The cross-chain liquidity protocol THORChain (RUNE) has suspended all trading operations following reports of a potential multi-chain security breach. Preliminary data suggests that the exploit targeted the protocol’s router across several major networks, leading to estimated losses exceeding 1.4 million USD. The incident was first brought to light by prominent on-chain sleuth ZachXBT on May 15, 2026, prompting an immediate response from the project's decentralized node operators.
Scope of the Security Incident
The suspected attack appears to have originated from vulnerabilities within the TC Router, affecting transactions across multiple blockchain environments. According to technical reports and community updates, the unauthorized activity impacted assets on the following networks:
- Bitcoin (BTC): Significant outflows were traced to the address bc1ql4u94klk265lnfur2ujk9p6uh52f2a8jhf6f37.
- Ethereum (ETH): Suspicious movements detected via EVM-compatible routing contracts.
- BNB Chain and Base: The exploiters targeted liquidity pools and cross-chain bridges on these layers.
Upon discovering the abnormal transfer activity, THORChain community members and developers communicated via Discord to coordinate a defensive maneuver. The protocol utilizes a decentralized network of nodes that can collectively decide to pause the system during emergencies to prevent further drainage of liquidity.
Emergency Response and Mitigation
Following the identification of the breach, node operators were advised to execute a global emergency halt. This mechanism effectively freezes the swapping and bridging functions of the network. The protocol’s core developers are currently conducting a forensic analysis to determine the exact nature of the vulnerability.
"The protocol's trading function has now been suspended. This is a proactive measure while the community investigates the suspected attack addresses and the scope of the TC Router vulnerability."
The EVM-related address 0x82fc0d5150f3548027e971ec04... has been identified as a primary point of interest for investigators. Such halts are common in DeFi protocols to protect the remaining Total Value Locked (TVL) during active security threats.
Conclusion
While the total loss is currently estimated at over $1.4 million, the figure may be subject to change as the THORChain team continues its audit of the impacted smart contracts. Users are advised to monitor official channels for updates regarding the resumption of services and any potential recovery plans for affected liquidity providers. This incident highlights the ongoing security challenges faced by cross-chain interoperability solutions in the evolving cryptocurrency landscape.
Frequently Asked Questions
Quick answers to the most common questions about this topic.
For educational purposes only. Nothing here constitutes financial or investment advice. Crypto markets are highly volatile — always DYOR before making any decisions.
Fact-checked per our editorial policy. We maintain strict independence from advertisers. Spot an error? Let us know.