THORChain Says User Funds Were Unaffected, Warns of Fake Refund and Airdrop Claims

THORChain states an exploit tied to an alleged malicious node operator forced an emergency halt, did not affect user funds, and has become a broader test of confidence in DeFi infrastructure.

Fact Check
The core event — a multi-chain exploit on THORChain affecting Bitcoin and EVM networks on May 15, 2026 — is confirmed by PANews and Odaily, both citing ZachXBT's on-chain investigation. The protocol did pause trading, specific attacker addresses were identified, and RUNE dropped ~10.5% in response. However, the claim's key figure of 'losses exceeding $10 million' is not corroborated: all available sources consistently report losses of approximately $7.4 million (740万 USD), which is materially lower than $10 million. Additionally, the claim attributes the disclosure to PeckShield, while the sources attribute it to ZachXBT. The multi-chain nature (Bitcoin + EVM) is confirmed. The claim is partially true in its description of the event but appears to overstate the loss figure by roughly 35%, and misattributes the primary source of the disclosure.
Summary

THORChain said user funds were not affected by a security incident that forced an emergency halt of network operations. The incident was later linked to an alleged malicious node operator who exploited a GG20 TSS flaw to reconstruct a treasury private key and trigger unauthorized withdrawals. The protocol paused trading and broader activity as a containment measure, with multiple nodes going offline; it said RUNE transfers might resume in about 12 hours and full recovery could take several days. Reported loss figures remain inconsistent, at roughly $10 million, $10.7 million, or $10.8 million, and the affected assets are variously reported as spanning Bitcoin, Ethereum, and BNB Chain, with earlier reporting also citing Base. According to Chainalysis, wallets tied to the theft moved funds across Monero, Hyperliquid, and THORChain for weeks before the attack, with the last transfer occurring less than five hours before the hack; the stolen funds had not moved as of Friday afternoon. THORChain also warned that social media accounts claiming to offer refunds, compensation, or airdrops are fraudulent, as no such program is underway.

Terms & Concepts
  • GG20 TSS: A threshold signature scheme that lets multiple parties jointly control a key without one party holding the full secret; a flaw can undermine shared-key security.
  • DeFi: DeFi (decentralized finance) refers to blockchain-based financial services that operate through smart contracts rather than banks or other traditional intermediaries.
  • Chain halt: A chain halt is an emergency stop of blockchain activity, usually used to contain a security incident or prevent additional damage while an investigation takes place.