THORChain stopped its own market on Friday, May 15, 2026, after an attacker drained roughly $10.8 million from the protocol. The cross-chain liquidity service paused all trading and signing, and its governance module held that freeze for about 12 hours and 42 minutes. RUNE, the protocol's token, fell 12% on the news.
What happened
The loss spread across four blockchains: Bitcoin, Ethereum, BSC, and Base. The biggest share went out in ether, 3,443 ETH worth $7.77 million at the time. The attacker also took 36.85 BTC worth $2.97 million and 96.6 BNB worth about $66,000. Added up, that comes to roughly $10.8 million in a single incident.
What made the attack possible was not clear when it happened. THORChain had not published a post-mortem naming the specific vector, so the cause stayed open. We are not going to guess at it here. When a protocol confirms how it was breached, that detail matters; until then, the honest answer is that nobody outside the team knew yet.
The response: halt everything
THORChain's reaction tells you something about how these systems work under stress. Rather than try to chase the funds in real time, the protocol flipped a switch and stopped. Its Mimir governance module set the trading-halt and signing-halt parameters to active, and nodes paused for close to 13 hours.
That is a blunt tool, and a deliberate one. THORChain moves value between chains by holding assets and coordinating signers. If signing keeps running while an attack is live, more money can leave. Freezing trading and signing buys the team time to look at what went wrong without bleeding further. The cost is that everyone using the protocol was locked out for half a day, with no swaps in or out until the halt lifted.
Why cross-chain plumbing keeps getting hit
If you have read crypto headlines for any stretch, the pattern is familiar. The pieces that connect one blockchain to another, the bridges and cross-chain routers, are among the most attacked parts of the whole market. They have to hold real funds, trust messages passed between separate networks, and react fast across systems that were never built to talk to each other. That is a wide door, and attackers keep finding gaps in it.
The reason comes down to where the money sits. A bridge or a cross-chain protocol pools assets so it can fill swaps on demand. That pool is a target. A bug in how the protocol validates a deposit, signs a release, or tracks balances can let an attacker pull out more than they put in. THORChain's freeze is what a careful response looks like, but the freeze itself shows the trade-off: the same machinery that moves your funds across chains can also be stopped cold, with your funds inside it, while the team sorts out a problem.
The practical takeaway
You do not need to follow THORChain's internals to act on this. The lesson is about where you keep your money. Cross-chain protocols are useful when you actually need to move an asset from one chain to another. They are not a place to park funds. Bridge what you need, when you need it, then get the assets to a wallet or venue you control.
The less value you leave sitting in cross-chain plumbing, the less is exposed when something like this hits. THORChain users who held funds in the protocol on May 15 had no way to move during the halt. Treating these tools as a pass-through rather than a parking spot keeps you out of that position. For more on protecting your holdings, see our crypto safety guide; the same thinking applies whether you hold bitcoin or ethereum.