THORChain Opens Refund Portal After $10M Hack
THORChain confirmed the $10 million exploit and launched a recovery portal, which allows affected users to revoke malicious token authorizations and file refund claims with an equal amount from the refund pool provided by the Treasury.
In a post on Saturday, the THORChain Foundation introduced a recovery portal, saying, “Aggrieved users are now able to confirm what they will be paid as compensation following the exploit.”
Citing a PeckShield postmortem, the portal said the attack was discovered at 02:14 UTC on May 11, when node operators reported unusual outgoing transactions. Within eight minutes, trading and signing abroad stopped. In total, attackers spent 36.75 BTC, worth $3 million, and approximately $7 million in tokens on BNB Chain, Ethereum, and Base by hitting 12,847 wallets across four chains.
THORChain Recovery Portal Source: THORChain
Aggrieved users have 21 days to file claims. The refund window closes on June 4, after which any unclaimed allocations will be transferred to the protocol's insurance fund.
Related: Russia-linked crypto exchange Grinex ceases trading after $14M hack
How THORChain flows
In an incident update, THORChain's main theory is that the attacker used a vulnerability in the GG20 threshold signature plan (TSS) implementation, which allowed the sensitive vault key material to slowly leak. By accumulating enough of this leaked information over time, the attacker was able to reconstruct the Vault's private key and allow unauthorized outbound transactions.
The protocol is believed to have entered the network a few days before the attack on a newly cracked node, and is now believed to be associated with it, and onchain connections between the node's link addresses and the wallets that received the stolen funds have been identified.
“Treasury is collecting forensic data and coordinating with Outrider Analytics and relevant law enforcement agencies in an effort to identify the attacker and recover as many stolen funds as possible,” the protocol reads.
Related: Law enforcement seizes $41M linked to $150M crypto Ponzi bust
Crypto hack losses reached $630 million in April
Crypto hacks spiked in April, with total losses reaching $629.7 million, making it the worst month for the industry since February 2025, when $1.47 billion was stolen. KelpDAO's $293 million exploit and Drift Protocol's $280 million hack caused most of the damage, together representing 82% of April's losses, with DeFi being the most targeted sector.
The attack approach is increasingly focused on breaches of protocols, bridges, exploits and operational failures rather than actual smart contract errors.
Magazine: AI-Driven Hacks Could Kill DeFi – Unless Projects Act Now
