THORChain has confirmed a $10 million exploit and launched a recovery portal, allowing affected users to revoke malicious token approvals and submit refund claims backed by a treasury-provisioned pool. The attack was detected on May 11, 2025, when node operators flagged anomalous outbound transactions. Trading and outbound signing were paused within eight minutes. Attackers drained 36.75 BTC (~$3 million) and ~$7 million in tokens across BNB Chain, Ethereum, and Base, affecting 12,847 wallets. The leading theory suggests the attacker exploited a vulnerability in the GG20 threshold signature scheme (TSS) implementation, leaking vault key material over time to reconstruct the private key. A recently churned node is suspected to be associated with the attack. Affected users have 21 days to submit claims, with the refund window closing on June 4; unclaimed funds roll over to the insurance fund. THORChain is coordinating with Outrider Analytics and law enforcement for recovery. This incident adds to a surge in crypto hacks, with April 2025 losses reaching $629.7 million, driven by exploits on KelpDAO and Drift Protocol. The trend highlights a shift towards exploiting operational failures and privileged access rather than simple smart contract bugs.

Key facts

• THORChain suffered a $10M exploit via a GG20 TSS vulnerability, affecting 12,847 wallets.
• Attackers drained 36.75 BTC and ~$7M in tokens across BNB Chain, Ethereum, and Base.
• THORChain launched a recovery portal with a 21-day claim window and a treasury-funded pool.
• A recently churned node is suspected to be linked to the attack, with onchain evidence.
• April 2025 crypto hack losses hit $629.7M, with DeFi as the primary target.
• THORChain is working with law enforcement and Outrider Analytics for fund recovery.

KeyAudit data perspective