THORChain paused all trading and signing after blockchain investigator ZachXBT flagged a suspected $10 million exploit affecting Bitcoin, Ethereum, BNB Chain, and Base networks. The halt, triggered shortly after the investigator’s alert, will remain in effect until block 26191149, approximately 12 hours and 42 minutes from when trading was suspended. RUNE, THORChain’s native token, fell 13% on the news and traded at $0.51 at the time of writing.
Exploit Detection and Immediate Response
ZachXBT flagged the suspected exploit after monitoring suspicious wallet activity across THORChain’s supported networks. Security firm PeckShield and blockchain analytics platform Arkham independently corroborated the alert, identifying an Arkham-labeled exploiter wallet holding $10.8 million. Roughly 30 minutes before 10:11 am UTC, the suspected exploiter wallet transferred funds across multiple transactions on different chains. THORChain’s protocol alerts triggered automatically, halting all trading and signing operations to contain the damage and prevent further fund movement through the cross-chain liquidity protocol.
Token Decline and DeFi Security Context
RUNE’s 13% single-day drop reflects broader market concern around THORChain’s repeated use by malicious actors to swap stolen funds. The token has declined 72% over the past year. The suspected exploit occurs amid a surge in DeFi hacks: April 2026 recorded $634 million in stolen funds, the highest monthly total since February 2025’s $1.46 billion record. Notable recent incidents include the $293 million Kelp DAO exploit, where 75,700 ETH was swapped through THORChain, generating $910,000 in protocol revenue, and the $1.4 billion Bybit exchange hack, with $1.2 billion of stolen funds subsequently moved through THORChain.
Protocol Architecture and Vulnerability Questions
THORChain operates as a non-custodial cross-chain protocol, not a mixer, enabling atomic swaps across multiple blockchains without custodial intermediaries. The protocol’s design attracts both legitimate users and threat actors exploiting its liquidity depth. However, THORChain had not publicly confirmed the exploit at publication time, and no official statement detailed the vulnerability mechanism or remediation timeline. This lack of transparency mirrors previous incidents where the protocol continued operating through major exploits.
Unresolved Variables and Recovery Timeline
The 12-hour-plus halt provides developers time to assess the exploit’s scope and implement fixes before resuming trading. No confirmation has emerged on whether the vulnerability affects the protocol’s core logic or user-submitted transactions. THORChain’s track record of absorbing major hacks suggests recovery is likely, but the mounting $634 million April hack total underscores systemic DeFi security fragility that extends beyond any single protocol’s incident response.
