Three DeFi exploits struck in five days during May 2026, draining a combined $23.2 million. THORChain lost $10.8 million on May 15, Verus Bridge $11.58 million on May 18, and Echo Protocol $816,000 on May 19. The month wasn't over yet.
Security Incident Report
- Protocol THORChain
- Amount stolen $10,800,000
- Chains affected BTC · ETH · BNB · Base
- Date May 15, 2026, 09:45 UTC
- RUNE -15% within minutes
- Attack vector Vulnerability in the GG20 TSS protocol. A malicious node extracted cryptographic key fragments during legitimate signing ceremonies, gradually reconstructing the full private key of an Asgard vault and signing unauthorized outbound transactions.
- Protocol response “make pause” command issued at block 26190429. Trading, swaps, LP actions, and signing suspended. User funds not compromised. THORSec, Chainalysis, and law enforcement engaged.
Source: TRM Labs, Chainalysis, ZachXBT, PeckShield · May 15-16, 2026
Source: TRM Labs, Chainalysis, ZachXBT, PeckShield · May 15-16, 2026
On May 15, at 09:45 UTC, ZachXBT posted a Telegram alert flagging anomalous outflows from the Asgard vaults of THORChain, the leading cross-chain decentralized exchange. His initial estimate: $7.4 million. Two hours later the figure had climbed to $10.8 million, the attack had simultaneously hit Bitcoin, Ethereum, BNB Chain, and Base, and the native RUNE token had crashed 15%, dropping from $0.58 to around $0.50 within minutes. An automatic pause mechanism activated in time, containing the damage to just one of the six active Asgard vaults. User funds remained safe.
The attack vector was sophisticated. A validator had operated honestly for days, accumulating fragments of cryptographic material during routine GG20 TSS signing ceremonies. With enough fragments collected over time, it reassembled the full private key of an Asgard vault and began signing outbound transactions as if it held legitimate network-wide consensus. The malicious node, identified as thor16ucjv3v695mq283me7esh0wdhajjalengcn84q, had joined the active set just days before the attack. Textbook pre-positioning.
According to Chainalysis, weeks of preparation preceded the drain: operations on Monero, Hyperliquid, and Arbitrum, ending with a transfer of 8 ETH to the attack wallet exactly 43 minutes before the exploit began. The signature was familiar: Kelp DAO had been drained for $292 million in April following months of identical groundwork. THORChain itself had been used as a laundering rail in that operation, with the Lazarus Group moving roughly $175 million in stolen ETH through the protocol over 36 hours. The Aave crisis that followed the Kelp exploit closed only on May 18, the same day as the second attack covered here.
Security Incident Report
- Protocol Verus-Ethereum Bridge
- Amount stolen $11,580,000
- Assets drained 103.6 tBTC · 1,625 ETH · 147K USDC
- Date May 18, 2026
- Attacker wallet 0x65Cb…C25F9
- Attack vector Technical vector still under analysis as of May 19, 2026. The wallet was pre-funded with 1 ETH via Tornado Cash approximately 14 hours prior. Stolen funds were converted into 5,402.4 ETH and remain in the wallet.
- Protocol response Real-time alert from Blockaid. No complete technical post-mortem from the Verus team as of publication.
Source: Blockaid, PeckShield · May 18, 2026
Source: Blockaid, PeckShield · May 18, 2026
Three days after THORChain. No pause mechanism this time. Blockaid flagged the Verus-Ethereum Bridge exploit while it was still unfolding: the attacker had already drained 103.6 tBTC, 1,625 ETH, and 147,000 USDC before anyone could intervene, converting everything into 5,402.4 ETH. The destination wallet, 0x65Cb8b128Bf6e690761044CCECA422bb239C25F9, remained active as of May 19. Pre-funding via Tornado Cash 14 hours before the attack signals a deliberate, planned operation rather than an opportunistic one. The same pattern appeared with Drift Protocol in April, where attack wallets had been prepared weeks in advance using identical tools. The specific technical vector for Verus remains under analysis.
Security Incident Report
- Protocol Echo Protocol (Monad)
- Amount stolen (actual) $816,000
- eBTC minted (nominal) 1,000 eBTC ($76.7M)
- Date May 18-19, 2026, 22:55 UTC
- ETH sent to Tornado Cash 384 ETH ($821,700)
- Attack vector Compromised admin key: a single EOA with no multisig, no timelock, and no mint cap. The attacker minted 1,000 eBTC, used 45 as collateral on Curvance, borrowed 11.29 WBTC, and routed 384 ETH to Tornado Cash.
