As a researcher, I’ve been following the recent THORChain attack, and my team at Chainalysis has uncovered a complex laundering scheme used by the attacker. Our on-chain analysis shows this wasn’t a spontaneous act; the attacker meticulously planned the operation weeks in advance, setting up pathways using Monero, Hyperliquid, and Arbitrum. We’ve been able to map the movement of funds across these chains, revealing a calculated effort to conceal the $10.8 million stolen.
Chainalysis reported on Friday that the wallets believed to be used by the hacker were moving their own money through privacy services for weeks before the attack happened. Blockchain data clearly links those same wallets to the address that ultimately received the stolen funds.
Monero was the starting point
Chainalysis reports the attack started in late April when the hacker used a wallet to deposit Monero (XMR) into Hyperliquid through a privacy feature. They then exchanged this for USDC, moved it to the Arbitrum network, and finally transferred it to Ethereum.
A significant amount of Ethereum (ETH), worth hundreds of thousands of dollars, was transferred to THORChain to secure a new validator node with RUNE tokens. This node is now suspected of being the point of compromise. Some of the RUNE was later converted back into ETH.
Direct wallet link to the attacker
Chainalysis discovered the stolen Ether was divided into four different pathways. One of these pathways led directly to the hacker. The funds first went through a temporary wallet, and then, just 43 minutes before the theft occurred, 8 Ether was transferred into the wallet that would soon hold the attacker’s stolen millions.
The remaining three accounts moved funds in the reverse order. Between May 14th and 15th, they transferred ETH to Arbitrum, placed it in Hyperliquid, and then sent it back to Monero using the same privacy-focused service originally used. This final transfer happened less than five hours before the attack started.
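The kind of link described above can be checked with a time-ordered path search over transfer records. The sketch below is an added example, not code from Chainalysis or THORChain; every address label, amount and timestamp in it (including the theft time) is a constructed placeholder.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data: (sender, receiver, ETH amount, UTC time).
# Labels and times are placeholders, not values from the report.
THEFT_TIME = datetime(2026, 5, 15, 12, 0)
TRANSFERS = [
    ("bond_funder", "split_1", 30.0, datetime(2026, 5, 14, 9, 0)),
    ("bond_funder", "split_2", 30.0, datetime(2026, 5, 14, 9, 5)),
    ("split_1", "hop_wallet", 8.0, datetime(2026, 5, 15, 11, 0)),
    ("hop_wallet", "theft_recipient", 8.0, datetime(2026, 5, 15, 11, 17)),
    ("split_2", "bridge_deposit", 30.0, datetime(2026, 5, 15, 7, 30)),
    ("unrelated", "theft_recipient", 1.0, datetime(2026, 5, 10, 8, 0)),
    # Decoy: the outgoing hop predates the incoming one, so it is not a real flow.
    ("bond_funder", "late_in", 5.0, datetime(2026, 5, 15, 10, 0)),
    ("late_in", "theft_recipient", 5.0, datetime(2026, 5, 13, 10, 0)),
]

def pre_incident_links(transfers, source, target, cutoff, max_hops=4):
    """Find time-ordered transfer paths from source to target before cutoff.

    Amounts are carried in the data but not matched here; a fuller
    heuristic would also compare values along the path.
    """
    outgoing = defaultdict(list)
    for sender, receiver, _amount, when in transfers:
        if when < cutoff:  # only pre-incident activity is of interest
            outgoing[sender].append((receiver, when))
    found = []
    stack = [(source, datetime.min, [source])]
    while stack:
        node, earliest, path = stack.pop()
        for receiver, when in outgoing[node]:
            if when < earliest or receiver in path:
                continue  # funds cannot leave before they arrive; skip cycles
            new_path = path + [receiver]
            if receiver == target:
                lead = int((cutoff - when).total_seconds() // 60)
                found.append({"path": new_path, "lead_minutes": lead})
            elif len(new_path) <= max_hops:
                stack.append((receiver, when, new_path))
    return found

if __name__ == "__main__":
    for link in pre_incident_links(TRANSFERS, "bond_funder",
                                   "theft_recipient", THEFT_TIME):
        print(" -> ".join(link["path"]), f"({link['lead_minutes']} min before)")
```

Requiring each hop to occur no earlier than the previous one is what separates a plausible flow of the same funds from two unrelated transfers that merely share an intermediate address.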
Stolen funds remain dormant, but the exit path is clear
As of Friday afternoon, the stolen money hasn’t been moved, but experts at Chainalysis say that could change rapidly. The person who stole the funds has already proven they’re skilled at moving money across different cryptocurrency systems, and they might use the same method – transferring from Hyperliquid to Monero – that they used before the theft.
What we know so far about the THORChain exploit
Recent research from Chainalysis provides further insight into an event that began on May 15th. In an update on Friday, THORChain developers stated the most likely cause is a weakness in the protocol’s GG20 threshold signature scheme.
Experts think a recently created validator node took advantage of this flaw, causing confidential encryption keys to slowly become exposed. By collecting enough of these key fragments, the attacker could have rebuilt a critical private key and used it to approve fraudulent transactions.
The validator node, with the ID thor16ucjv3v695mq283me7esh0wdhajjalengcn84q, became active a few days before the security incident. THORChain’s team discovered that the Ethereum addresses used to initially fund and secure this node seem to be linked to addresses that later received the stolen funds.
The network is currently operating with limited functionality. Trading, providing liquidity, and processing transactions are all temporarily stopped while those managing the network explore ways to resolve the issue. These options include penalizing those responsible for the problem and using funds held by the protocol to cover any losses. Experts estimate a complete restoration of service could take several days.
As a researcher, I first became aware of this exploit on May 15th when Cyvers and several on-chain investigators alerted us to unusual transactions happening across multiple blockchains – Bitcoin, Ethereum, BNB Chain, and Base. We initially estimated the losses to be around $10.8 million, and we’ve tracked the stolen funds as they were moved into wallets containing Ethereum, Bitcoin, and BNB.
The team managing THORChain’s funds is collaborating with security experts from THORSec and Outrider Analytics, as well as law enforcement, to track down the person responsible for the attack and attempt to recover the stolen funds.
2026-05-16 09:43