On May 15, 2026, an attacker exploited THORChain, draining over $11 million in assets across Bitcoin, Ethereum, BSC, Base, Avalanche, DOGE, Litecoin, Bitcoin Cash, and XRP. The protocol, which enables native cross-chain swaps without wrapped assets, has been a recurring target. THORChain's founder was personally targeted in 2025 by suspected North Korean hackers, and cumulative losses from thefts since 2021 now approach $25 million. The attacker deployed a cross-chain strategy, moving funds between chains quickly to complicate tracking. TRM Labs tagged five initial addresses and traced flows across affected chains. The funds were consolidated into a two-address cluster. THORChain has been the preferred laundering route for major hacks, including the $1.5B Bybit hack and the $300M KelpDAO exploit, and has refused to block illicit activity. Compliance teams are advised to act within hours to freeze or quarantine funds. TRM continues to monitor outflows and will update attribution as the investigation progresses.

Key facts

• Attacker drained over $11M from THORChain across nine chains on May 15, 2026
• Cumulative THORChain losses from thefts since 2021 approach $25M
• THORChain has been a key laundering rail for major hacks like Bybit and KelpDAO
• TRM tagged five initial addresses and traced consolidated cluster
• Compliance teams urged to act within hours due to fast cross-chain movement

KeyAudit data perspective