$10M Gone: Thorchain Exploit Triggers Security Fears Across DeFi

bitcoinist | Published 2026-05-17 | Updated 2026-05-17

Article summary

Blockchain tracker Arkham Intelligence has identified wallets linked to a THORChain exploit, holding approximately $3 million in Bitcoin and 216 ETH. On-chain investigator ZachXBT first reported the suspicious activity, estimating total losses now exceed $10 million. The attackers moved assets like USDT, USDC, and wrapped Bitcoin across multiple chains before converting to ETH. The cross-chain trading protocol was hit simultaneously on Bitcoin, Ethereum, BNB Chain, and Base. Security firm PeckShield confirmed the breach. Following the news, THORChain's native token RUNE dropped nearly 14%. The project's team had not issued a public statement at the time of reporting, increasing market anxiety. This incident highlights the recurring vulnerability of cross-chain infrastructure in DeFi, where complex code can create significant security risks. The stolen funds remain in the identified wallets for now.

Blockchain tracking firm Arkham Intelligence has labeled a set of suspicious wallets as “THORChain Exploiter” addresses, with one Bitcoin-linked wallet holding close to 36.85 BTC — worth roughly $3 million — and a separate Ethereum wallet carrying around 216 ETH. The funds are sitting there, visible on-chain, linked to two addresses that security researchers have already flagged publicly.

Who Found It First

The person who spotted the attack before anyone else did was on-chain investigator ZachXBT. He reported suspicious movement tied to THORChain’s router infrastructure, describing how attackers shifted roughly $7.2 million in assets — including USDT, USDC, and wrapped Bitcoin — across several blockchains before converting them into ETH.

His initial estimate of losses above $7.4 million was later revised upward. The total stolen, according to ZachXBT, may now exceed $10 million.

THORChain is a cross-chain trading protocol that lets users swap crypto assets across different blockchains without relying on a centralized exchange. That design also means its infrastructure touches multiple networks at once — and in this case, that became a vulnerability. The attack hit Bitcoin, Ethereum, BNB Chain, and Base simultaneously.

Security firm PeckShield independently confirmed the breach. Based on their estimates, attackers walked away with around 36.75 BTC worth close to $3 million, along with roughly $7 million more pulled from the Ethereum, BNB Chain, and Base ecosystems.

BTCUSD now trading at $77,926. Chart: TradingView

Markets React, Team Goes Quiet

RUNE, THORChain’s native token, dropped close to 14% in the hours following news of the breach, sliding toward the $0.50 mark as traders moved to cut their exposure. The price drop was fast. The official response was not.

As of reporting, THORChain had not issued a public statement explaining the scope of the exploit or what steps were being taken to address it.

That silence has added to the anxiety in the market. The protocol survived earlier security incidents by tapping into treasury reserves and recovery mechanisms, but without clarity from the team, it is difficult to know whether a similar path is possible this time.

A Pattern That Keeps Repeating

Cross-chain infrastructure has repeatedly been the site of major losses in decentralized finance. Bridges and routing systems that connect different blockchains require complex code — and complex code creates more opportunities for something to go wrong. The THORChain attack fits that pattern.

The stolen assets remain in the flagged wallets for now. Whether they stay there is another question.


Related Q&A

Q: How much was stolen in the THORChain exploit according to the latest estimate by on-chain investigator ZachXBT?

A: According to the latest estimate by on-chain investigator ZachXBT, the total stolen amount may exceed $10 million.

Q: Which specific blockchains were impacted by the THORChain exploit mentioned in the article?

A: The attack impacted Bitcoin, Ethereum, BNB Chain, and Base simultaneously.

Q: What happened to the price of THORChain's native token (RUNE) following news of the security breach?

A: Following news of the breach, THORChain's native token (RUNE) dropped close to 14%, sliding toward the $0.50 mark.

Q: According to the article, why is cross-chain infrastructure like THORChain's particularly vulnerable to attacks?

A: Cross-chain infrastructure is particularly vulnerable because bridges and routing systems require complex code, and complex code creates more opportunities for something to go wrong.

Q: What action had the THORChain team taken regarding the exploit at the time of the article's reporting?

A: At the time of the article's reporting, THORChain had not issued a public statement explaining the scope of the exploit or what steps were being taken to address it.
