THORChain Suspends All Trading After $10 Million Cross-Chain Exploit... RUNE Plummets 12%

On Friday morning, May 15, 2026, THORChain, a decentralized cross-chain protocol, detected a sophisticated exploit and urgently halted trading. All signing and trading functions of the protocol were stopped immediately after security researchers confirmed an outflow of approximately $10.8 million in assets. The attack occurred across four major blockchain networks, causing a sharp drop in the price of THORChain's native token, RUNE, and sending shockwaves through the market.

THORChain immediately suspended trading as security researchers identified signs of a multi-chain exploit totaling approximately $10.8 million across the Bitcoin, Ethereum, BSC, and Base networks.

The THORChain team took immediate action following the incident on the morning of May 15, 2026. All trading and signing functions on the network were suspended as an emergency measure to prevent further asset drainage. The development team is currently analyzing the vulnerability and plans to remain halted until the system is fully restored.

Structure and Scope of the $10.8 Million Exploit

The attack was systematically carried out against four major networks—Bitcoin, Ethereum, BNB Smart Chain (BSC), and Base—rather than a single chain. It is understood that the attacker exploited a vulnerability in the cross-chain liquidity bridge to seize assets. Security experts analyzed the incident as a highly designed multi-chain liquidity theft rather than a simple technical error.

• Estimated Loss: Approximately $10.8 million
• Affected Networks: Bitcoin, Ethereum, BSC, Base
• Actions Taken: Temporary suspension of all trading and signing functions
• Market Reaction: RUNE token price dropped 12%

The market reacted immediately to news of the exploit. According to a report by CoinDesk, THORChain's native asset, RUNE, plunged approximately 12% shortly after the announcement, marking a double-digit decline. With protocol operations suspended, liquidity providers are unable to withdraw assets or conduct trades, leading to heightened investor anxiety.

THORChain is equipped with its own security mechanisms, such as 'Signing Halt' and 'LP Pause,' to prepare for such emergencies. According to development documents, a Signing Halt allows deposits but blocks withdrawal signatures to prevent asset outflows. In this incident, validators collaborated to stop the entire network, serving as a circuit breaker to prevent further capital loss.

2026 DeFi Security Crisis and THORChain's Role

This incident once again highlights the security vulnerabilities in the decentralized finance (DeFi) sector, which have been accelerating in 2026. It is estimated that the volume of stolen assets in the DeFi sector since the beginning of the year has already exceeded $750 million. THORChain, in particular, is at the center of controversy, as it has not only been the target of multiple exploits in the past but has also been used as a route for other hackers to launder stolen funds.

In fact, it was recently reported that the perpetrator of the Kelp DAO hack laundered approximately $80 million worth of Ethereum through THORChain. At that time, THORChain's 24-hour trading volume surged to $394 million, more than 10 times its usual level, showing abnormal flows. Due to this background, THORChain faces the dual challenges of strengthening security and blocking illicit funds.

Governance Dilemma Between Decentralization and Security

The decision to halt the network triggered a conflict between decentralization principles and security within the THORChain community. In the past, there were validator votes to stop trading on specific chains to prevent the movement of hacker funds, but the limitations of the governance model were exposed when some validators opposed and overturned the decisions. This $10.8 million incident is expected to reignite the debate over the intervention authority of validators.

Moving forward, the THORChain team plans to release a detailed attack path and recovery plan through an official post-mortem report. The decision on whether to resume trading will likely be made after a full audit of the vulnerability that enabled the exploit is completed. Investors and the community are paying close attention to the impact this incident will have on the protocol's long-term credibility and potential compensation plans.