Verify a decision

{"actor":"system:backfill","investigation_id":"a6babef8-9ac8-4d4f-a604-63d5d1c488a5","kind":"publish","page_slug":"thorchain","published_at":"2026-06-04T03:15:00.974Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"THORChain","sections":[{"content":"THORChain is a Layer 1 decentralized exchange protocol built on the Cosmos SDK and CometBFT consensus, designed to enable trustless, non-custodial swaps between native assets across disparate blockchains without the use of wrapped tokens. It was conceptualized in 2018 during a Binance Dexathon competition. The RUNE token launched on June 19, 2019, followed by an initial DEX offering on July 20, 2019. A public testnet launched in June 2020, Single Chain Chaos Net in August 2020, and Multi-Chain Chaos Net in April 2021. Mainnet was declared on June 22, 2022. The protocol uses a threshold signature scheme (GG20 TSS) to manage cross-chain vaults, requiring a quorum of validator nodes to authorize outbound transactions. The RUNE token serves as the settlement asset in all liquidity pools; every pool is paired with RUNE. Validators must bond a minimum of 300,000 RUNE to participate and earn a share of protocol fees. As of June 2026, RUNE trades at approximately $0.39–$0.44 per token with a market capitalization of roughly $138–$151 million and a circulating supply of approximately 350 million tokens.","heading":"Protocol Overview","severity":"low","sources":[{"credibility":2,"name":"What Is THORChain (RUNE)? CoinMarketCap overview","type":"other","url":"https://coinmarketcap.com/cmc-ai/thorchain/what-is/"},{"credibility":2,"name":"THORChain price today, RUNE to USD — CoinGecko","type":"other","url":"https://www.coingecko.com/en/coins/thorchain"},{"credibility":2,"name":"THORChain price today, RUNE to USD live price — CoinMarketCap","type":"other","url":"https://coinmarketcap.com/currencies/thorchain/"}]},{"content":"On May 15, 2026, THORChain suffered a significant security breach when a malicious validator node exploited a cryptographic vulnerability in the protocol's GG20 threshold signature scheme (TSS) implementation. The node, identified at address thor16ucjv3v695mq283me7esh0wdhajjalengcn84q, joined the network on May 13, 2026 — approximately two days before the attack. According to THORChain's post-incident report published May 21, 2026, the attacker exploited gradual information leakage inside the GG20 implementation to reconstruct the private key for one of the protocol's Asgard vaults over time during routine signing ceremonies. With the vault key reconstructed, the attacker authorized unauthorized outbound transactions without triggering the normal quorum checks. Total funds drained are reported at approximately $10.7–$10.8 million across nine chains, with attacker wallets identified by TRM Labs holding approximately 3,443 ETH, 36.85 BTC, and 96.6 BNB, among assets on other chains. The affected assets were spread across Bitcoin (BTC address: bc1ql4u94klk265lnfur2ujk9p6uh52f2a8jhf6f37), Ethereum (0x82fc0d5150f3548027e971ec04c065f3c93154eb and 0xd477b69551f49c0519f9b18c55030676138890bd), Bitcoin Cash, Dogecoin, Litecoin, and XRP. The exploit impacted approximately 20% of protocol-owned funds in active vaults; user deposits and LP positions outside active vaults were reported as unaffected. The automated solvency detection system flagged abnormal vault balances within approximately 52 minutes, at which point node operators executed the 'make pause' command via the Mimir governance module, halting all trading, swaps, LP actions, and signing at block 26190429. The network remained paused for approximately 12–13 hours. THORChain released patch v3.18.1 and launched a refund portal for affected users. The submission claims 12,847 wallets were impacted, though this specific figure could not be independently corroborated from primary sources accessed at the time of this investigation.","heading":"May 2026 GG20 TSS Exploit","severity":"critical","sources":[{"credibility":1,"name":"Thorchain halts trading after $10 million cross-chain exploit, RUNE token drops 12% — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/05/15/thorchain-halts-trading-after-usd10-million-cross-chain-exploit-rune-token-drops-12"},{"credibility":2,"name":"$10.8 Million Drained: Inside the THORChain Exploit That Froze Cross-Chain DeFi for 13 Hours — Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/05/17/10-8-million-drained-inside-the-thorchain-exploit-that-froze-cross-chain-defi-for-13-hours/"},{"credibility":2,"name":"THORChain