thorchain

THORChain has released its fourth update regarding the attack incident on May 15, and the proposal ADR028 has been announced, with voting for node operators now open.According to the recovery plan, the protocol will first absorb losses through its own liquidity, with the remaining portion to be shared by synthetic asset holders; the specific distribution ratio of the two is still under evaluation. The protocol's own liquidity will be reduced to zero, and will be gradually replenished through system revenue. This plan will not issue or sell RUNE, nor will it dilute any holders.On the technical side, GG20 will be temporarily retained and has completed patch upgrades. Trading will resume after the vulnerabilities are fixed and node rotation is successfully conducted, with a future release pace that is slower and more security-conscious. Innocent nodes located in the same vault as the attacker will be protected, while the attacker nodes will be fully confiscated. The recovered RUNE will be paired with the recovered assets, and any excess will be destroyed.The protocol also offers a white hat bounty to the attacker to recover funds; if some are returned, the recovery plan will be adjusted proportionally. THORChain remains neutral and permissionless, and there will be no review of the attacker's Swap transactions after trading resumes. Node operators are currently voting on the proposal direction, and the numbers in the ADR are only indicative, with adjustments to be made through Mimir later.

THORChain officials stated that a large number of fake accounts and false information have appeared in the market, involving activities such as "refunds," "airdrops," and "compensations"; preliminary investigations show that user funds were not harmed in the previous security incidents, and no refund, airdrop, or compensation plans are currently underway. Any accounts claiming otherwise are impersonating or spreading false information. Progress on the investigation and more information will be announced later.

THORChain released an update on the hacking incident on platform X. Preliminary evidence suggests that a node that recently joined the network may have been controlled by a malicious operator, who exploited the GG20 TSS vulnerability to obtain key information from vault participants, ultimately reconstructing the vault private key and executing unauthorized withdrawal transactions. Currently, multiple THORChain nodes have been shut down, resulting in the network being in a paused state. RUNE transfers are expected to resume in about 12 hours, but the specific situation will depend on node decisions. Functions such as trading, liquidity provider operations, and signing are still unavailable, and a full restoration of network functionality is expected to take several days. Recovery plans are under discussion and may include reducing the staking of affected nodes, as well as other remedial measures proposed by the community.

Chainalysis posted on the X platform that before the theft of THORChain, wallets suspected to be associated with the attacker had been transferring funds through Monero, Hyperliquid, and THORChain for several weeks. The attacker-associated wallets had already deposited into Hyperliquid positions via the Hyperliquid and Monero privacy bridge as early as the end of April. The funds were then exchanged for USDC and transferred to Arbitrum, and later bridged to Ethereum, with some ETH subsequently transferred to THORChain to become staked RUNE for newly added nodes, which are believed to be the source of the attack.Afterward, the attacker bridged some RUNE back to Ethereum and split it into four pathways, one of which went directly to the attacker. After being transferred through intermediate wallets, 8 ETH was sent to the final wallet receiving the stolen funds 43 minutes before the attack. The funds from the other three pathways flowed in the opposite direction. These wallets bridged ETH back to Arbitrum, deposited it into Hyperliquid, and transferred it into Monero through the same privacy bridge, with the last transaction occurring less than 5 hours before the attack began.As of Friday afternoon, the stolen funds have not yet been used, but the attacker has demonstrated their skilled cross-chain money laundering capabilities, and the Hyperliquid to Monero path may become the next move.

THORChain has announced that one Asgard vault has been attacked, and trading has been suspended. Initial signs indicate that user funds are safe, and only the protocol's own funds are affected. THORChain stated that the network automatically detected abnormal behavior and suspended signing activities to prevent further fund transfers. The estimated loss is currently around $10.7 million.The announcement mentioned that one of the six Asgard vaults is suspected to have been breached, and related nodes have triggered the RUNE staking penalty mechanism due to unauthorized transfers. The current network has suspended Churn activities, and new connections and related operations will also be postponed until the investigation and repairs are completed.THORChain stated that preliminary investigations show that users' personal exchange transactions have not been affected, and all node operators have been asked to immediately check their infrastructure, key management systems, and operating environments for any anomalies.

According to on-chain analyst PeckShield (@PeckShieldAlert), THORChain was hacked, resulting in a loss of approximately $10 million in crypto assets, including 36.75 BTC (about $3 million) and assets worth about $7 million from BNBChain, Ethereum, and Base chains.

According to on-chain detective ZachXBT, THORChain has suffered attacks on multiple chains, resulting in losses exceeding $7.4 million.

According to Onchain Lens monitoring, a certain whale exchanged 40 BTC for 1,384.6 ETH through THORChain, worth 3.23 million USD, and then transferred these funds through Tornado Cash.

