After being wiped out three times: THORChain loses another $10.7 million due to an unapplied patch
- Core Thesis: On May 15, 2026, THORChain suffered a breach of its Asgard vault by a malicious node, resulting in losses exceeding $10.7 million, due to a failure to deploy a patch for a known vulnerability. The incident exposes the protocol's chronic neglect of security updates, misaligned audit scopes, and its contradictory stance when facing the North Korean hacker group.
- Key Elements:
  - The attacker, through a newly joined malicious node, exploited a vulnerability in the outdated GG20 TSS cryptographic library running on THORChain. By accumulating key material, they reconstructed the full private key and executed unauthorized outgoing transactions.
  - A patch for this vulnerability had been submitted to GitLab 9 days before the attack (May 6), but was not deployed to the production environment, allowing the attack to succeed.
  - Losses spanned at least 9 chains, including Bitcoin, Ethereum, BSC, etc., totaling approximately $10.7 million. The price of the RUNE token dropped 15% rapidly following the announcement, with its market cap evaporating by about $27 million.
  - The protocol had not conducted a formal audit of its core TSS cryptographic library since 2021. All 8 audits in 2025 focused on the application layer (Rujira), neglecting the security posture of the core infrastructure.
  - THORChain had previously processed over $1.2 billion in funds for the North Korean Lazarus hacker group and refused to suspend related transactions. However, following this attack, it proactively paused the network for 12 hours and 42 minutes.
Original Author: Rekt
Original Translation: TechFlow
Foreword: Robbed three times in five years, $200 million in insolvency, laundering $1.2 billion for North Korea—and even founder jpthor's personal wallet was drained of $1.2 million by North Korean hackers using a fake meeting scam. This time it wasn't bad luck, but a patch for a known vulnerability sitting in the code repository for nine days without being deployed. When maintenance delays become the norm, where does the blame lie?
Robbed three times in five years. A $200 million insolvency crisis. Plus $1.2 billion laundered for North Korea.
THORChain's relationship with North Korea runs deeper than most protocols are willing to admit.
North Korea even repaid the favor in September 2025, siphoning $1.2 million from co-founder jpthor's personal wallet via a fake meeting scam.
This doesn't look like a recipe for success. It looks more like an omen of disaster.
Then on the morning of May 15, another $10.7 million was stolen.
At some point, the question is no longer "how did this happen," but "why is anyone still expecting something different?"
On May 15, 2026, THORChain's Asgard vault was quickly drained across multiple chains.
THORChain's own automated solvency checker triggered a pause—the only security upgrade born from the July 2021 disaster—and froze the network for 12 hours and 42 minutes.
The vault design was sound. The funds were still gone.
RUNE fell 15% before most of the world had even finished reading ZachXBT's Telegram post.
Market cap evaporated by $27 million in minutes.
This is a protocol that stared into the abyss and kept building. But there is a limit to calling the same wound a "learning experience" time and again.
When the vulnerability type has been documented, a patch exists, and the funds still disappear—at what point does deferred maintenance shift from negligence to misfeasance?
ZachXBT saw it first.
Earlier on May 15, his Telegram channel posted a community alert: THORChain was likely being exploited on Bitcoin, Ethereum, BSC, and Base, with losses exceeding $10.7 million.
TRM Labs later expanded the confirmed scope to at least nine chains—adding Avalanche, Dogecoin, Litecoin, Bitcoin Cash, and XRP to the original four—and revised total losses upward to over $11 million.
Arkham flagged the attacker's wallet.
But the drain was already complete.
PeckShield publicly confirmed: approximately $10 million was drained, including 36.75 BTC and roughly $7 million in assets distributed across BNB Chain, Ethereum, and Base.
THORChain's own infrastructure moved before the team did.
THORChain's Mimir governance module flipped transaction pause and signing pause parameters to active, with node pause running from block 26190429 for approximately 12 hours and 42 minutes.
No human decision required.
Over five hours after ZachXBT's announcement, THORChain released an official statement confirming what the on-chain data already showed: one of the six Asgard vaults was breached. $10.7 million was gone.
