THORChain Halts Trading After Suspected $10 Million Multi-Chain Exploit

Trading Suspended Following Security Alert

THORChain has suspended all trading operations after prominent blockchain security researchers identified a suspected exploit affecting multiple blockchain networks. Security analysts ZachXBT and PeckShield flagged suspicious activity spanning Bitcoin, Ethereum, BNB Smart Chain, and Base, with preliminary estimates placing losses at over $10 million.

Both security firms independently identified two addresses allegedly connected to the theft across Bitcoin and EVM-compatible networks. The cross-chain liquidity protocol has confirmed the breach and paused operations while investigating the incident.

Protocol Confirms Vault Compromise

In an official statement, THORChain acknowledged that one of its six Asgard vaults was compromised, resulting in the loss of approximately $10.7 million in protocol-owned funds. The team emphasized that initial analysis suggests no individual user swaps were directly affected by the security breach.

The market responded swiftly to the news, with RUNE, THORChain's native token, dropping as much as 11% following the announcement. At the time of reporting, RUNE was trading around $0.52, according to data from CoinGecko.

Pattern of Security Incidents

This latest exploit represents another chapter in an ongoing series of security and operational challenges facing the cross-chain liquidity protocol. The platform has experienced multiple disruptions over recent months that have raised concerns about its security infrastructure.

In January 2025, THORChain suspended its ThorFi lending operations following insolvency allegations. The protocol was forced to implement a 90-day restructuring process managed through its validator network. The situation escalated into a significant $200 million debt crisis, which the protocol ultimately resolved by converting defaulted obligations into a new equity-style token structure.

September 2025 brought another security incident when THORSwap issued a bounty following an exploit that drained approximately $1.2 million from the personal wallet of THORChain founder John-Paul Thorbjornsen. Security researcher ZachXBT subsequently linked that attack to North Korean hackers.

Cross-Chain Laundering Concerns

Beyond direct attacks on the protocol itself, THORChain has repeatedly emerged as a preferred route for laundering funds stolen in unrelated cryptocurrency exploits. The protocol's cross-chain capabilities make it an attractive tool for bad actors seeking to move stolen assets across different blockchain networks.

A recent example occurred when funds stolen in the Kelp DAO hack were transferred from ETH to BTC using THORChain's infrastructure. That single incident caused the protocol's daily volume to surge to $394 million, as reported by The Block.

Developing Situation

The current investigation into the multi-chain exploit remains ongoing, and THORChain has not announced a timeline for resuming normal trading operations. The protocol team is working to assess the full extent of the breach and implement additional security measures before restoring service.

This incident highlights the persistent security challenges facing cross-chain protocols in the decentralized finance ecosystem, where complex architecture spanning multiple blockchains creates expanded attack surfaces for malicious actors.