- Protocol response Echo recovered the admin keys and burned the remaining 955 eBTC. Cross-chain operations suspended. Curvance paused the eBTC market. Monad co-founder Keone Hon confirmed the network itself was not compromised.
Source: PeckShield, dcfgod, Blockaid, Keone Hon (@keoneHD) · May 18-19, 2026
Source: PeckShield, dcfgod, Blockaid, Keone Hon (@keoneHD on X) · May 18-19, 2026
On the evening of May 18, on-chain analyst dcfgod posted on X: someone had minted 1,000 eBTC on Echo Protocol, running on Monad, out of thin air. Nominal value: $76.7 million. Real damage: $816,000. The gap between those two figures tells the whole story. The attacker held admin keys with unlimited minting authority, no multisig protection, and no timelock. They used 45 eBTC as collateral on Curvance, withdrew 11.29 WBTC, bridged the funds to Ethereum, and sent 384 ETH to Tornado Cash, all within hours. The remaining 955 eBTC sat useless in the attacker's wallet: the Monad network had no liquidity deep enough to convert them into real value. Echo burned them. Monad co-founder Keone Hon confirmed the network itself was untouched.
SlowMist founder Yu Xian put the problem directly: a single control point with absolute minting authority is a vulnerability by design, not an isolated mistake. The pattern appears identically across dozens of prior cross-chain bridge exploits. For a look at how similar architectures are opening attack surfaces in the AI-crypto intersection, our analysis on LLM routers and wallet security documents the same structural failure on a different vector.
Key Data
- THORChain (May 15) $10,800,000
- Verus Bridge (May 18) $11,580,000
- Echo Protocol (May 19) $816,000
- Echo Protocol eBTC minted (nominal) $76,700,000 (illiquid)
- Total across 3 exploits (5 days) $23,196,000
- Total DeFi exploits in May 2026 14 (source: DefiLlama)
Source: TRM Labs, Blockaid, PeckShield, Keone Hon, DefiLlama · May 15-19, 2026
Source: TRM Labs, Blockaid, PeckShield, Keone Hon, DefiLlama · May 15-19, 2026
How Do Hackers Drain DeFi Bridges?
The three attacks share distinct technical vectors yet follow a common structure. A bridge is the entry point, not because it's necessarily the weakest component, but because it concentrates the most value in transit between chains, often with less redundancy than core protocol layers can afford.
With THORChain, the attacker exploited a cryptographic flaw in GG20 TSS: the key wasn't stolen outright, it was rebuilt piece by piece during legitimate network operations. Once reassembled, the attacker signed transactions as an authentic validator. No alert fired until on-chain movements were already visible.
For Verus Bridge, the technical vector remains under analysis, but pre-funding via Tornado Cash 14 hours before the exploit signals careful planning rather than opportunism. For Echo Protocol, the flaw wasn't cryptographic at all: an unprotected admin key with unlimited minting power was the only barrier between the protocol and anyone who could gain access.
The damage amplification mechanism is consistent across all three cases. Synthetic or wrapped tokens minted by a bridge get accepted as collateral by adjacent lending protocols. Value is created from nothing, real value is borrowed against it, and the attacker exits before systems respond. This is the same pattern that destroyed the Kelp DAO bridge for $292 million in April and, earlier, hit Drift Protocol for $285 million. DeFi composability is its greatest strength. In these scenarios, it's also the most efficient destruction lever available. For a practical guide to managing these operational risks, the SpazioCrypto Web3 Guide covers the main threat categories.
May 2026: DeFi Security Scorecard
Functionally, according to DefiLlama, May 2026 has already logged 14 DeFi security incidents, and the 19th of the month had not yet closed entirely. April ended at $651 million in total losses, with Kelp and Drift alone accounting for 91% of the damage. Two open questions are now driving attention across the sector.
First: attribution for the THORChain exploit. As of publication, TRM Labs had not assigned responsibility to any specific actor.
If Lazarus Group involvement is confirmed (as was documented for both Kelp and Drift), North Korea's crypto theft tally for 2026 would exceed any prior year with four months still remaining. Second: the THORChain community vote on remediation, expected before May 22-23, covering potential slashing of the compromised node's bond and coverage via protocol-owned liquidity. RUNE had already shed 15% in hours.
What the THORChain Vote Means for DeFi Governance
What the community decides in the coming days will say something concrete about DeFi's capacity to set its own rules without waiting for external pressure to force the issue. The outcome of the remediation vote, the status of TRM Labs' attribution work on THORChain, and any movement from wallet 0x65Cb8b128Bf6e690761044CCECA422bb239C25F9 are the three signals worth monitoring this week. All May exploit updates are tracked in the SpazioCrypto Hack section.