Node operators securing the affected vault had their staked RUNE slashed for the unauthorized outflow transactions. Rotations were paused. On-chain listings were postponed indefinitely. Preliminary indications showed no individual user transactions were affected.
THORSwap and Metro.exchange immediately stopped THORChain routing.
Maya Protocol paused out of caution.
ATOM trading went dark.
Alternative providers—Chainflip, NEAR Intents, Harbor, Flashnet, Garden, 1inch—continued running, unaffected.
As the ecosystem scrambled, the on-chain record was already telling a different story.
Among the earliest signals pointing to the cause: banteg flagged a GitLab commit to THORNode, created on May 6—nine days before the exploit—titled "Sign full ObservedTx wrapper to prevent proposer forgery."
The patch existed. It had a name and a timestamp. It was never deployed.
This commit would prove to be one thread in a larger fabric, not the root cause, but an early indicator of the gap between the known and the done.
Nine days separated a committed patch from a $10.7 million loss—so who, exactly, is accountable for what exists in that gap?
One Node, One Key, One Sweep
THORChain's vaults are protected by a Threshold Signature Scheme (TSS), a form of multi-party computation where a quorum of nodes jointly generates a cryptographic signature without any single node possessing the full private key.
Distributed trust in theory. In practice, only as strong as each co-signer in the quorum.
The setup began weeks before the drain. A newly created Discord account—"Dinosauruss"—joined the THORChain developer Discord on May 1, asking how to get a node rotated into the network as quickly as possible.
For unrelated reasons, the normal three-day rotation interval was delayed, forcing the attacker to wait. On May 13, two days before the exploit, a brand new node operator with approximately 635,000 RUNE across two staking addresses rotated into the active validator set and was randomly assigned to one of five vaults.
Over the next two days, the node participated in routine GG20 signing ceremonies, gathering everything it needed.
THORChain's confirmed findings: the attacker exploited a vulnerability in the GG20 TSS implementation that allowed sensitive key material of vault participants to leak over time.
By accumulating enough leaked material across signing rounds, the attacker reconstructed the vault's full TSS private key and executed unauthorized outflow transactions directly.
The proactive solvency checker inspects a vault for insolvency before each signing. The attacker's transactions never passed through that signing path, so there was no signature for it to catch. The passive checker fired only once the vault went short, by which time the funds were already gone.
The solvency checker worked as designed. The exploit simply bypassed the layer it monitored.
To understand why the attacker could reconstruct the key in the first place, you must understand what THORChain is running.
GG20 is a widely used threshold ECDSA protocol, typically employed by systems interacting with Bitcoin and Ethereum.
It also has a documented history of critical vulnerabilities.
CVE-2023-33241 and TSSHOCK, both disclosed in 2023, are key extraction attacks requiring only a single compromised co-signer to reconstruct the full private key—silently, without triggering an abort, leaving no trace during normal protocol operation.
The specific mechanism used against THORChain has not been publicly confirmed to match any CVE, but both illustrate the class of attack to which the library is susceptible.
THORChain's TSS runs on a fork of the Binance tss-lib implementation of GG20.
As Taylor Monahan pointed out shortly after the attack was flagged: "Oh wow, looks like THORChain is running a tss-lib about 3 years and 2+ major security versions behind."
banteg published the most detailed technical analysis the day after the attack, directly examining THORChain's deployed fork, tss-lib v0.1.6 (commit 287e1e2), as used in thornode v3.18.0.
His findings: the key-generation path accepts and persists a peer's Paillier material without requiring proof, via the MOD/FAC proof families, that the Paillier modulus is a well-formed product of two primes.
Consequently, a malicious node can register a 2048-bit Paillier modulus that passes every check the library performs while being built from factors the attacker knows.
Once an honest node persists this malformed key, every signing round that touches it exposes an oracle in the checked code, leaking residues of other participants' long-term signing shares, which the attacker can accumulate and combine offline.
A harness test he wrote confirmed that oracle against the checked-in code.
jpthor saw this early, flagging GG20 as the most likely explanation within hours of the pause.
Charles Guillemet articulated a broader structural problem: in every published GG18 and GG20 attack, a single malicious or compromised co-signer is sufficient.
