 disaster, triggered a halt that froze the network for 12 hours and 42 minutes.

The vault design was fine. The funds still disappeared.

RUNE dropped 15% before most people in the world had even read ZachXBT's Telegram post.

Its market value evaporated by $27 million in minutes.

This is a protocol that once stared into the abyss and kept building. But there is a limit to how many times the same wound can be called a learning experience.

When the vulnerability class is documented, the patch already exists, and the funds still go missing, at what point does deferred maintenance stop being negligence and become fault?

ZachXBT was the first to see it.

Earlier on May 15, his Telegram channel posted a community alert: THORChain was likely attacked on Bitcoin, Ethereum, BSC, and Base, resulting in losses exceeding $10.7 million.

TRM Labs later expanded the scope of the confirmed losses to at least nine chains—adding Avalanche, Dogecoin, Litecoin, Bitcoin Cash, and XRP to the initial four—and revised the total losses upward to over $11 million.

Arkham flagged the attacker's wallet.

But the drain was already complete.

PeckShield publicly confirmed roughly $10 million drained, including 36.75 BTC and about $7 million in assets spread across BNB Chain, Ethereum, and Base.

THORChain's own infrastructure reacted before the team did.

The Mimir governance module flipped the halt-trading and halt-signing parameters to active, and the node halt ran for about 12 hours and 42 minutes from block 26190429.

No human decision was required.

More than five hours after ZachXBT's announcement, THORChain released an official statement confirming what the on-chain data had shown: one of the six Asgard vaults had been breached. $10.7 million was gone.

Node operators securing the affected vault have had their bonded RUNE slashed for the unauthorized transfers. Churn is paused. Listings are postponed indefinitely. Initial indications are that no individual user transactions were affected.

THORSwap and Metro.exchange immediately stopped THORChain routing.

Maya Protocol paused out of caution.

ATOM trading went dark.

Alternative providers—Chainflip, NEAR Intents, Harbor, Flashnet, Garden, and 1inch—continue to operate unaffected.

While the ecosystem routed around the damage, the on-chain record was already telling a different story.

Among the earliest signals pointing at the cause: banteg flagged a GitLab commit to THORNode, created on May 6, nine days before the attack, titled "Signing a complete ObservedTx wrapper to prevent proposer forgery".

The patch existed. It had a title and a timestamp. It was never shipped.

That commit turns out to be one thread in a larger fabric: not the root cause, but an early indicator of the gap between what was known and what had been done.

Nine days separated a submitted patch from a $10.7 million loss—so, who is responsible for what lies in this gap?

One node, one key, one sweep

THORChain's vault is protected by a threshold signature scheme (TSS), a form of multi-party computation in which a quorum of nodes jointly produce a cryptographic signature, without any single node possessing the complete private key.

In theory, distributed trust. In practice, a vault is only as strong as each signer in its quorum.

The setup began several weeks before the drain was initiated. A newly created Discord account—"Dinosauruss"—joined the THORChain developer Discord on May 1st, asking how to get nodes rotated into the network as quickly as possible.

For no apparent reason the normal three-day churn interval slipped, forcing the attacker to wait. On May 13, two days before the attack, a new node operator with roughly 635,000 RUNE bonded across two addresses churned into the active validator set and was randomly assigned to one of five vaults.

Over the next two days, the node took part in routine GG20 signing ceremonies and collected everything it needed.

THORChain confirmed that the attacker exploited a vulnerability in the GG20 TSS implementation that allowed sensitive key material belonging to vault participants to leak over time.

By accumulating enough leaked material across signing rounds, the attacker reconstructed the vault's complete TSS private key and executed unauthorized transfers directly.

The proactive solvency checker catches insolvency before the vault produces a signature. But these transfers never went through the protocol's signing flow, so there was no signature for it to refuse. The passive checker fires only once the vault is observed to be short of funds, by which point the funds are already gone.

The solvency checker worked exactly as designed. The attack simply bypassed the layer it was watching.

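The blind spot described above, as an added illustration (my own simplified model in Python, not THORNode's code): a proactive check that runs only inside the signing path, a passive check that compares observed chain balances with the protocol's ledger, and a drain signed outside the protocol that only the second check can see. The Vault class, the halt-flag names and the balances are constructed for the example.

```python
# Simplified model of THORChain's two solvency checks (not THORNode code).
# Assumption: a proactive check only runs when the vault itself signs an
# outbound, while a passive check compares what the chain clients observe
# against the protocol's own ledger. Halt-flag names are illustrative, not
# real Mimir keys. Amounts are integer base units (satoshis, USDC micro-units).
from dataclasses import dataclass, field


@dataclass
class Vault:
    ledger: dict                       # what the protocol believes the vault holds
    observed: dict                     # what the chain clients actually see on-chain
    halt_flags: dict = field(default_factory=dict)  # Mimir-style switches (illustrative)


def proactive_check(vault, asset, amount):
    """Runs before the vault signs an outbound: refuse if the ledger would go
    insolvent. It never sees a transfer that is not signed through this path."""
    return vault.ledger.get(asset, 0) - amount >= 0


def sign_outbound(vault, asset, amount):
    """The protocol's own outbound path: check, sign, then update both views."""
    if not proactive_check(vault, asset, amount):
        return False
    vault.ledger[asset] -= amount
    vault.observed[asset] -= amount
    return True


def unauthorized_transfer(vault, asset, amount):
    """An attacker spending with a reconstructed key: the on-chain balance drops,
    the ledger is untouched, and no signing hook runs."""
    vault.observed[asset] -= amount


def passive_check(vault, tolerance_bps=100):
    """Runs on observation: if any asset is short by more than the tolerance,
    flip the halt flags for it. Returns the list of halted assets."""
    halted = []
    for asset, expected in vault.ledger.items():
        shortfall = expected - vault.observed.get(asset, 0)
        if shortfall > expected * tolerance_bps // 10_000:
            vault.halt_flags[f"HALTSIGNING_{asset}"] = True
            vault.halt_flags[f"HALTTRADING_{asset}"] = True
            halted.append(asset)
    return halted


def scenario():
    """Constructed sequence: one legitimate outbound, then a drain that never
    touches the signing flow. The 36.85351435 BTC figure is the Bitcoin outflow
    reported in the chain breakdown on this page; everything else is made up."""
    start = {"BTC": 40_00000000, "ETH.USDC": 1_500_000_000000}
    vault = Vault(ledger=dict(start), observed=dict(start))
    signed = sign_outbound(vault, "BTC", 1_00000000)          # 1 BTC, passes the proactive check
    clean = passive_check(vault)                               # both views agree: nothing halts
    unauthorized_transfer(vault, "BTC", 36_85351435)           # the drain
    blind_spot = proactive_check(vault, "BTC", 36_85351435)    # still True: the ledger never saw it
    halted = passive_check(vault)                              # observation finally catches the gap
    return signed, clean, blind_spot, halted, dict(vault.halt_flags)


if __name__ == "__main__":
    print(scenario())
```

The proactive check is correct and still useless here: it guards a door the attacker never walked through. Anything that can spend vault funds without going through the protocol's signing path is invisible until an observer compares the chain against the ledger, and by then the comparison is a post-mortem, not a control.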
To understand why the attacker could reconstruct the key at all, you have to understand what THORChain was running.

GG20 is a widely used threshold ECDSA protocol, typically used in systems that interact with Bitcoin and Ethereum.

It also has a documented history of critical vulnerabilities.

CVE-2023-33241 and TSSHOCK, both disclosed in 2023, are key extraction attacks that require only one compromised signatory to reconstruct the complete private key—silently, without triggering termination, and leaving no trace in normal protocol operations.

The specific mechanism THORChain hit has not been publicly confirmed to match either CVE, but both illustrate the class of attack the library is exposed to.

THORChain's TSS runs on a fork of Binance's tss-lib, a GG20 implementation.

As Taylor Monahan pointed out shortly after the attack was flagged: "My God, it looks like the tss-lib that THORChain is running is about 3 years and more than 2 major security versions behind."

Banteg published the most detailed technical analysis the day after the attack, examining THORChain's deployed fork directly: tss-lib v0.1.6, commit 287e1e2, as used by thornode v3.18.0.

His finding: the key-generation path accepts and persists a peer's Paillier material without requiring a well-formed family of MOD/FAC proofs that the Paillier modulus is the product of two primes.

A malicious node can therefore register a 2048-bit Paillier modulus that passes every check the library performs while being built from factors the attacker controls rather than two large primes.

Once the honest node persists that malformed key, every signing round that touches it exposes the oracle shape seen in the inspected code, leaking residues of the other participants' long-term signing shares that the attacker can accumulate and combine offline.

His test harness confirmed that oracle shape in the code under examination.

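As an added illustration of the leak-and-combine pattern banteg describes (my own toy model in Python, not tss-lib, THORNode or banteg's harness), the block below builds a 2048-bit Paillier modulus out of many 64-bit primes, shows that a keygen check limited to bit length, parity and trial division accepts it, and then plays the attacker: each signing round is modelled as yielding the victim's share reduced modulo one factor of the modulus, and the residues are combined with the Chinese remainder theorem once their product exceeds the secp256k1 group order. The exact oracle inside the real signing rounds is abstracted away; naive_modulus_check, malicious_modulus, leak_residue and the 64-bit factor size are assumptions of the model, not properties of the library.

```python
# Toy model of the malformed-Paillier-modulus oracle described above. Not
# tss-lib or THORNode code. Assumptions: (1) a naive keygen only checks bit
# length, parity and absence of tiny factors before persisting a peer's
# Paillier modulus N; (2) each signing round that uses a malformed N leaks the
# honest party's signing share reduced modulo one prime factor of N.
import random
from math import prod

# secp256k1 group order: the space a signing share lives in.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin; rng supplies the witness bases."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime_in(lo, hi, rng):
    """Random prime in the closed interval [lo, hi]."""
    while True:
        c = rng.randrange(lo, hi + 1) | 1
        if c <= hi and is_probable_prime(c, rng):
            return c


def naive_modulus_check(n, bits=2048, small_bound=1 << 16):
    """What a keygen that skips MOD/FAC proofs can still verify locally. It
    cannot tell a product of two 1024-bit primes from a product of many
    64-bit primes; closing that gap is what the zero-knowledge proofs are for."""
    if n.bit_length() != bits or n % 2 == 0:
        return False
    return all(n % p for p in range(3, small_bound, 2))


def malicious_modulus(bits=2048, factor_bits=64, seed=7):
    """Attacker's key: a product of many 64-bit primes, padded with one last
    prime sized so the result has exactly `bits` bits. Returns (N, factors)."""
    rng = random.Random(seed)
    n, factors = 1, []
    while bits - n.bit_length() > 160:
        p = random_prime_in(1 << (factor_bits - 1), (1 << factor_bits) - 1, rng)
        factors.append(p)
        n *= p
    lo = -(-(1 << (bits - 1)) // n)          # ceil(2^(bits-1) / n)
    hi = ((1 << bits) - 1) // n
    q = random_prime_in(lo, hi, rng)         # n*q lands in [2^(bits-1), 2^bits)
    return n * q, factors + [q]


def leak_residue(share, factor):
    """The per-round oracle in this toy model: one residue per signing round."""
    return share % factor


def crt(residues, moduli):
    """Chinese remainder theorem for pairwise coprime moduli (incremental form)."""
    x, m = 0, 1
    for r, p in zip(residues, moduli):
        t = ((r - x) * pow(m, -1, p)) % p
        x += m * t
        m *= p
    return x % m


def recover_share(share, factors, order=SECP256K1_N):
    """Collect residues round by round until the combined modulus exceeds the
    group order, then reconstruct. Returns (recovered_share, rounds_used)."""
    residues, used = [], []
    for p in factors:
        residues.append(leak_residue(share, p))
        used.append(p)
        if prod(used) > order:
            return crt(residues, used), len(used)
    raise ValueError("not enough leaked material")


def demo(seed=7):
    """Returns (naive check accepts the bad modulus, share recovered, rounds needed)."""
    n, factors = malicious_modulus(seed=seed)
    share = random.Random(seed + 1).randrange(1, SECP256K1_N)   # victim's share (constructed)
    recovered, rounds = recover_share(share, factors)
    return naive_modulus_check(n), recovered == share, rounds


if __name__ == "__main__":
    print(demo())
```

Five residues suffice because five 64-bit primes already exceed the 256-bit group order, so the toy attacker needs only a handful of rounds against a 2048-bit modulus. The failure of the naive check is structural rather than a bug in trial division: no test on N alone distinguishes a product of two 1024-bit primes from a product of thirty-odd 64-bit primes, which is why the honest party must demand a proof from the peer (the MOD/FAC proof family the article refers to) before persisting its modulus at all.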
jpthor had already called it, naming GG20 as the most likely explanation within hours of the halt.

Charles Guillemet elaborates on a broader structural problem: in each of the published GG18 and GG20 attacks, one malicious or compromised signatory is sufficient.

Not a majority, not a quorum, just one.

If a single participant is malicious, the entire premise of distributed key security collapses at the signer level.

jpthor then devised a three-step roadmap: patch GG20 to bring THORChain back online; migrate all ECDSA protocols to DKLS; and then migrate Bitcoin signatures to FROST.

He described GG20 as a "black box" with "many fragile assumptions" that "will always be a black box", which is the closest thing to an internal admission in the public record.

THORChain partnered with Silence Labs in November 2025 to build a custom DKLS implementation, with a target delivery time of Q1/Q2 2026. This is why GG20 was still in production at the time of the attack. That work was not yet complete.

THORChain's churn mechanism, in which validators periodically rotate in and out of the active Asgard vaults, is what makes this possible.

Without it, a malicious operator has no way to join a vault, sit in the signing ceremonies, and accumulate key material. The attacker didn't need to break the cryptography. They just needed to get into the room.

The investigation continues in collaboration with THORSec and Outrider Analytics.

Law enforcement has been contacted. The attacker's identity remains unknown.

An attack report was released on May 20. A follow-up report will be released once the investigation is complete and a recovery plan is finalized.

What is known is the on-chain link between node addresses, bonding wallets, and receiving wallets, plus the confirmed mechanism: a cryptographic library several years out of date, running on a fork with an implementation flaw that leaks vault key material to a patient malicious operator.

Malicious nodes:

thor16ucjv3v695mq283me7esh0wdhajjalengcn84q

THORChain's churn mechanism exists to rotate trust; someone used it to buy time.

So how many other GG20-based vaults in DeFi are sitting on the same unpatched library, waiting for the next patient operator?

Clean sweep

Multiple chains, dozens of tokens, one address.

Whoever did it knew exactly where everything was and moved it with a precision that didn't imply improvisation.

Before the network halt had fully propagated, every ERC-20 token on Ethereum, BNB Chain, and Base had been consolidated to an attacker-controlled address. Bitcoin moved in parallel.

By the time ZachXBT posted his alert, the consolidation was done.

QuillAudits published a complete chain-by-chain breakdown on May 19.

The drain, chain by chain:

Malicious behavior on Ethereum

Stablecoins, blue-chip DeFi tokens, and protocol-native assets drained from the vault:

1,756,756.02 USDT · 1,261,986.53 USDC · 73,768,463.86 XRUNE · 3,349,323.54 THOR · 5.206 WBTC · 64,138.47 LUSD · 61,074.86 GUSD · 38,762.45 USDP · 1,044.06 LINK · 4,567.54 DAI · 78.10 AAVE · 1,514.92 SNX · 481,996.68 FOX · 1.057 YFI · 11.43 DPI

Attacker's address:

0x82fc0d5150f3548027e971ec04c065f3c93154eb

THORChain Vault:

0x82a5CF67F3e6970C0529122178075C0a94878bDA

Transfer out transaction:

View all on Etherscan

Funds have been sent here (approximately US$6.77 million):

0xd477b69551f49C0519F9B18c55030676138890Bd

Malicious behavior on BNB

A saturated basket of diverse tokens, including stablecoins, wrapped BTC and ETH equivalents:

274,256.09 USDC · 125,117.17 BSC-USD · 32,144.23 BUSD · 32,980.44 TWT · 15.615 ETH · 0.509 BTCB

Attacker's address:

0x82fc0d5150f3548027e971ec04c065f3c93154eb

THORChain Vault:

0x82a5cf67f3e6970c0529122178075c0a94878bda

Transfer out transaction:

View all on BSCscan

Malicious behavior on Bitcoin

Two outgoing transactions totaling over 40 BTC (approximately $3.26 million):

36.85351435 BTC · 3.87429558 BTC

Attacker's address:

bc1ql4u94klk265lnfur2ujk9p6uh52f2a8jhf6f37

THORChain Vault:

bc1qt8f467qdkpmuflgwvgvvlr86r0kldnnvm7zhyv

Transfer out transaction:

View all on mempool.space (scroll down to transactions)

Malicious behavior on Avalanche

Drained Avalanche stablecoin and SOL equivalent assets:

238,325.94 USDC · 43,041.25 USDT · 388.94 SOL

Attacker's address:

0xd477b69551f49C0519F9B18c55030676138890Bd

THORChain Vault:

0x82A3580296b014c27cFe6be23Ed471c30D878Bda

Transfer out transaction:

Not given in the breakdown (the value listed for it repeats the attacker's address above).

Malicious behavior on Base

USDC drained in a single outgoing transaction:

55,912.41 USDC

Attacker's address:

0xd477b69551f49C0519F9B18c55030676138890Bd

THORChain Vault:

0x82a5cf67f3e6970c0529122178075c0a94878bda

Single drain transaction:

0x4370739cf3f443fe129727ea1a9e215783d881c643f3ea1d12ce822aeb3e6af8

Malicious behavior on Dogecoin

Nearly 7.82 million DOGE (approximately $900,000) was drained from two almost identical outflow transactions:

3,911,749.91 DOGE · 3,911,751.03 DOGE

Attacker's address:

DBLJWFemMHbduKofBRg6TJ9XFAgWdvFCjS

THORChain Vault:

DDL3tEh5P5vjSCNyU7t7sz9DQykRnr97d2

Transfer out transaction:

View on BlockChair

Malicious behavior on Litecoin

LTC drained from the vault:

6,866.74772083 LTC

Attacker's address:

ltc1qg0h4rz5kf27fkr99gamw4heg20rfz5epd7m7wh

THORChain Vault:

ltc1qt8f467qdkpmuflgwvgvvlr86r0kldnnvlzcnuu

Single drain transaction:

F5985741ef6d7418cd2f0f4e909b6f0d525f18c6010cca48d846731f23972bd4

Malicious behavior on Bitcoin Cash

BCH transferred from the vault in a single transaction:

638.52948245 BCH

Attacker's address:

qpp775v2je9texcv54rhd6kl9pfudy2nyyz4df2uvc

THORChain Vault:

qpvaxhtcpkc8038ape3p3nuvlgd7makwds74qyng5p

Transfer out transaction:

View on Blockchain

Malicious behavior on XRP

XRP drained in the two transactions:

25,404.922305 XRP · 16.999982 XRP

Attacker's address:

rwoGBrYEJ28jhBjchrTyCGXd1Pt4pobFBz

THORChain Vault:

r9BxLykSngpSuUU4jXtZLDycXip3Suo7Rf

Transfer out transaction:

View on XRPScan

Malicious behavior on TRON

89,172 TRX were swapped for 31,215 USDT via SunSwap and bridged to Ethereum; 13.9 ETH landed at a known Ethereum laundering hub.

TRON signing, trading, and solvency checks are halted and disabled in Mimir, matching the pattern on the other confirmed drained chains.

Attacker's address:

TXmo5sdVCvQnJgbvjAUpQJfyNx5EnqtAM3

THORChain Vault:

TMt1UgzBNKETQMgGckJDomcMQhvwhGUiXo

TRON drain transaction:

0ee50dd1af24c08a2f73fab18dd96897fcd6c08cfca0a6397b519c8fe1fdf1f4

ETH delivery:

0x09c4bc73fddaac5697a609cb448cefc26e13ccba22ce1b762b309b010e0db5f4

Funds sent to Ethereum address:

0x82fc0d5150f3548027e971ec04c065f3c93154eb

THORChain's official statement confirms that node operators securing the compromised vault have had their bonded RUNE slashed for the unauthorized transfer transactions.

Protocol-held funds have been lost. By the team's initial assessment, no individual users' transactions were affected. The halt mechanism fired. The vault was empty.

The attack appeared sudden, but it wasn't.

On May 15, Chainalysis released a five-part thread mapping out weeks of preparation that began in late April—the attackers entered via Monero funding, staked RUNE for the node that would become the attack vector, and delivered 8 ETH to the final receiving wallet 43 minutes before the drain was complete.

Multiple chains. A patient operator. Three weeks of preparation. The network stopped itself the moment it looked broken. By then, the attacker was already done.

What does it mean when the best thing about your security is how quickly it can identify damage?

Audited, just not there

THORChain has an auditor.

It launched a bug bounty program through Immunefi after the 2021 exploit, later left Immunefi amid controversy for a self-hosted program, and retired that program in March 2026, two months before this exploit.

It has a history of taking security seriously: after the 2021 disaster it hired Halborn and Trail of Bits at the same time to complete a five-pronged recovery plan, including red-team testing, protocol hardening, and formal audit sign-off, before relaunching.

None of that is wrong. The question is where the audits were pointing.

After the 2021 exploits, Trail of Bits conducted a full code audit of THORChain's core: THORNode, the Bifrost cross-chain bridge code, and, crucially, the tss-lib implementation underpinning the TSS vault system.

Halborn ran separate penetration tests covering the THORNode stack, Bifrost, and vault security, including a review of the threshold signature implementation.

Both passed. There were no unresolved critical findings at relaunch.

In December 2021, Trail of Bits went a step further, disclosing a vulnerability in tss-lib's Shamir secret sharing that directly affected THORChain.

THORChain patched it. The protocol relaunched. The audit aged out.

Since then, Halborn has been very active, conducting eight independent security assessments between January and November 2025.

Every one of them sits in Rujira, THORChain's smart-contract application layer: lending contracts, the order-book DEX, the staking module, and lending pools.

Useful work. Necessary work. But it has nothing to do with the layer that just lost $10.7 million.

2020 - Early Safety Work:

CertiK · April 2020 · THORChain Code Review

Kudelski Security · June 2020 · THORChain TSS

IOActive · November 2020 · Penetration Testing

2021 - Core Protocol:

Trail of Bits · August 2021 · THORChain core + tss-lib

Halborn · September 2021 · TSS Audit

Halborn · September 2021 · State Machine, Router + Bifrost

Trail of Bits · December 2021 · tss-lib Shamir Secret Share - Vulnerability Disclosure (Patched)

2024/2025 - Bifrost Observation Layer:

Zellic · November 2024 · THORChain Bifrost

Zellic · January 2025 · THORChain Bifrost UTXO Client

2025 - Rujira application layer only:

Halborn · January-February 2025 · Rujira Trade (FIN) Smart Contract

Halborn · February 2025 · Rujira Pools (BOW) Smart Contract

Halborn · March-April 2025 · Rujira Staking Smart Contract

Halborn · May 2025 · NAMI Protocol Rujira Index Product

Halborn · August 2025 · CALC Manager/Scheduler/Strategy Smart Contracts

Halborn · October 2025 · Ghost Vault (RUJI Lending) Smart Contract

Halborn · October-November 2025 · Ghost Credit (Credit Account) Smart Contract

Halborn · November 2025 · Rujira Trade FIN v1.1 Smart Contract

The GG20 tss-lib fork, the core cryptographic implementation at the heart of this exploit, has not been audited since 2021. The broader THORChain codebase has had recent attention, but none of it touched this layer.

Bifrost has had more recent attention: Zellic audited the observation layer, and the EVM smart-contract parsing logic was covered in the 2024 Code4rena contest.

But as Taylor Monahan pointed out, the cryptographic library at the core of this exploit is several years behind on security, and its last formal review predates the public disclosure of the serious vulnerabilities in that codebase.

None of the assessments in 2025 touched on it.

TSSHOCK and CVE-2023-33241, two major GG20 vulnerabilities, were both disclosed in 2023.

The Trail of Bits audit, which covers tss-lib, predates these two disclosures.

The protocol kept running on the same library through two publicly disclosed critical vulnerabilities, with no documented re-audit of that specific component.

To be fair, audits are point-in-time assessments. They cover a given scope at the moment they are performed and prove what they were asked to prove.

Halborn did not find the GG20 vulnerabilities in 2021; they had not been disclosed yet.

What's even harder to explain is why no follow-up audit of the core protocol layer was conducted after these vulnerabilities were made public.

Eight audits were conducted in 2025, all aimed at the application layer, while the cryptographic foundation holding the vaults had not been formally reviewed since before those vulnerabilities were made public.

Who decided that this was an acceptable stance?

THORChain survived everything.

Two exploits within ten days in 2021. A brief, death-spiral-looking $200 million insolvency crisis. A $1.2 billion North Korean money-laundering scandal that split its community and cost it core contributors.

It absorbed every blow, restructured, kept the DEX running, and called it resilience.

But it never fully learned the lesson of each incident.

The cryptographic library protecting the vaults is years behind on security.

The last audit of the core protocol predates the public disclosure of the vulnerability class now under investigation.

Eight audits were released in 2025, and every one of them pointed somewhere else.

Shortly after the exploit, fake refund portals began circulating, with scammers targeting users who had just watched their funds disappear.

By May 18, THORChain was forced to issue a clear public warning: there is no refund portal. Please rely solely on official channels.

This warning is still displayed on the top banner of the THORChain website.

A protocol that lost $10.7 million to a patient, sophisticated attacker was, the very next day, already fighting opportunists picking over its victims.

The investigation continues in conjunction with THORSec and Outrider Analytics, and law enforcement has become involved.

A preliminary vulnerability report was released on May 20th. Further reports are pending. There is currently no compensation plan.

The governance vote ADR-028 on how to handle the loss has not yet concluded.

No timeline has been given for a full network reboot.

By Chainalysis' conservative estimate, the protocol earned at least $12 million in fees from laundering $1.2 billion for North Korea, activity it described as neutral.

When Lazarus struck, node operators initially voted to halt ETH transactions. The vote was overturned within minutes.

A key contributor resigned. The network continues to operate.

Then, on May 15, THORChain's own coffers were emptied. The protocol that had found a philosophical reason not to shut down on Lazarus found a technical reason to shut itself down for twelve hours and forty-two minutes.

This contrast has not been overlooked.

Whether this reflects a genuine architectural difference or a selective application of the principle of decentralization is a question that THORChain can no longer postpone.

THORChain will likely weather this storm as well. It has done so before, even under more challenging circumstances.

But survival and accountability are two different things, and so far this protocol has done far better at the former than the latter.

THORChain would not shut down for North Korea when it had the choice. It will rebuild from here, because it always has.

But when did resilience cease to be a virtue and begin to be an excuse?



Opinions belong to the column author and do not represent PANews.
