Login
Sign Up
THORChain has officially confirmed a $10 million security breach and activated a dedicated recovery portal to facilitate restitution for impacted participants. This initiative provides a self-custodial mechanism for users to revoke malicious token approvals and file claims against a treasury-backed refund pool matching the total loss amount. In a Saturday announcement on X, the THORChain Foundation detailed the portal's functionality, enabling affected individuals to verify their specific compensation eligibility immediately following the incident.
The attack was identified at 02:14 UTC on May 11, when node operators detected irregular outbound transaction patterns. Trading and outbound signing capabilities were suspended within eight minutes of detection to contain the breach. Data compiled by Woofun AI shows that attackers successfully drained 36.75 BTC, valued at approximately $3 million, alongside roughly $7 million in tokens distributed across BNB Chain, Ethereum, and Base. The incident compromised 12,847 wallets spanning four distinct chains.
Affected users are granted a 21-day window to submit their refund claims, with the deadline set for June 4. Any unclaimed funds remaining after this period will be transferred to the protocol's insurance fund. According to Woofun AI, the primary hypothesis suggests the attacker leveraged a vulnerability within the GG20 threshold signature scheme (TSS) implementation. This flaw permitted the gradual leakage of sensitive vault key material, which the adversary accumulated over time to reconstruct the vault's private key and authorize unauthorized outbound transfers.
Investigative findings indicate that a newly churned node joined the network several days prior to the exploit and is currently suspected of involvement. On-chain analysis has established links between the node's bonding addresses and the wallets that received the stolen assets. The Treasury is actively aggregating forensic data and collaborating with Outrider Analytics and relevant law enforcement agencies to identify the perpetrator and pursue the recovery of stolen funds where feasible.
This incident occurs amidst a broader surge in crypto hacks during April, where total losses reached $629.7 million, marking the industry's worst month since February 2025 when $1.47 billion was stolen. Major breaches at KelpDAO and Drift Protocol accounted for $293 million and $280 million respectively, representing 82% of April's total losses and reinforcing DeFi as the primary target sector. Woofun AI analysis suggests that the evolving pattern of attacks signals a strategic shift in compromise methods, with bridges, privileged access, and operational failures increasingly driving major incidents rather than simple smart contract bugs.