Key takeaways
- On-chain firm ZachXBT has identified a breach exceeding $10 million on THORChain, spanning the Bitcoin, Ethereum, BSC and Base networks.
- The protocol activated emergency closure procedures, suspending all swap and trading operations to protect liquidity providers
- The attackers’ addresses identified contained 36.85 BTC, 3,443 ETH, 96.6 BNB as well as additional digital assets.
- RUNE saw a sharp decline of 15%, falling from $0.58 to approximately $0.50 after the hack was disclosed.
- Open interest in RUNE derivatives rose 19% during a four-hour window, indicating increased speculative trading amid the sell-off.
On May 15, 2026, THORChain – a decentralized protocol for facilitating cross-chain liquidity – fell victim to a security breach resulting in losses exceeding $10 million. The incident was first highlighted by popular blockchain investigator ZachXBT, who documented suspicious money movements across multiple blockchain networks.
The hack affected four major networks: BitcoinEthereum, BNB Smart Chain, and Base. The malicious actor extracted the assets by exploiting THORChain’s router smart contracts deployed on each of its blockchains.
Blockchain analytics service Arkham Intelligence tracked addresses controlled by the attacker. Their analysis revealed holdings of 36.85 BTC, 3,443 ETH, and 96.6 BTC, as well as several stablecoins including USDT, USDC, and Wrapped Bitcoin (WBTC).
ZachXBT’s initial assessment estimated the damage at more than $7.4 million. After further forensic investigation and tracing of the transactions, he revised the total upward to at least $10 million.
Emergency shutdown procedures have been activated
After the security incident was revealed, the THORChain team initiated the protocol’s integrated emergency shutdown system. This HaltTrading function immediately suspended all trading and token swap functions across every connected blockchain.
Despite the trading freeze, the underlying THORChain blockchain continues to operate, and the original RUNE token transfers remain effective. This shutdown protocol exists specifically to prevent cascading losses while network node operators investigate the hack.
Several blockchain security monitoring services, including PeckShieldAlert, quickly identified and flagged suspicious wallet addresses after public disclosure. THORChain’s validation nodes automatically entered sandbox mode as programmed into the protocol’s defense architecture.
ZachXBT also criticized an unverified third-party source that reposted the breach information without conducting independent verification. He noted that they failed to confirm actual loss amounts or verify the authenticity of the blockchain that was hacked.
The value of the token is witnessing a sharp decline
Within minutes of ZachXBT’s public reveal gaining traction, RUNE saw a sharp 15% decline. The digital asset fell from over $0.58 to around $0.50 before finding temporary support.
As of this report, Ron Hands changed hands around $0.52. The token’s 24-hour trading range extended from $0.502 to $0.597.
Spot market activity intensified dramatically, with trading volume increasing by nearly 140% over 24 hours as equity holders liquidated their positions. Interestingly, futures markets showed contradictory behavior.
According to CoinGlass metrics, total open interest in THORChain futures expanded more than 6% to $24.80 million in just 60 minutes. RUNE futures saw open interest swell by 19% in four hours, with major exchanges Binance and Bybit recording increases of 17% and 19% respectively.
RUNE’s total market capitalization was approximately $204.88 million before the stock exchanges fully reflected the price correction. The asset has fallen more than 70% from its peak over the past 12 months.
This incident marks the second time in 2026 that THORChain has been linked to major security events. In April, approximately $175 million worth of ETH from the massive $290 million Kelp DAO exploit was laundered through THORChain as attackers distributed the funds across multiple wallet addresses.
This earlier incident highlighted the ongoing challenges in recovering stolen cryptocurrencies, particularly when illicit funds traverse multiple blockchain ecosystems, making forensic tracking significantly more complex.
