THORChain Keeps Appearing at the Center of Major Crypto Hacks. Now It May Be the Victim
-

THORChain occupies an uncomfortable position in the DeFi security landscape: it is a non-custodial cross-chain liquidity protocol that operates permissionlessly by design, which means it has no mechanism to block transactions from specific wallets even when those wallets contain stolen funds. That property has made it the routing layer of choice for some of the largest hack perpetrators in crypto history. Hackers who stole $1.4 billion from Bybit moved approximately $1.2 billion of the stolen ETH through THORChain to convert it to Bitcoin, a conversion that generated significant protocol revenue. The Kelp DAO attacker used the same infrastructure to swap 75,700 ETH worth roughly $293 million. North Korean Lazarus Group operatives, who are responsible for the majority of large-scale crypto thefts in 2025 and 2026, have consistently used THORChain as part of their laundering infrastructure because its cross-chain, non-custodial architecture makes tracing and intervention significantly more difficult than centralized exchange routes.
The irony of a suspected $10.8 million exploit targeting THORChain itself — the same protocol that has repeatedly been used to move stolen funds from other hacks — reflects a broader DeFi security reality: every protocol that handles significant liquidity is a potential target, and the same permissionless properties that make a protocol useful for laundering stolen funds also make it accessible to attackers looking to drain its own liquidity pools. THORChain's decision to halt all trading and signing within hours of ZachXBT's report demonstrates that the protocol has incident response mechanisms, but the 12-hour pause raises questions about how the exploit was executed across four separate chains simultaneously and what vulnerability allowed it. The RUNE token's 72% decline over the past year, with Thursday's additional 13% drop, reflects a market that has been consistently pricing in the security and regulatory concerns that come with being the protocol most visibly associated with moving stolen crypto assets — concerns that a confirmed self-exploit would significantly intensify.