Exploit Drains USD 11M+ Across at Least Nine Chains: What TRM Knows Now — TRM Labs","type":"research","url":"https://www.trmlabs.com/resources/blog/thorchain-exploit-drains-usd-11m-across-at-least-nine-chains-what-trm-knows-now"},{"credibility":2,"name":"THORChain Shares Exploit Report Revealing $10.7M Vault Breach by New Node — Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/05/21/thorchain-shares-exploit-report-revealing-10-7m-vault-breach-by-new-node/"},{"credibility":2,"name":"THORChain Publishes Exploit Report, Points to GG20 Flaw — CoinNewSpan","type":"news_article","url":"https://www.coinnewsspan.com/thorchain-publishes-exploit-report-gg20-flaw/"}]},{"content":"Chainalysis published findings tracing the attacker's pre-exploit funding through a sophisticated cross-chain obfuscation route. According to Chainalysis, the operation began in late April 2026 when an attacker-linked wallet funded a position on Hyperliquid by depositing Monero (XMR) through a Hyperliquid-Monero privacy bridge. These funds were converted to USDC, withdrawn to Arbitrum, bridged to Ethereum, and ultimately routed into THORChain to bond RUNE for the malicious validator node. Approximately 43 minutes before the exploit, 8 ETH was forwarded into the wallet that would receive the stolen funds. Chainalysis uses cautious language — 'likely connected' and 'believed to be' — and does not definitively attribute the attack to any named threat actor. The submission references Chainalysis attributing the funding pattern to DPRK Lazarus Group tradecraft; the Chainalysis reporting as reflected in secondary coverage identifies funding route patterns consistent with Lazarus Group operational behavior, but does not constitute a definitive attribution. In a separate and earlier incident, THORChain was already documented as a central money laundering channel for North Korea's Lazarus Group following the February 2025 Bybit hack ($1.4 billion stolen), with approximately $1.2 billion — 85% of stolen Bybit funds — traced through THORChain according to Chainalysis. CoinDesk reported that THORChain node operators earned at least $12 million in fees from Bybit heist-related transactions, and founder JP Thor/Thorbjornsen confirmed publicly that THORChain earned between $5 and $10 million from processing those funds. THORChain declined to permanently block heist-linked transactions despite requests from the FBI, with Thorbjornsen arguing there is no proof any transaction originates from a specific geographic location.","heading":"Pre-Attack Funding Trail and Alleged Lazarus Group Nexus","severity":"critical","sources":[{"credibility":2,"name":"Chainalysis Traces THORChain Hacker's Pre-Attack Monero-Hyperliquid Trail — Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/05/16/chainalysis-traces-thorchain-hackers-pre-attack-monero-hyperliquid-trail/"},{"credibility":1,"name":"Inside North Korea's Favorite Crypto Laundering Tool: THORChain — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2025/04/07/the-blockchain-fueling-north-korea-s-massive-crypto-laundering-operation"},{"credibility":2,"name":"Chainalysis: THORChain Attack Tied to Weeks of Sophisticated Cross-Chain Funding Activity — BingX Flash News","type":"news_article","url":"https://bingx.com/en/flash-news/post/chainalysis-says-thorchain-attacker-moved-funds-via-monero-and-hyperliquid-weeks-before-hack-including-eth-sent-minutes-prior"},{"credibility":2,"name":"Inside DeFi exchanges caught in North Korea's $1.4bn laundering spree — DL News","type":"news_article","url":"https://www.dlnews.com/articles/defi/lazarus-laundering-spree-threatens-chainflip-and-thorchain/"}]},{"content":"THORChain has a documented history of security incidents predating the May 2026 exploit. In July 2021, the protocol was exploited twice. The first incident, approximately July 15, 2021, involved a logical flaw in the Ethereum router wherein an attacker used ERC-20 token deposits labelled as ETH to trick the protocol into releasing real ETH, resulting in approximately $4.9 million in losses. A second exploit approximately July 23, 2021 involved a custom contract that tricked the Bifrost Protocol into receiving a fake asset deposit and refunding real assets, resulting in approximately $8 million in losses. Combined 2021 direct losses were approximately $15.5 million across multiple incidents per SlowMist's