TRM Labs noted that on May 15, 2026, a sophisticated attacker exploited vulnerabilities in THORChain, siphoning more than $11 million in digital assets from the cross-chain liquidity protocol. The incident impacted at least nine separate networks, marking another significant setback for the platform known for enabling direct, non-wrapped token swaps between blockchains. According to blockchain intelligence firm TRM Labs, the breach unfolded rapidly as the perpetrator simultaneously targeted functions tied to multiple chains.
Assets were withdrawn from Bitcoin, Ethereum, Binance Smart Chain, Base, Avalanche, Dogecoin, Litecoin, Bitcoin Cash, and XRP.
Once extracted, the stolen funds flowed into a compact cluster of just two consolidation addresses, allowing the attacker to pool proceeds efficiently across ecosystems.
TRM Labs investigators acted swiftly, identifying and tagging five key addresses linked to the initial drains within hours.
The firm continues to track outflows from this consolidation cluster and expects to refine attribution as new on-chain patterns emerge.
This latest event pushes THORChain’s total losses from security incidents since 2021 close to $25 million.
The protocol has faced repeated targeting, including two major compromises in July 2021 and a personal wallet drain affecting its founder, JP Thorbjornsen, in 2025—widely attributed to North Korean-linked actors.
Beyond direct thefts, THORChain has increasingly served as a preferred route for laundering proceeds from large-scale hacks, such as the $1.5 billion Bybit breach in February 2025 and the nearly $300 million KelpDAO incident in April 2026.
The platform’s design, which prioritizes native cross-chain transfers without intermediary wrapped tokens, offers genuine utility for legitimate users but also accelerates illicit fund movement.
TRM Labs notes that this same architecture shortens the window for investigators and compliance teams to intervene, often compressing response times from days to mere hours.
Adding to the challenge, THORChain maintains a firm policy against blocking suspicious activity, framing it as a stand against censorship and in support of open financial access.
For exchanges and institutions with exposure to THORChain liquidity pools, the implications are clear: heightened vigilance is essential.
Compliance officers are advised to screen transactions against the newly tagged addresses immediately, quarantine any inbound deposits originating from them, and monitor real-time alerts for further developments.
As TRM Labs continues its forensic analysis, the rapid cross-chain nature of the exploit underscores the evolving risks in decentralized bridging infrastructure.
While no definitive attribution has been announced yet, the blockchain analytics sector remains focused on the consolidation wallets. Updates from TRM Forensics are expected to shed additional light on the attacker’s next moves and potential identity. TRM Labs has concluded that the incident serves as a reminder of the persistent security trade-offs in cross-chain protocols operating in the decentralized finance ecosystem.