THORChain Verifies $10M Security Breach, Launches Compensation Portal for Victims
Following a security breach resulting in $10 million in losses, THORChain has introduced a recovery platform enabling impacted users on four different blockchains to withdraw malicious permissions and receive compensation.
THORChain has verified that a $10 million security breach occurred and has deployed a recovery platform, providing impacted users with a self-custodial method to withdraw malicious token permissions and file compensation claims supported by a refund pool of equivalent value provisioned from the treasury.
Through a Saturday announcement on X, the THORChain Foundation unveiled the recovery platform, stating that "affected users are now able to check what they will be paid as compensation following the exploit."
According to the portal, which references a post-mortem analysis by PeckShield, the breach was identified at 02:14 UTC on May 11, at which time node operators observed unusual outbound transactions. Within an eight-minute window, trading operations and outbound signing capabilities were suspended. The attackers successfully extracted 36.75 BTC, valued at approximately $3 million, along with roughly $7 million worth of tokens spanning BNB Chain, Ethereum and Base, impacting 12,847 wallets distributed across four blockchain networks.
Impacted users are granted a 21-day period to file their claims. The compensation window will conclude on June 4, at which point any remaining unclaimed funds will be transferred to the protocol's insurance fund.
How THORChain was drained
According to an incident update released by THORChain, the prevailing hypothesis suggests that the attacker took advantage of a security flaw in the GG20 threshold signature scheme (TSS) implementation, which enabled the gradual leakage of sensitive vault key material. Through the collection of sufficient leaked data over an extended period, the attacker successfully reconstructed the private key of the vault and gained the ability to authorize outbound transactions without proper authorization.
The protocol has additionally observed that a recently churned node joined the network in the days leading up to the breach and is presently suspected of being connected to the attack, with blockchain evidence revealing connections between the node's bonding addresses and the destination wallets for the misappropriated funds.
The Treasury is actively collecting forensic data and coordinating with Outrider Analytics and relevant law enforcement agencies in an effort to identify the attacker and pursue recovery of stolen funds where possible.
THORChain protocol statement
Crypto hack losses hit $630 million in April
The cryptocurrency sector experienced a significant spike in hacking incidents during April, with aggregate losses totaling $629.7 million, marking the industry's most devastating month since February 2025, during which $1.47 billion was misappropriated. The exploitation of KelpDAO resulting in $293 million in losses and Drift Protocol's $280 million security breach accounted for the majority of the financial damage, collectively comprising 82% of April's total losses and reinforcing DeFi's position as the most frequently targeted sector.
The emerging pattern of security incidents indicates a transformation in the methods through which protocols are being exploited, with bridges, elevated access privileges and operational vulnerabilities becoming increasingly prevalent as the underlying causes of significant breaches, rather than conventional smart contract vulnerabilities.