Not a majority, not a quorum—one.
If a single participant is malicious, the entire premise of distributed key security collapses at the co-signer layer.
jpthor has since laid out a three-step roadmap: patch GG20 to bring THORChain back online; migrate all ECDSA protocols to DKLS; then migrate Bitcoin signing to FROST.
He described GG20 as a "black box" with "many fragile assumptions" that "will always be a black box"—the closest thing to an internal admission on the public record.
THORChain partnered with Silence Labs in November 2025 to build a custom DKLS implementation, with a target delivery of Q1/Q2 2026. That work was not yet finished, which is why GG20 was still in production at the time of the attack.
THORChain's rotation mechanism—the process by which validators periodically rotate in and out of active Asgard vaults—made this possible.
Without it, a malicious operator would have no path to join a vault, participate in signing ceremonies, and accumulate key material. The attacker did not need to break the cryptography. They only needed to get in the room.
The investigation continues with THORSec and Outrider Analytics.
Law enforcement has been contacted. The attacker's identity remains unknown.
An attack report was published on May 20. A follow-up report will be published once the investigation is complete and a recovery plan is finalized.
What is known are the on-chain links between the node address, staking wallets, and receiving wallets, and the confirmed mechanism—a cryptographic library years behind on security versions, running on a fork containing an implementation flaw capable of leaking vault key material to a patient malicious operator.
Malicious node:
thor16ucjv3v695mq283me7esh0wdhajjalengcn84q
THORChain's rotation mechanism exists to rotate trust. Someone used it to buy time.
How many other GG20-based vaults in DeFi are sitting on the same unpatched library, waiting for the next patient operator?
Swept Clean
Multiple chains, dozens of tokens, one address.
Whoever did it knew exactly where everything was and moved with a precision that suggests no improvisation.
Before the network pause had fully propagated, every ERC-20 token on Ethereum, BNB Chain, and Base was funneled to the attacker's controlled address. Bitcoin moved in parallel.
By the time ZachXBT published his alert, the consolidation was complete.
QuillAudits published a full chain-by-chain breakdown on May 19.
The drain looked like this...
Malicious Activity on Ethereum
Stablecoins, blue-chip DeFi tokens, and protocol-native assets drained from the vault:
1,756,756.02 USDT · 1,261,986.53 USDC · 73,768,463.86 XRUNE · 3,349,323.54 THOR · 5.206 WBTC · 64,138.47 LUSD · 61,074.86 GUSD · 38,762.45 USDP · 1,044.06 LINK · 4,567.54 DAI · 78.10 AAVE · 1,514.92 SNX · 481,996.68 FOX · 1.057 YFI · 11.43 DPI
Attacker Address:
0x82fc0d5150f3548027e971ec04c065f3c93154eb
THORChain Vault:
0x82a5CF67F3e6970C0529122178075C0a94878bDA
Outgoing Transactions: listed on Etherscan
Funds Sent To (approx. $6.77M):
0xd477b69551f49C0519F9B18c55030676138890Bd
Malicious Activity on BNB
Diverse token basket drained, including stablecoins, wrapped BTC, and ETH equivalents:
274,256.09 USDC · 125,117.17 BSC-USD · 32,144.23 BUSD · 32,980.44 TWT · 15.615 ETH · 0.509 BTCB
Attacker Address:
0x82fc0d5150f3548027e971ec04c065f3c93154eb
THORChain Vault:
0x82a5cf67f3e6970c0529122178075c0a94878bda
Outgoing Transactions: listed on BSCscan
Malicious Activity on Bitcoin
Two outgoing transactions totaling over 40 BTC (approximately $3.26M):
36.85351435 BTC · 3.87429558 BTC
Attacker Address:
bc1ql4u94klk265lnfur2ujk9p6uh52f2a8jhf6f37
THORChain Vault:
bc1qt8f467qdkpmuflgwvgvvlr86r0kldnnvm7zhyv
Outgoing Transactions: listed on mempool.space
Malicious Activity on Avalanche
Avalanche stablecoins and SOL equivalent assets drained:
238,325.94 USDC · 43,041.25 USDT · 388.94 SOL
Attacker Address: