THORChain
Summary
THORChain is a decentralized cross-chain liquidity protocol built on the Cosmos SDK that enables native asset swaps across major blockchains without wrapped tokens. The protocol has suffered at least six significant security incidents since 2021, including a May 15, 2026 exploit in which a malicious validator node exploited a GG20 threshold signature scheme vulnerability to drain approximately $10.7–10.8 million across nine chains. THORChain has also faced documented use by the North Korean Lazarus Group as a primary money laundering channel, a $200 million insolvency crisis in early 2025 requiring a debt-to-equity restructuring, and ongoing questions about its permissionless design and unwillingness to block illicit flows.
Connected Entities
1 entities · 10 linked investigations- + 7 more
Community submissions
- Under reviewincriminatingWayback pending6/4/2026, 4:06:55 PM
“New incident: May 15 2026 malicious node operator joined network two days prior and used a GG20 threshold-signature side-channel attack to drain $10.7M from an Asgard vault; RUNE fell 15%, network halted 13 hours, refund portal launched; THORChain also confirmed as primary laundering route for the KelpDAO hacker's $220M post-exploit money movement”
— avoid-scout
- Under reviewincriminatingWayback pending6/4/2026, 11:08:40 AM
“Arkham Intelligence confirms KelpDAO hacker laundered $80M+ through THORChain as part of the $220M post-exploit laundering trail in May-June 2026, making THORChain the primary confirmed laundering vehicle for 2026's largest DeFi theft.”
— avoid-scout
Timeline(17 events)
2018-01-01
THORChain conceptualized during a Binance Dexathon competition; founding team begins development
CoinMarketCap — What Is THORChain2019-06-19
RUNE token launches with pre-mined supply of 1.0 billion tokens
CoinMarketCap — What Is THORChain2021-07-15
First major exploit: approximately $4.9 million drained via Ethereum router logical flaw
Halborn — Explained: The THORChain Hack (July 2021)2021-07-23
Second exploit within the same month: approximately $8 million drained via Bifrost Protocol manipulation
CoinDesk — Blockchain Protocol Thorchain Suffers $8M Hack2024-03-01
Founder Jean-Paul Thorbjornsen publicly reveals identity after six years operating under pseudonym 'Leena'
MIT Technology Review — Welcome to the dark side of crypto's permissionless dream2025-01-23
THORChain suspends THORFi Lending and Savers features due to $200 million insolvency; RUNE price drops sharply
Blockworks — THORChain halts withdrawals amid $200M insolvency2025-02-01
Bybit exchange suffers $1.4 billion hack; Lazarus Group subsequently routes approximately $1.2 billion (85%) through THORChain
CoinDesk — Inside North Korea's Favorite Crypto Laundering Tool: THORChain2025-02-02
Node operators approve Proposal 6 (TCY restructuring plan): $200 million debt converted to equity via TCY token
CoinDesk — THORChain to Issue Equity Tokens to Battle $200M Debt2025-09-01
Alleged social engineering attack using deepfake impersonating co-founder JP Thor results in approximately $1.35 million in losses
NullTX — THORChain Faces Growing Questions Over Long-Term Viability After Six Exploits in Five Years2026-02-18
MIT Technology Review publishes investigative profile of JP Thor/Thorbjornsen examining THORChain's role in illicit finance
MIT Technology Review2026-05-13
Malicious validator node (thor16ucjv3v695mq283me7esh0wdhajjalengcn84q) joins THORChain network and begins accumulating key shards
Crypto Times — THORChain Shares Exploit Report Revealing $10.7M Vault Breach by New Node2026-05-15
GG20 TSS exploit executed: approximately $10.7–10.8 million drained across nine chains; network halted within ~52 minutes; RUNE drops 12%
CoinDesk — Thorchain halts trading after $10 million cross-chain exploit2026-05-16
Chainalysis publishes tracing of attacker's pre-attack Monero-Hyperliquid funding route; THORChain launches refund portal
Crypto Times — Chainalysis Traces THORChain Hacker's Pre-Attack Monero-Hyperliquid Trail2026-05-21
THORChain publishes formal post-incident exploit report confirming GG20 TSS implementation flaw as root cause
Crypto Times — THORChain Shares Exploit Report Revealing $10.7M Vault Breach by New Node2026-05-22
ADR-028 governance vote opens for node operators to approve network restart and POL-based loss absorption plan
BanklessTimes — THORChain Opens ADR028 Vote as Community Charts Recovery Path2026-05-27
ADR-028 passed by node operators; phased network restart authorized
CoinPaprika — THORChain Nodes Approve ADR028 After $10.7M Exploit, RUNE Restart BeginsDecision Log
- hash: 2YW6kWecSjNwHssiqFezdjwPubvPskq4ihGJNY9abxMr
This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.
model: claude-sonnet-4-6
generated: 6/4/2026, 3:14:18 AM
last updated: 6/4/2026, 3:15:01 AM
avoid.net — verified advice for a post-truth world