THORChain, the cross-chain liquidity protocol, suspended all trading operations on Friday morning after blockchain security researchers identified a suspicious breach worth over $10 million, spread simultaneously across four separate networks. The native token RUNE fell roughly 10% within hours, dropping to $0.52, according to CoinGecko data.
Four Blockchains Hit at Once
The first traces of the exploit were flagged by on-chain researcher ZachXBT and security firm PeckShield, as reported by Decrypt on May 15. Funds appear concentrated in two main addresses: one on Bitcoin, where 36.75 BTC (roughly $3 million) were transferred, and one spanning EVM networks with estimated losses of around $7 million split across Ethereum, BNB Smart Chain, and Base. The protocol team halted trading and on-chain signing as an immediate defensive measure, without yet disclosing technical details about the exploited vulnerability.
What stands out isn't just the size of the breach, relatively modest compared to other recent incidents, but the attacker's ability to drain liquidity simultaneously from architecturally distinct chains. Cross-chain bridges remain the most exploited attack vector in DeFi. The complexity of bridging mechanisms creates surfaces that are genuinely difficult to audit fully, and every protocol managing multi-chain liquidity inevitably widens this systemic risk window.
A Protocol Already Under Pressure
Functionally, tHORChain arrives at this exploit with its reputation already strained. In January 2025, the protocol suspended its ThorFi lending operations due to $200 million in unmet obligations, triggering a 90-day restructuring process. Last September, hackers whom ZachXBT later attributed to North Korean operators drained the personal wallet of founder John-Paul Thorbjornsen for $1.2 million, a precedent that sharpens scrutiny on the protocol's structural vulnerabilities.
The broader sector context offers little comfort. According to CertiK data, North Korean hackers stole $2.1 billion in crypto assets during 2025, accounting for 60% of all crypto theft losses recorded that year. In May 2026 alone, DeFi platform TrustedVolumes suffered a separate loss of $6.7 million. The pattern points to cross-chain protocol security remaining structurally fragile, and THORChain, with its high-liquidity pools, is a particularly attractive target.
For the protocol, the path to recovery now hinges on the transparency of its technical post-mortem and its ability to patch the vulnerability before other actors exploit it. Without public clarification on the attack vector, user trust will remain uncertain, and with it, the market fate of RUNE.