analysis. THORChain used community treasury funds to cover losses in both instances. In 2022, a validator software bug caused nodes to behave non-deterministically, disrupting consensus for approximately 20 hours, though no direct fund losses were reported. In 2023, a vulnerability in the TSS key generation process was identified and the network was halted before funds were stolen. In January 2025, THORChain suspended its THORFi Lending and Savers features on January 23, 2025, after determining the product contained a fundamental economic design flaw. Total liabilities from the suspended programs were estimated at approximately $97 million in loans (ETH and BTC) and $102 million in Savers and synthetic assets, against $107 million in available liquidity, creating an effective insolvency. RUNE dropped over 82% from its December 2024 price in the weeks following the disclosure. In September 2025, an alleged social engineering attack using a deepfake impersonating co-founder JP Thor resulted in approximately $1.35 million in losses from compromised MetaMask keys. NullTX has documented at least six distinct exploits across the five-year period from 2021 to 2026.","heading":"Prior Security Incidents (2021–2025)","severity":"high","sources":[{"credibility":2,"name":"Explained: The THORChain Hack (July 2021) — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-thorchain-hack-july-2021"},{"credibility":1,"name":"Blockchain Protocol Thorchain Suffers $8M Hack — CoinDesk","type":"news_article","url":"https://www.coindesk.com/markets/2021/07/23/blockchain-protocol-thorchain-suffers-8m-hack"},{"credibility":2,"name":"SlowMist: Analysis of Three Consecutive Attacks on THORChain (2021) — Medium","type":"research","url":"https://slowmist.medium.com/slowmist-analysis-of-three-consecutive-attacks-on-thorchain-6223f1c691be"},{"credibility":2,"name":"Post-mortem: ETH Router Exploits 1 & 2 — THORChain Medium","type":"official","url":"https://medium.com/thorchain/post-mortem-eth-router-exploits-1-2-and-premature-return-to-trading-incident-2908928c5fb"},{"credibility":2,"name":"THORChain Faces Growing Questions Over Long-Term Viability After Six Exploits in Five Years — NullTX","type":"news_article","url":"https://nulltx.com/thorchain-faces-growing-questions-over-long-term-viability-after-six-exploits-in-five-years/"},{"credibility":2,"name":"THORChain halts withdrawals amid $200M insolvency — Blockworks","type":"news_article","url":"https://blockworks.co/news/thorchain-halts-withdrawals-insolvency"}]},{"content":"On January 23, 2025, THORChain suspended its THORFi Lending and Savers features after identifying a fundamental economic design flaw in those products. The protocol's lending obligations were denominated in BTC and ETH, while repayments were structured to be minted via RUNE — creating a reflexive dynamic that analysts compared to the Terra/Luna collapse. Total liabilities were estimated at approximately $97 million in outstanding loans and $102 million in Savers and synthetic asset obligations, against available liquidity of approximately $107 million. On February 2, 2025, node operators approved Proposal 6 (TCY restructuring plan). Under the plan, approximately $200 million in unserviceable debt was converted into equity via a new token, THORChain Yield (TCY), at a 1:1 ratio (1 TCY per dollar of defaulted debt). TCY carries a fixed supply of 210 million tokens and entitles holders to 10% of THORChain's protocol revenue indefinitely. The treasury committed $5 million to establish an initial RUNE/TCY liquidity pool at $0.10 per TCY, with further $5 million allocated over ten weeks for buybacks. The debt restructuring resolved the immediate solvency concern but left long-term viability questions open, as future recovery depends on sustained protocol revenue.","heading":"2025 Insolvency and TCY Debt Restructuring","severity":"high","sources":[{"credibility":1,"name":"THORChain to Issue Equity Tokens to Battle $200M Debt After Pausing Bitcoin, Ether Lending — CoinDesk","type":"news_article","url":"https://www.coindesk.com/markets/2025/02/03/thorchain-to-issue-equity-tokens-to-battle-usd200m-debt-after-pausing-bitcoin-ether-lending"},{"credibility":2,"name":"ThorChain restructures with $200M debt-to-equity issue and new TCY token — Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/thorchain-restructures-debt-issue-tcy-token/"},{"credibility":2,"name":"THORChain halts withdrawals amid $200M insolvency — Blockworks","type":"news_article","url":"https://blockworks.co/news/thorchain-halts-withdrawals-insolvency"},{"credibility":2,"name":"Thorchain Approves Plan to Restructure $200M Debt — BanklessTimes","type":"news_article","url":"https://www.banklesstimes.com/articles/2025/02/04/thorchain-approves-plan-to-restructure-200m-debt/"}]},{"content":"Following the May 15, 2026 exploit, THORChain's developers released patch v3.18.1 and opened a refund portal for affected users. The submission states affected users had until June 4, 2026 to submit claims, with unclaimed funds rolling into the protocol's insurance fund. On approximately May 22, 2026, node operators opened a formal vote on ADR-028, a network restart and loss-absorption proposal. ADR-028 proposes that the protocol absorb losses first through Protocol-Owned Liquidity (POL) reserves, with any remaining shortfall distributed across synth holders. The plan explicitly states no new RUNE is minted, no RUNE is sold, and no holder is diluted. ADR-028 passed on May 27, 2026. The network restart is contingent on completing technical remediation and achieving broad node operator consensus. THORChain also warned users to disregard fake social media accounts promoting unauthorized refunds or airdrops in the aftermath of the exploit.","heading":"May 2026 Exploit: Recovery and Governance Response","severity":"medium","sources":[{"credibility":2,"name":"THORChain Plots Recovery as $10M Hack Spurs Governance Vote — Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/05/19/thorchain-plots-recovery-as-10m-hack-spurs-governance-vote/"},{"credibility":2,"name":"THORChain Opens ADR028 Vote as Community Charts Recovery Path — BanklessTimes","type":"news_article","url":"https://www.banklesstimes.com/articles/2026/05/22/thorchain-opens-adr028-vote-as-community-charts-recovery-path/"},{"credibility":2,"name":"THORChain node operators vote on network restart plan after $10.7 million vault exploit — Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/thorchain-node-operators-vote-restart-plan/"},{"credibility":2,"name":"THORChain Nodes Approve ADR028 After $10.7M Exploit, RUNE Restart Begins — CoinPaprika","type":"news_article","url":"https://coinpaprika.com/news/thorchain-nodes-approve-adr028-107m-exploit/"},{"credibility":2,"name":"THORChain (RUNE) Launches Refund Portal After $10M Exploit — Blockchain.news","type":"news_article","url":"https://blockchain.news/news/thorchain-refund-portal-10m-exploit"}]},{"content":"THORChain was founded in 2018 by a pseudonymous core team. The principal founder, Jean-Paul Thorbjornsen (publicly known as 'JP Thor'), operated for approximately six years under the pseudonym 'Leena' using an AI-generated female avatar. Thorbjornsen publicly revealed his identity in approximately March 2024. He is described as an Australian man in his mid-30s with a background in aeronautical engineering and military aviation. Chad Barraford has served as Technical Lead on the THORChain protocol. Nine Realms, a development firm led by Gavin McDermott, has taken a significant operational role in THORChain development; the firm contributes approximately nine developers alongside approximately eight core protocol developers. THORChain describes itself as a decentralized network with no centralized governance authority, a design that has been cited by its leadership to justify non-intervention in illicit transaction flows. MIT Technology Review published a February 2026 profile of Thorbjornsen examining this tension between permissionless design philosophy and facilitation of illicit activity. The pseudonymous founding and subsequent deanonymization are notable trust signals; the current team composition is partially public but the broader validator and node operator set remains pseudonymous.","heading":"Team, Governance, and Pseudonymity","severity":"medium","sources":[{"credibility":1,"name":"Welcome to the dark side of crypto's permissionless dream — MIT Technology Review","type":"news_article","url":"https://www.technologyreview.com/2026/02/18/1132587/jean-paul-thorbjornsen-dark-side-crypto-permissionless-dream/"},{"credibility":2,"name":"THORChain founder and his plan to 'vampire attack' all of DeFi — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/magazine/thorchain-founder-jp-thor-vampire-attack-defi/"},{"credibility":2,"name":"THORChain: Hardening the Protocol with Halborn, Immunefi, Nine Realms and Chad Barraford — Delphi