THORChain halts trading after $10 million crypto theft exposes DeFi fragility

At a glance:

• THORChain, a cross-chain decentralized exchange protocol, halted all trading, signing, and global chain operations after a suspected exploit drained roughly $11 million across at least nine blockchains.
• Stolen assets included approximately 36.75 bitcoin plus holdings on Ethereum, BNB Chain, Base, Avalanche, Dogecoin, Litecoin, Bitcoin Cash, and XRP Ledger.
• Experts including Ledger CTO Charles Guillemet and Blockstream CEO Adam Back warned that AI-driven vulnerability discovery is lowering the bar for attacks on complex multi-party computation schemes.

The exploit and its scope

On Friday, THORChain's automated systems flagged abnormal behavior linked to the compromise of one of its Asgard vaults. The vulnerability was traced to the protocol's threshold signature scheme, which manages cross-chain liquidity, and it enabled unauthorized outbound transactions from the vault. Initial loss estimates put the damage at around $10.7 million, but revisions pushed the figure closer to $11 million.

The stolen assets spanned at least nine chains: roughly 36.75 bitcoin along with holdings on Ethereum, BNB Chain, Base, Avalanche, Dogecoin, Litecoin, Bitcoin Cash, and XRP Ledger. THORChain's team moved quickly to contain the damage, triggering emergency measures that halted trading, signing, and global chain operations across the network. As of Sunday, trading remained paused while the investigation continued. The protocol has stated that end-user funds were not affected by the incident, though the full scope of the damage is still being assessed.

Why the attack succeeded — and what experts are saying

The incident has reignited debate over the security of multi-party computation (MPC) and threshold signature schemes in decentralized finance. Charles Guillemet, CTO of crypto hardware wallet manufacturer Ledger, offered an early assessment on X, arguing that AI is fundamentally altering the threat model for protocols like THORChain.

"AI changes the threat model. Compromising a full software node, complex Go stack, exposed P2P, custom signing daemons, a churn protocol that admits new participants on a schedule, has always been difficult and acted as a barrier. With LLM-driven vulnerability discovery and exploit synthesis, the bar to compromise one of N validators is dropping fast," Guillemet wrote.

Blockstream CEO and Satoshi Nakamoto candidate Adam Back echoed the concern from a cryptography angle. "Interactive multi-party cryptography is just fragile and complex. And the cryptography needed for MPC ECDSA is novel," Back posted on May 15, 2026. He added that the schemes are "too complex to make work securely, due to adaptive cryptography attacks, implementation/cryptography bugs, few understand enough to review. plus the shards are all ONLINE in software servers. not good!"

The THORChain validators, despite the protocol's branding as "unstoppable," agreed to shut down trading as the probe got underway. The episode highlights a growing tension: the more sophisticated the cryptographic machinery, the harder it is to audit — and the more dangerous a single flaw becomes.

A pattern of centralized responses in DeFi

THORChain's decision to freeze operations is the latest example of blockchain networks behaving more like traditional finance firms when things go wrong. Over the past year, multiple DeFi protocols and layer-two networks have resorted to on-chain freezes, multisig seizures, and off-chain emergency moves that undercut the decentralization narrative.

Last year, several blockchains were frozen in time after a $120 million exploit of Balancer — a hack that worked in a manner similar to the scheme from the film Office Space. More recently, Ethereum layer-two network Arbitrum drew criticism for seizing $71 million worth of hacked funds, equivalent to roughly 30,000 ether, into a multisig wallet controlled by the network's security council. The council acted via emergency powers rather than an on-chain governance vote, prompting accusations that the network was operating with hidden centralization.

Beyond DeFi, broader crypto infrastructure has shown its reliance on traditional systems. Multiple blockchains and DeFi protocols became unreachable last year due to downtime at Amazon Web Services. Stablecoin issuers have also moved to consolidate control: Tether recently seized $344 million worth of its USDT stablecoin linked to the Iranian regime, which had been using USDT to support the value of the rial and to settle international trade. The rial had fallen 43% against the dollar over the prior year, making USDT a key workaround for sanctions-related payments. Circle, meanwhile, raised $222 million from Silicon Valley and Wall Street firms to develop its own blockchain — another step toward issuers owning more of the underlying tech stack.

Record exploit activity and the North Korean shadow

The THORChain theft fits into a wider surge in crypto exploits. April saw nearly one exploit reported per day, hitting record levels for the year. Security firms and government agencies have increasingly pointed to North Korean state-backed actors as the driving force behind the bulk of stolen funds in 2026. The North Korean regime has denied these allegations, but the pattern of high-value, technically sophisticated attacks has led to broad consensus in the security community.

This backdrop makes the THORChain incident particularly concerning. The protocol markets itself as a meta layer that enables cross-chain swaps of native tokens without wrapping — a method it claims is more secure than traditional bridging. Yet the attack bypassed those safeguards by exploiting the very threshold-signature infrastructure that underpins the protocol's cross-chain liquidity model.

Market impact and the altcoin underperformance story

The broader fallout extends beyond THORChain's user base. A recent JPMorgan analyst report suggests that persistent security and centralization concerns are weighing on the viability of non-bitcoin crypto networks, particularly Ethereum. Analysts noted that ether and altcoins have continued to underperform bitcoin since 2023, despite broader market recoveries. If DeFi protocols increasingly rely on centralized decision-making — emergency freezes, multisig seizures, off-chain governance — investors may further gravitate toward bitcoin's simpler security model.

For THORChain specifically, the road ahead will depend on how transparently the team communicates the root cause and recovery plan. The protocol's claim that end-user funds were unaffected will need to be verified as the investigation concludes. Meanwhile, the debate over MPC fragility and AI-augmented attack capabilities is likely to influence how the next generation of cross-chain protocols are designed.

What to watch next

• Whether THORChain can resume trading and restore confidence among liquidity providers across all nine affected chains.
• Follow-up findings from the THORChain team on the specific vulnerability in the threshold signature scheme and any patches or protocol changes.
• Regulatory and industry response to the North Korean-linked exploit wave, which could accelerate compliance demands on DeFi protocols.
• JPMorgan and other institutional analysts for updated views on ether and altcoin performance as security concerns mount.

Tags

• THORChain
• DeFi security
• crypto exploit
• multi-party computation
• North Korea crypto theft
• cross-chain trading