THORChain halted trading and signing across multiple networks on May 15, 2026, after investigators identified a multi-chain exploit that drained more than $10 million in crypto assets. ZachXBT first flagged the incident publicly, and blockchain security firms quickly corroborated the on-chain movements as tracing expanded across Bitcoin, Ethereum, BNB Smart Chain and Base.
The exploit appears to have targeted THORChain’s router and vault-churn infrastructure, with attackers using address-poisoning techniques during a routine migration process. Early loss estimates started above $7.4 million before investigators revised the figure toward roughly $10.8 million as additional assets and consolidations were identified.
Think you meant to say:
Source of intel is ZachXBT’s Telegram Channel https://t.co/aoRDfz2all pic.twitter.com/y2asegkvRI
— ZachXBT (@zachxbt) May 15, 2026
Assets Consolidated Across Bitcoin, Ethereum and BNB
The largest visible movements included 36.854 BTC worth about $2.97 million, 3,443 ETH worth about $7.77 million and 96.588 BNB worth about $66,130. Additional tokens, including USDT, USDC, WBTC, DAI, THOR, LUSD, XRUNE, GUSD, AAVE, LINK and FOX, were reportedly taken and swapped into ETH during the exploit flow.
The main addresses identified in tracing were the Bitcoin consolidation address bc1ql4u94klk265lnfur2ujk9p6uh52f2a8jhf6f37, the initial ETH-related address 0x82fc0d5150f3548027e971ec04c065f3c93154eb, and the main ETH consolidation address 0xd477b69551f49c0519f9b18c55030676138890bd.
Markets reacted immediately. RUNE dropped roughly 12% to 15%, falling from above $0.58 to around $0.50 as traders priced in fresh uncertainty around THORChain’s cross-chain security model.
Emergency Halts Contain Further Movement
THORChain operators activated emergency controls, pausing trading and signing across networks including Ethereum, Avalanche, BNB Smart Chain, Base, Dogecoin, Gaia, Bitcoin, Litecoin, Solana, Tron and XRP. Mimir, the protocol’s governance parameter system, was used to halt validator churn and freeze operations while the investigation continued.
The incident reinforces the operational risk embedded in cross-chain liquidity systems, where routing, vault migration and signing coordination can become high-value attack surfaces. Even without a finalized post-mortem, the exploit shows how quickly multi-chain infrastructure failures can transmit into token price pressure, liquidity disruption and emergency governance action.
The immediate risk is reduced confidence in THORChain pools and higher execution uncertainty around RUNE. For infrastructure teams, the priority now is tracing attacker wallets, validating vault-churn logic and publishing a clear remediation plan before normal cross-chain operations resume.