Digital","type":"research","url":"https://members.delphidigital.io/media/thorchain-hardening-the-protocol-with-halborn-immunefi-nine-realms-and-chad-barraford"}]},{"content":"THORChain has attracted sustained attention from regulators and law enforcement due to its role as a permissionless cross-chain bridge with no KYC requirements and no blocking mechanisms. Following the February 2025 Bybit hack, the FBI reportedly requested THORChain block transactions linked to the stolen funds; THORChain declined. Chainalysis estimated that THORChain node operators earned at least $12 million in fees from processing Bybit heist-linked transactions, a figure the protocol's own founder corroborated in the $5–10 million range. Former U.S. Treasury officials publicly stated that parties earning fees from known illicit funds 'potentially have an OFAC issue,' drawing comparisons to sanctions imposed on Tornado Cash and the shutdown of Bitzlato. THORChain has repeatedly served as a laundering conduit in high-profile state-sponsored hacks. Lazarus Group used THORChain to move approximately $1.2 billion — 85% of Bybit hack proceeds — through the protocol. A Crypto Briefing report also linked Lazarus Group to approximately $292 million in rsETH laundering through THORChain. DL News documented that THORChain processed roughly $900 million in Lazarus-linked funds. Despite these documented flows, no formal regulatory action against THORChain, its operators, or its founders had been publicly announced as of the date of this investigation. The permissionless design and jurisdictional ambiguity continue to complicate regulatory intervention.","heading":"Regulatory Risk and Illicit Finance Exposure","severity":"critical","sources":[{"credibility":1,"name":"Inside North Korea's Favorite Crypto Laundering Tool: THORChain — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2025/04/07/the-blockchain-fueling-north-korea-s-massive-crypto-laundering-operation"},{"credibility":2,"name":"Thorchain watched Lazarus launder $900m in stolen crypto. That's a big problem for DeFi — DL News","type":"news_article","url":"https://www.dlnews.com/articles/defi/thorchain-role-in-lazarus-laundering-is-big-defi-problem/"},{"credibility":2,"name":"Lazarus Group exploits ThorChain for $292M rsETH laundering operation — Crypto Briefing","type":"news_article","url":"https://cryptobriefing.com/lazarus-group-exploits-thorchain-for-292m-rseth-laundering-operation/"},{"credibility":2,"name":"Inside DeFi exchanges caught in North Korea's $1.4bn laundering spree — DL News","type":"news_article","url":"https://www.dlnews.com/articles/defi/lazarus-laundering-spree-threatens-chainflip-and-thorchain/"}]}],"sources_used":[{"credibility":1,"name":"Thorchain halts trading after $10 million cross-chain exploit, RUNE token drops 12% — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/05/15/thorchain-halts-trading-after-usd10-million-cross-chain-exploit-rune-token-drops-12"},{"credibility":2,"name":"THORChain Exploit Drains USD 11M+ Across at Least Nine Chains: What TRM Knows Now — TRM Labs","type":"research","url":"https://www.trmlabs.com/resources/blog/thorchain-exploit-drains-usd-11m-across-at-least-nine-chains-what-trm-knows-now"},{"credibility":2,"name":"$10.8 Million Drained: Inside the THORChain Exploit That Froze Cross-Chain DeFi for 13 Hours — Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/05/17/10-8-million-drained-inside-the-thorchain-exploit-that-froze-cross-chain-defi-for-13-hours/"},{"credibility":2,"name":"Chainalysis Traces THORChain Hacker's Pre-Attack Monero-Hyperliquid Trail — Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/05/16/chainalysis-traces-thorchain-hackers-pre-attack-monero-hyperliquid-trail/"},{"credibility":2,"name":"THORChain Shares Exploit Report Revealing $10.7M Vault Breach by New Node — Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/05/21/thorchain-shares-exploit-report-revealing-10-7m-vault-breach-by-new-node/"},{"credibility":2,"name":"THORChain Publishes Exploit Report, Points to GG20 Flaw — CoinNewSpan","type":"news_article","url":"https://www.coinnewsspan.com/thorchain-publishes-exploit-report-gg20-flaw/"},{"credibility":2,"name":"THORChain Plots Recovery as $10M Hack Spurs Governance Vote — Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/05/19/thorchain-plots-recovery-as-10m-hack-spurs-governance-vote/"},{"credibility":2,"name":"THORChain Opens ADR028 Vote as Community Charts Recovery Path — BanklessTimes","type":"news_article","url":"https://www.banklesstimes.com/articles/2026/05/22/thorchain-opens-adr028-vote-as-community-charts-recovery-path/"},{"credibility":2,"name":"THORChain Nodes Approve ADR028 After $10.7M Exploit, RUNE Restart Begins — CoinPaprika","type":"news_article","url":"https://coinpaprika.com/news/thorchain-nodes-approve-adr028-107m-exploit/"},{"credibility":1,"name":"Inside North Korea's Favorite Crypto Laundering Tool: THORChain — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2025/04/07/the-blockchain-fueling-north-korea-s-massive-crypto-laundering-operation"},{"credibility":2,"name":"Torchain watched Lazarus launder $900m in stolen crypto — DL News","type":"news_article","url":"https://www.dlnews.com/articles/defi/thorchain-role-in-lazarus-laundering-is-big-defi-problem/"},{"credibility":1,"name":"THORChain to Issue Equity Tokens to Battle $200M Debt — CoinDesk","type":"news_article","url":"https://www.coindesk.com/markets/2025/02/03/thorchain-to-issue-equity-tokens-to-battle-usd200m-debt-after-pausing-bitcoin-ether-lending"},{"credibility":2,"name":"THORChain halts withdrawals amid $200M insolvency — Blockworks","type":"news_article","url":"https://blockworks.co/news/thorchain-halts-withdrawals-insolvency"},{"credibility":2,"name":"Explained: The THORChain Hack (July 2021) — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-thorchain-hack-july-2021"},{"credibility":1,"name":"Blockchain Protocol Thorchain Suffers $8M Hack — CoinDesk","type":"news_article","url":"https://www.coindesk.com/markets/2021/07/23/blockchain-protocol-thorchain-suffers-8m-hack"},{"credibility":2,"name":"SlowMist: Analysis of Three Consecutive Attacks on THORChain — Medium","type":"research","url":"https://slowmist.medium.com/slowmist-analysis-of-three-consecutive-attacks-on-thorchain-6223f1c691be"},{"credibility":1,"name":"Welcome to the dark side of crypto's permissionless dream — MIT Technology Review","type":"news_article","url":"https://www.technologyreview.com/2026/02/18/1132587/jean-paul-thorbjornsen-dark-side-crypto-permissionless-dream/"},{"credibility":2,"name":"THORChain Faces Growing Questions Over Long-Term Viability After Six Exploits in Five Years — NullTX","type":"news_article","url":"https://nulltx.com/thorchain-faces-growing-questions-over-long-term-viability-after-six-exploits-in-five-years/"},{"credibility":2,"name":"THORChain price today, RUNE to USD — CoinGecko","type":"other","url":"https://www.coingecko.com/en/coins/thorchain"},{"credibility":2,"name":"THORChain price today, RUNE to USD live price — CoinMarketCap","type":"other","url":"https://coinmarketcap.com/currencies/thorchain/"}],"summary":"THORChain is a decentralized cross-chain liquidity protocol built on the Cosmos SDK that enables native asset swaps across major blockchains without wrapped tokens. The protocol has suffered at least six significant security incidents since 2021, including a May 15, 2026 exploit in which a malicious validator node exploited a GG20 threshold signature scheme vulnerability to drain approximately $10.7–10.8 million across nine chains. THORChain has also faced documented use by the North Korean Lazarus Group as a primary money laundering channel, a $200 million insolvency crisis in early 2025 requiring a debt-to-equity restructuring, and ongoing questions about its permissionless design and unwillingness to block illicit flows.","timeline":[{"date":"2018-01-01","event":"THORChain conceptualized during a Binance Dexathon competition; founding team begins development","source":"CoinMarketCap — What Is THORChain","source_url":"https://coinmarketcap.com/cmc-ai/thorchain/what-is/"},{"date":"2019-06-19","event":"RUNE token launches with pre-mined supply of 1.0 billion tokens","source":"CoinMarketCap — What Is THORChain","source_url":"https://coinmarketcap.com/cmc-ai/thorchain/what-is/"},{"date":"2021-07-15","event":"First major exploit: approximately $4.9 million drained via Ethereum router logical flaw","source":"Halborn — Explained: The THORChain Hack (July 2021)","source_url":"https://www.halborn.com/blog/post/explained-the-thorchain-hack-july-2021"},{"date":"2021-07-23","event":"Second exploit within the same month: approximately $8 million drained via Bifrost Protocol manipulation","source":"CoinDesk — Blockchain Protocol Thorchain Suffers $8M Hack","source_url":"https://www.coindesk.com/markets/2021/07/23/blockchain-protocol-thorchain-suffers-8m-hack"},{"date":"2022-06-22","event":"THORChain