
THORChain: The $10.8M Key Leak That Broke the Vault

A freshly churned validator node exploited a flaw in THORChain’s GG20 threshold signature scheme, reconstructing a vault private key and draining $10.8M across Bitcoin, Ethereum, BNB Chain, and Base. 12,847 wallets got hit.

SYNTH·Hack Database
THORChain halted trading for nearly 13 hours as a single malicious node exploited a GG20 signature flaw to drain one Asgard vault.

At 09:45 UTC on May 15, 2026, on-chain investigator ZachXBT fired off a Telegram alert. Unusual outflows from THORChain’s Asgard vaults. First estimate: $7.4 million gone. Within two hours the number hit $10.8 million. By the time most of Asia woke up, the protocol was in emergency freeze - trading, swaps, signing, all stopped. The cross-chain DeFi backbone had just snapped.

THORChain is the answer to a stubborn problem: how to swap native Bitcoin for native Ethereum without a custodian, wrapped tokens, or bridges. Its solution is Asgard vaults - pools of real assets held collectively by a rotating set of node operators who use a cryptographic ceremony called GG20 to co-sign every outgoing transaction. No single node holds a full private key. Or at least they’re not supposed to.

Early forensics pointed to a single newly churned validator node - flagged in the incident update as thor16ucjv3v695mq283me7esh0wdhajjalengcn84q. This node joined the active set days before the attack. The timing was not an accident. Investigators from PeckShield and Cyvers believe the attacker exploited a known weakness in the GG20 threshold signature scheme. By participating in multiple signing sessions, the malicious node gradually leaked enough key material from the other co-signers to reconstruct a complete vault private key.
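Why leaked shares are fatal, as an added illustration that is not THORChain's code or GG20 itself: plain Shamir sharing over the secp256k1 group order, with a constructed key and an assumed 3-of-5 threshold. It goes beyond the article by also showing proactive share refresh, a general mitigation that is not attributed to THORChain here.

```python
import secrets

# Order of the secp256k1 group; ECDSA key shares live in this field.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def split(secret, threshold, parties):
    """Shamir-share `secret`: any `threshold` shares rebuild it, fewer do not."""
    coeffs = [secret] + [secrets.randbelow(N) for _ in range(threshold - 1)]
    def f(x):
        return sum(c * pow(x, i, N) for i, c in enumerate(coeffs)) % N
    return {x: f(x) for x in range(1, parties + 1)}

def reconstruct(shares):
    """Lagrange-interpolate the sharing polynomial at x = 0 from {index: share}."""
    total = 0
    for xi, yi in shares.items():
        num = den = 1
        for xj in shares:
            if xj != xi:
                num = num * (-xj) % N
                den = den * (xi - xj) % N
        total = (total + yi * num * pow(den, -1, N)) % N
    return total

def refresh(shares, threshold):
    """Proactive refresh: add a fresh sharing of zero; the key is unchanged."""
    zero = split(0, threshold, len(shares))
    return {x: (y + zero[x]) % N for x, y in shares.items()}

def demo():
    key = secrets.randbelow(N)                  # constructed vault key
    shares = split(key, threshold=3, parties=5)  # assumed 3-of-5 vault
    own = {1: shares[1]}                        # the insider's legitimate share
    leaked_one = {**own, 2: shares[2]}          # one co-signer share leaked
    leaked_two = {**leaked_one, 3: shares[3]}   # threshold reached
    new = refresh(shares, 3)
    stale_mix = {1: new[1], 2: shares[2], 3: shares[3]}  # old leaks, new epoch
    return {
        "below_threshold": reconstruct(leaked_one) == key,
        "at_threshold": reconstruct(leaked_two) == key,
        "after_refresh_honest": reconstruct({1: new[1], 4: new[4], 5: new[5]}) == key,
        "after_refresh_stale": reconstruct(stale_mix) == key,
    }

if __name__ == "__main__":
    print(demo())
```

Shares leaked before a refresh do not combine with shares from the new epoch, which is why the window between refreshes bounds how much leakage an insider can accumulate.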


Once in control, the attacker swept roughly 20% of protocol-owned funds from one of THORChain’s six Asgard vaults. Stolen assets included WBTC, USDT, USDC, DAI, AAVE, and LINK. Bitcoin, Ethereum, BNB Chain, and Base all got hit in the same attack. The funds were quickly swapped to ETH and funneled into a single address - a textbook laundering pattern.

Chainalysis traced the attacker’s movements from weeks before the exploit. Personal funds had been cycled through Monero, Hyperliquid, and Arbitrum, establishing a clean on-chain identity for the strike. This was not a smash-and-grab. It was a planned operation.

THORChain’s native token, RUNE, collapsed 15% in minutes, falling from $0.58 to $0.50. The protocol paused all trading and signing for 12 hours and 42 minutes. A day later, the foundation opened a $10 million compensation portal for the 12,847 affected wallets, using protocol-owned liquidity reserves. An $800,000 gap remains unaddressed.

The attack resurrects THORChain’s 2021 ghosts. That summer, two separate exploits extracted $5 million and $8 million through flaws in the Bifrost module. Both times, the team halted the network and compensated users. The architecture was supposed to be stronger after audits and a vault revamp. Yet here we are again, a single rogue node ripping open a vault with a cryptographic flaw that researchers had been warning about for years.

The protocol that moves billions in native crypto across chains just learned the hard way: your cross-chain security is only as strong as the validator you let in the door.

The Aftermath

THORChain opened a $10M compensation portal, leaving an $800K shortfall. RUNE crashed 15% but recovered partially after the halt. The protocol plans to slash the malicious node’s bond and use reserves for reimbursement. Broader security patches for the GG20 implementation are under discussion.

LESSONS LEARNED

A freshly churned validator is a pristine attack surface.
A $10.8M drain can start with leaked key shards from co-signers.
Cross-chain infrastructure multiplies every vulnerability by the number of chains supported.
Compensation portals don’t fix trust - they just buy time.
