THORchain has confirmed the $10 million exploit and launched a recovery portal, giving affected users a self-custodial way to revoke malicious token approvals and submit refund claims through a treasury-provided refund pool of equal size.
X, in a Saturday post on the THORchain Foundation introduced “Affected users are now able to check what they will be paid as compensation after being exploited,” says the recovery portal.
The portal, citing a PackShield post-mortem, claims that the attack was detected on May 11 at 02:14 UTC, when node operators flagged an unusual outbound transaction. Trades and outbound signings were halted within eight minutes. In total, the attackers made off with 36.75 BTC, worth about $3 million, and about $7 million in tokens in BNB Chain, Ethereum and Base, hitting 12,847 wallets across four chains.
THORchain’s recovery portal. Source: THORchain
Affected customers have 21 days to submit claims. The refund window closes on June 4, after which any unclaimed allocations go to the insurance fund of the protocol.
Related: Russian-linked crypto exchange Greenex halts trading after $14M hack
How THORchain was mined
In an event update, THORchain said The main theory is that the attacker exploited a weakness in the GG20 Threshold Signature Scheme (TSS) implementation, allowing sensitive wallet key content to be gradually leaked. By accumulating enough of this leaked data over time, the attacker was able to reconstruct the wallet’s private key and allow unauthorized outbound transactions.
The protocol also noted that a newly spawned node entered the network several days before the attack and is currently believed to be connected to it, indicating on-chain links between the node’s bonding address and the wallet receiving the stolen funds.
“Treasury is actively collecting forensic data and coordinating with Outrider Analytics and relevant law enforcement agencies in an effort to identify the attacker and recover the stolen funds where possible,” the protocol wrote.
Related: Law enforcement freezes $41M tied to $150M crypto Ponzi bust
Crypto hack losses hit $630 million in April.
Crypto hacks surged in April, with total losses reaching $629.7 million, the worst month for the industry since February 2025, when $1.47 billion was stolen. KelpDAO’s $293 million exploit and Drift Protocol’s $280 million hack caused massive losses, together representing 82% of April’s losses and solidifying DeFi as the most targeted sector.
The pattern of attacks points to a shift in how protocols are being compromised, with bridges, privileged access and operational failures increasingly at the root of major incidents involving smart contract bugs.
Magazine: AI-powered hacks could kill DeFi — unless the projects work now.