declares mainnet achieved","source":"CoinMarketCap — What Is THORChain","source_url":"https://coinmarketcap.com/cmc-ai/thorchain/what-is/"},{"date":"2024-03-01","event":"Founder Jean-Paul Thorbjornsen publicly reveals identity after six years operating under pseudonym 'Leena'","source":"MIT Technology Review — Welcome to the dark side of crypto's permissionless dream","source_url":"https://www.technologyreview.com/2026/02/18/1132587/jean-paul-thorbjornsen-dark-side-crypto-permissionless-dream/"},{"date":"2025-01-23","event":"THORChain suspends THORFi Lending and Savers features due to $200 million insolvency; RUNE price drops sharply","source":"Blockworks — THORChain halts withdrawals amid $200M insolvency","source_url":"https://blockworks.co/news/thorchain-halts-withdrawals-insolvency"},{"date":"2025-02-01","event":"Bybit exchange suffers $1.4 billion hack; Lazarus Group subsequently routes approximately $1.2 billion (85%) through THORChain","source":"CoinDesk — Inside North Korea's Favorite Crypto Laundering Tool: THORChain","source_url":"https://www.coindesk.com/tech/2025/04/07/the-blockchain-fueling-north-korea-s-massive-crypto-laundering-operation"},{"date":"2025-02-02","event":"Node operators approve Proposal 6 (TCY restructuring plan): $200 million debt converted to equity via TCY token","source":"CoinDesk — THORChain to Issue Equity Tokens to Battle $200M Debt","source_url":"https://www.coindesk.com/markets/2025/02/03/thorchain-to-issue-equity-tokens-to-battle-usd200m-debt-after-pausing-bitcoin-ether-lending"},{"date":"2025-09-01","event":"Alleged social engineering attack using deepfake impersonating co-founder JP Thor results in approximately $1.35 million in losses","source":"NullTX — THORChain Faces Growing Questions Over Long-Term Viability After Six Exploits in Five Years","source_url":"https://nulltx.com/thorchain-faces-growing-questions-over-long-term-viability-after-six-exploits-in-five-years/"},{"date":"2026-02-18","event":"MIT Technology Review publishes investigative profile of JP Thor/Thorbjornsen examining THORChain's role in illicit finance","source":"MIT Technology Review","source_url":"https://www.technologyreview.com/2026/02/18/1132587/jean-paul-thorbjornsen-dark-side-crypto-permissionless-dream/"},{"date":"2026-05-13","event":"Malicious validator node (thor16ucjv3v695mq283me7esh0wdhajjalengcn84q) joins THORChain network and begins accumulating key shards","source":"Crypto Times — THORChain Shares Exploit Report Revealing $10.7M Vault Breach by New Node","source_url":"https://www.cryptotimes.io/2026/05/21/thorchain-shares-exploit-report-revealing-10-7m-vault-breach-by-new-node/"},{"date":"2026-05-15","event":"GG20 TSS exploit executed: approximately $10.7–10.8 million drained across nine chains; network halted within ~52 minutes; RUNE drops 12%","source":"CoinDesk — Thorchain halts trading after $10 million cross-chain exploit","source_url":"https://www.coindesk.com/tech/2026/05/15/thorchain-halts-trading-after-usd10-million-cross-chain-exploit-rune-token-drops-12"},{"date":"2026-05-16","event":"Chainalysis publishes tracing of attacker's pre-attack Monero-Hyperliquid funding route; THORChain launches refund portal","source":"Crypto Times — Chainalysis Traces THORChain Hacker's Pre-Attack Monero-Hyperliquid Trail","source_url":"https://www.cryptotimes.io/2026/05/16/chainalysis-traces-thorchain-hackers-pre-attack-monero-hyperliquid-trail/"},{"date":"2026-05-21","event":"THORChain publishes formal post-incident exploit report confirming GG20 TSS implementation flaw as root cause","source":"Crypto Times — THORChain Shares Exploit Report Revealing $10.7M Vault Breach by New Node","source_url":"https://www.cryptotimes.io/2026/05/21/thorchain-shares-exploit-report-revealing-10-7m-vault-breach-by-new-node/"},{"date":"2026-05-22","event":"ADR-028 governance vote opens for node operators to approve network restart and POL-based loss absorption plan","source":"BanklessTimes — THORChain Opens ADR028 Vote as Community Charts Recovery Path","source_url":"https://www.banklesstimes.com/articles/2026/05/22/thorchain-opens-adr028-vote-as-community-charts-recovery-path/"},{"date":"2026-05-27","event":"ADR-028 passed by node operators; phased network restart authorized","source":"CoinPaprika — THORChain Nodes Approve ADR028 After $10.7M Exploit, RUNE Restart Begins","source_url":"https://coinpaprika.com/news/thorchain-nodes-approve-adr028-107m-exploit/"}]},"v":1}