THORChain Exploit Halts Trading After ZachXBT $10M Alert

On May 15, ZachXBT flagged a THORChain exploit worth more than $10 million, and the decentralized liquidity protocol halted all trading and signing within minutes after the on-chain investigator spotted suspicious fund movements spanning Bitcoin, Ethereum, BNB Chain, and Base. It was the kind of multi-chain drain that tends to mean one thing: someone found a hole and moved fast.

ZachXBT Flags $10 Million THORChain Exploit Across Four Chains

Blockchain investigator ZachXBT was first to raise the alarm, saying THORChain had likely been exploited across four separate chains, Bitcoin, Ethereum, BNB Chain, and Base. The alert landed hard. Within minutes, THORChain’s official alerts Telegram channel confirmed what traders feared: all trading and signing were suspended, with a global node pause locked in until block 26191149, roughly 12 hours and 42 minutes from the moment of the halt.

Arkham Intelligence data filled in the details. According to THORChain exploit ZachXBT $10 million, a wallet labeled as the THORChain exploiter held $10.8 million at the time of detection. That money moved out in several smaller transactions, a deliberate splitting pattern, all within the 30 minutes before 10:11 am UTC. Whoever did this knew what they were doing.

The protocol had not publicly confirmed the exploit at the time of writing. PeckShield, another on-chain security firm, independently flagged suspicious activity alongside ZachXBT’s alert, reinforcing the picture that something went badly wrong on the protocol side.

RUNE Price Crashes 13% as Traders React

Markets did not wait for an official statement. RUNE, THORChain’s native token, fell roughly 13% in the wake of the incident and was changing hands near $0.51 at the time of writing. That number is painful enough on its own, but it lands harder when you consider that RUNE is already down 72% over the past year.

According to RUNE token price drop 13 percent exploit, the price slide puts additional pressure on a token that has struggled to find stable ground through months of security concerns and protocol controversies. A 13% single-session drop after a suspected hack is bad. A 72% annual decline that gets a 13% kick downward is a different kind of bad entirely.

For holders who have stayed long on RUNE through its turbulent period, May 15 was another gut-punch entry in what has become a long ledger of rough days. The question now is whether the damage is only market sentiment, or whether the exploit represents structural risk that the protocol needs to address before trading resumes.

How Does This Fit the Broader DeFi Security Picture?

This is not happening in isolation. April 2026 was the worst month for DeFi security since February 2025. According to April 2026 DeFi hacks $634 million record, hackers stole over $634 million across DeFi protocols in April alone, the highest monthly total since the $1.4 billion Bybit catastrophe. May is not off to a cleaner start.

THORChain sits at an uncomfortable intersection in these statistics. As a non-custodial, cross-chain protocol, it is not a mixer, the team has been clear on that distinction. But it is a useful tool for anyone who needs to swap stolen assets across chains quickly and without a central party to block the transaction. That utility cuts both ways.

In April 2026, the attacker behind the $293 million Kelp DAO exploit used THORChain to swap 75,700 ETH across chains, generating around $910,000 in fee revenue for the protocol in the process. Before that, the majority of the $1.4 billion stolen during the Bybit hack moved through THORChain, roughly $1.2 billion converted from Ether to Bitcoin, according to Bybit co-founder and CEO Ben Zhou. THORChain did not authorize those transactions. It could not. That is the design. But it means the protocol’s name appears on every major DeFi theft post-mortem, which does nothing for community confidence.

The Kelp DAO incident had already prompted conversations about oracle security and DeFi protocol design across the space. Now THORChain is facing its own suspected breach on top of the reputational overhang from being a laundering route for other people’s hacks. The timing could not be worse.

What Happens Now for THORChain?

The immediate task is simple to describe and hard to execute: figure out exactly what happened, patch it, and convince the node operators and liquidity providers that it is safe to resume. The node pause runs until block 26191149. That buys roughly 12 hours and 42 minutes, enough time for the dev team to investigate, but not much margin for a complex multi-chain vulnerability that touched Bitcoin, Ethereum, BNB Chain, and Base simultaneously.

THORChain did not respond to requests for comment before the time of writing, so the community is operating on the information ZachXBT and PeckShield have shared and whatever the alerts channel drops. That information vacuum is itself a problem. In DeFi, silence after a suspected exploit tends to accelerate the narrative in the worst possible direction.

The deeper issue is structural. THORChain has been here before, not as the exploited party, but as the transit layer for other protocols’ stolen funds. Each time that happens, questions resurface about whether the protocol’s governance structure allows for any emergency intervention. The answer is: barely, by design. Cross-chain swaps work precisely because no single entity can block them. That freedom comes with a cost, and right now, THORChain’s users are paying it.

Whether the $10.8 million figure holds or grows as investigators dig deeper remains to be seen. What is already clear is that RUNE holders are down another 13% on a token that was already testing multi-year lows, and DeFi’s record-pace 2026 theft numbers just got another entry added to the tally.

This article is for informational purposes only and does not constitute investment advice. Every investment and trading decision involves risk. Readers should conduct their own research before making any financial decisions.