According to on-chain analysts, the Balancer attacker-associated address transferred 5,609 ETH to THORChain in the past, worth 13 million dollars.In November 2025, Balancer was stolen over 116 million dollars, with the same suspects as the Aave attack incident, both pointing to the North Korean hacker organization Lazarus Group, and both have recently been frequently using Tornado Cash for money laundering.

According to on-chain analyst Yu Jin's monitoring, the KelpDAO hacker exchanged all 75,700 ETH for BTC through THORChain yesterday. The hacker who stole $98 million in assets from Balancer last November also exchanged ETH for BTC through THORChain today.Today, the Balancer hacker has already exchanged 7,000 ETH for 204.7 BTC ($15.88 million) and is still continuing. Currently, the Balancer hacker holds 15,000 ETH ($34.65 million) on the ETH chain and 204.7 BTC ($15.88 million) on the BTC chain.

According to on-chain analyst Specter (@SpecterAnalyst), the North Korean hacker group TraderTraitor began laundering stolen funds from KelpDAO early this morning Beijing time, just three hours after the Arbitrum Council froze 30.7 ETH (approximately $71 million).The attackers split the remaining funds into three wallets, holding approximately 25,000 ETH (about $57.6 million), 25,700 ETH (about $59.2 million), and 25,000 ETH (about $57.9 million), with the third wallet immediately starting the laundering process, currently holding about 3,800 ETH (approximately $8 million). The funds are primarily being bridged to the Bitcoin network via THORChain, with about 99% of the funds flowing through this protocol, causing THORChain's trading volume to surge to $211 million that day, more than ten times its 30-day average, generating approximately $189,000 in fees.During this laundering process, the funds were also mixed with illicit proceeds from the BTC Turk (2025) and Bybit (2025) hacking incidents, with related funds currently tracked on the Bitcoin network totaling approximately 442 BTC (about $33 million), and the entire laundering process has utilized over 400 addresses.

According to ZachXBT, an unidentified Kraken user is suspected of losing approximately $18.2 million due to a social engineering scam.The address involved started transferring funds from Ethereum to Bitcoin through the SafePal wallet and THORChain about 45 minutes ago.

According to Onchain Lens monitoring, a certain whale swapped 102 BTC for 3489 ETH through ThorChain.

According to on-chain analyst Onchain Lens (@OnchainLens), a certain whale exchanged 99.5 BTC (worth 6.7 million USD) for 3,347 ETH through ThorChain, with an exchange rate of 0.0297.

According to Onchain Lens monitoring, a whale address exchanged 240.44 Bitcoin (approximately $15.7 million) for 8,152 Ethereum, with an exchange rate of 0.02945.The address deposited these Ethereum into the lending protocol Aave, borrowing $36 million USDT in a loop, and purchased 17,283 Ethereum at a price of $2,083. Currently, the whale holds 25,434.5 Ethereum, with a total value of approximately $52.45 million.

THORChain's official Twitter announced that Solana has gone live on THORChain, currently in a progressive rollout, with the front end gradually enabling Solana support; the liquidity pool is still in the guidance phase, and it is recommended to start with small exchanges and scale up once liquidity deepens, also stating that the "largest Bitcoin DEX" has connected to the Solana chain ecosystem.

According to official news, Binance will support the THORChain (RUNE) network upgrade. Starting from January 23, 2026, at around 4:00 (Beijing Time), Binance will suspend the deposit and withdrawal services for tokens on the THORChain (RUNE) network to support its network upgrade, ensuring users have the best experience.The network upgrade will take place at block height 24,635,898, with an estimated time of around January 23, 2026, at 5:00.

According to Ember Monitoring, the whale/institution that swapped BTC for ETH the day before yesterday continued today by selling 404 BTC ($38.84 million) into 11,533 ETH through the cross-chain exchange tool THORChain.In two days, they have swapped a total of 686.1 BTC ($65.17 million) for 19,631 ETH, with an average exchange price of $3,302 for the ETH.

According to OnchainLens monitoring, in the past 2 days, a giant whale address exchanged 363 BTC (approximately 34 million USD) for 10,390.5 ETH through ThorChain, with a transaction price of about 3,273 USD.2 hours ago, the whale further exchanged 323.26 BTC (approximately 31.15 million USD) for 9,240.6 ETH. As of now, the whale has cumulatively exchanged 686 BTC (approximately 65.16 million USD) for 19,631 ETH through ThorChain, with an average transaction price of about 3,319 USD.

According to Onchain Lens monitoring, a certain whale has again exchanged 323.26 BTC (worth 31.15 million USD) for 9,240.6 ETH.In total, this whale has exchanged 686 BTC (worth 65.16 million USD) for 19,631 ETH through ThorChain, with an average exchange price of 3,319 USD.