THORChain confirmed the $10 million exploit and launched a recovery portal, providing affected users with a self-custody pass to revoke the authorization of malicious tokens and submit refund requests backed by a similarly sized refund pool provided by the Treasury Department.
In a post to X on Saturday, the THORChain Foundation introduced a recovery portal and said that “affected users can now see the amount they will be paid in compensation after the exploit.”
Citing PeckShield’s postmortem, the portal claims the attack was detected at 2:14 a.m. UTC on May 11, when a node operator flagged an unusual outbound transaction. Transactions and external signatures were suspended within eight minutes. In total, the attackers compromised 12,847 wallets across four chains, exfiltrating 36.75 BTC worth approximately $3 million and approximately $7 million in tokens across the BNB chain, Ethereum, and Base.
THORChain recovery portal. Source: THORChain
Affected users have 21 days to file a claim. The refund period ends on June 4, after which unclaimed allocations will be rolled over to the protocol’s insurance fund.
How THORChain was exploited
In an update on the incident, THORChain said that the leading theory is that an attacker could exploit a vulnerability in the GG20 Threshold Signature Scheme (TSS) implementation, which could lead to the gradual leakage of sensitive vault keying material. By accumulating enough of this leaked data over a long period of time, the attacker was able to reconstruct the vault’s private keys and authorize fraudulent outgoing transactions.
The protocol also noted that a newly churned node entered the network several days before the attack and is now believed to be connected to the attack, and that on-chain links between the node’s bonding address and the wallet that received the stolen funds have been identified.
“Treasury is actively collecting forensic data and working with Outrider Analytics and relevant law enforcement agencies to identify the attackers and, if possible, pursue recovery of the stolen funds,” the protocol's update reads.
Crypto hacking damage in April reached $630 million
Cryptocurrency hacks surged in April, with total losses reaching $629.7 million, making it the worst month since February 2025, when $1.47 billion was stolen. KelpDAO’s $293 million exploit and Drift Protocol’s $280 million hack caused the bulk of the damage, together accounting for 82% of April’s losses and cementing DeFi as the most targeted sector.
The pattern of attacks shows that the way protocols are compromised is changing, with bridging, privileged access, and operational failures increasingly at the root of major incidents, rather than simple smart contract bugs.
