Blockchain tracking company Arkham Intelligence classified a group of suspicious wallets as “THORChain Exploiter” addresses, with one bitcoin-linked wallet holding approximately 36.85 bitcoins — worth approximately $3 million — and a separate ethereum wallet holding approximately 216 ether. The money is there, visible on-chain, and linked to two addresses that security researchers have already flagged publicly.
Who found it first?
The person who spotted Attack before anyone else was a detective on the series ZachXBT. It reported suspicious traffic linked to THORChain’s router infrastructure, describing how attackers transferred approximately $7.2 million in assets — including USDT, USDC, and encrypted Bitcoin — across multiple blockchains before converting it to ETH.
His initial estimate of losses of more than $7.4 million was later revised upward. the total Stolenaccording to ZachXBT, may now exceed $10 million.
They can tell because they didn’t check the numbers themselves/the strings listed.
I’ve done the accounting again now and it looks like at least over $10 million was stolen.
– ZackXPT (@ZackXPT) May 15, 2026
THORChain is a cross-chain trading protocol that allows users to swap crypto assets across different blockchains without relying on a central exchange. This design also means that its infrastructure touches multiple networks simultaneously, and in this case, this became a weak point. The attack hit Bitcoin, Ethereum, BNB Chain, and Base simultaneously.
Security company PeckShield independently confirmed the hack. Based on their estimates, attackers He disposed of approximately 36.75 bitcoins worth approximately $3 million, with another approximately $7 million withdrawn from the Ethereum ecosystem, BNB chain, and platforms.
The markets react, the team stays silent
RUNE, THORChain’s native token, fell nearly 14% in the hours following news of the hack, falling towards the $0.50 mark as traders moved to reduce their exposure. The price decline was rapid. It was not an official response.
As of reporting time, THORChain has not issued a public statement clarifying its scope exploited Or what steps have been taken to address it.
This silence increased anxiety in the market. The protocol has weathered previous security incidents by leveraging treasury reserves and recovery mechanisms, but without clarification from the team, it’s difficult to know if a similar path is possible this time.
A pattern that keeps repeating
Cross-chain infrastructure has repeatedly been the site of significant losses in DeFi. Bridges and routing systems that connect different blockchains require complex code – and complex code creates more opportunities for something to go wrong. The THORChain attack fits this pattern.
Stolen assets remain in the reported wallets for the time being. Whether they will stay there is another question.
Featured image from Unsplash, chart from TradingView
Editing process Bitcoinist focuses on providing well-researched, accurate, and unbiased content. We adhere to strict sourcing standards, and every page is carefully reviewed by our team of senior technology experts and experienced editors. This process ensures the integrity, relevance, and value of our content to our readers.
