On May 15, 2026, the cross-chain liquidity protocol THORChain, which has been involved in security controversies multiple times, was once again thrust into the spotlight. On social media, on-chain analyst ZachXBT pointed out that THORChain might be facing security attacks across multiple public chains. Meanwhile, community members noticed a series of abnormal transfers from TC Router on Discord: funds were quickly drained from THORChain-related addresses, with observations mentioning that suspected stolen Bitcoin was centralized at address bc1q14u94klk265lnfur2ujk9p6uh52f2a8jhf6f37, approximately 36.85 BTC, while Ethereum and BNB were transferred to address 0x82fc0d5150f3548027e971ec04c065f3c93154eb, approximately 216 ETH and some BNB. These specific aggregation paths still need further verification. After the abnormality rapidly spread within the community, node operators triggered a global pause based on emergency suggestions in Discord, halting all transactions and cross-chain exchange functions of THORChain to prevent potentially expanding losses. Preliminary estimates indicate the suspected attack has caused losses exceeding 7.4 million dollars, affecting the Bitcoin, Ethereum, BNB Chain, and Base networks, prompting reports from various Chinese media outlets. However, as of now, the specific technical details of the attack, the final destination of the funds, and THORChain's complete response plan have not been clearly disclosed in public channels, leaving the truth of the whole incident amidst information asymmetry and uncertainty.

Multi-chain abnormal transfers: Alarm before the pause

On May 15, while community members were still discussing the scale of losses, they first noticed a detail on Discord: THORChain's TC Router address had initiated unreasonable transfer requests to multiple chains almost simultaneously. On the BTC side, there were multiple large transfers to a single external address, and similar patterns of asset transfers from the same routing address could also be seen on Ethereum, BNB Chain, and Base. These transfers did not correspond to common cross-chain exchange paths and lacked the context of normal user interactions, quickly earning the label "abnormal" from the community.

As screenshots and transaction hashes were forwarded within the channel, these anomalies were quickly interpreted as potential attack signals. Someone traced and suggested that the suspected stolen Bitcoin might be accumulating at address `bc1q14u94klk265lnfur2ujk9p6uh52f2a8jhf6f37`, approximately 36.85 BTC; while Ethereum and BNB were directed to address `0x82fc0d5150f3548027e971ec04c065f3c93154eb`, approximately 216 ETH plus some BNB. It is important to emphasize that these concentration addresses and amounts are currently based on observed public blockchain data and information gathered from the community; they have not been confirmed by THORChain officials, but before the pause, they had already become the only clear on-chain anchor points for the community trying to piece together the attack's overall picture.

Community triggered the fuse: How the global pause was initiated

As suspicious addresses were posted one by one in the Discord channel, the focus of the discussion quickly shifted from "Where did these coins go?" to "Let's pull the lever down first." After noticing the multi-chain abnormal transfers from TC Router, a community member explicitly suggested activating a global pause in Discord; this was not an abstract clause written in the white paper, but a security switch that could be manually activated in moments of risk. As more participants agreed with the "pause first and discuss later" approach in the discussion, node operators executed a global emergency pause, and the THORChain protocol immediately entered a transaction freeze state, halting cross-chain exchanges overall.

This rapid execution of the pause indicates that THORChain has reserved a mechanism in its design to immediately stop cross-chain exchanges under extreme circumstances, reflecting a willingness to sacrifice usability for smaller losses before the "suspected attack" was fully clarified. On one hand, the global pause provided a last line of defense for potentially affected user assets, preventing more abnormal funds from continuing to spread across multiple chains; on the other hand, with transactions fully frozen, normal users lost liquidity access in the short term, and the protocol itself had to bear the cost of operational interruption and trust volatility. Reports indicate that community developers later confirmed the execution process of this global pause, but the specific trigger thresholds, node collaboration details, and technical paths still await further verification, which will also determine how the outside world evaluates whether this fuse mechanism is a "successful case of rapid response" or a "reluctant restart button under a high-risk system."

ZachXBT and Chinese media amplify the alarm

Once the global pause was implemented, the information vacuum was first broken by an on-chain analyst. On the same day, ZachXBT posted on social media, naming THORChain as potentially experiencing an attack, detailing abnormal transfers on the Bitcoin, Ethereum, BNB Chain, and Base networks, and providing a preliminary loss estimation of over 7.4 million dollars. This became the starting point for the event to move out of the technical circle and enter the larger public view. Soon, several Chinese media outlets such as PANews, Deep Tide TechFlow, and Foresight News published reports based on this wave of information, with titles and content revolving around keywords like "multi-chain abnormal transfers," "suspected loss scale," and "global pause." Some even quoted on-chain observations, mentioning that suspected assets or concentrated towards a few addresses, but these details were clearly labeled as still needing further verification.

In contrast to this wave of high-frequency updates from the community and media, the project team's restraint or near silence stood out. Reports suggest that as of now THORChain's official public channels have not disclosed the technical paths of the attack and the complete response plan in detail, but this claim itself also requires confirmation. In this state of incomplete asymmetry, nodes and developers have internal operation data and disposal progress, while external users and token holders can only see partial on-chain trajectories and secondhand reports, which creates starkly different narratives around the same pause: some consider it a timely self-rescue action in a crisis, while others view it as another exposure of systemic risk, and this narrative difference is directly reshaping external expectations of THORChain's security boundaries and long-term credibility.

Old wounds未愈's new pain: The shadow of THORChain's security rises again

For the outside world, THORChain has always been one of the few decentralized cross-chain liquidity protocols daring to "directly connect native assets" across multiple public chains: users can complete asset exchanges between Bitcoin, Ethereum, BNB Chain, and Base networks without having to entrust their coins to centralized institutions, which has pushed it to the forefront of cross-chain infrastructure. The price of this is that the multi-chain environment and complex cross-chain logic overlap, making it a high-value yet high-risk attack target. Before the current incident, it had already been frequently discussed by the community due to security incidents and controversies. Now, under the premise that it had already introduced security fuse designs, it is still exposed to suspected attacks, with preliminary loss estimates exceeding 7.4 million dollars. This narrative of "old wounds not healed and new pains added" easily amplifies market doubts about its security architecture.

When nodes execute a global pause with a single button, forcing transactions and cross-chain exchanges on the protocol to halt, participant's psychological value is recalibrated: on one hand, the fuse proves that the system at least retains a "last line of defense," locking potential losses within a certain range; on the other hand, with the attack technical details yet to be disclosed and the final flow of funds still unclear, the market has no choice but to label THORChain with a new risk premium in the face of incomplete information. For liquidity-providing users, operators running the nodes, and eco-projects built around it, this multi-chain suspected attack and global pause is not just an unexpected event; it feels more like a collective re-examination of "whether to continue placing trust in this cross-chain solution," and this wave of trust reassessment will ultimately settle as the implicit background for every subsequent launch adjustment, governance decision, and security commitment of THORChain.

What on-chain signals to watch next

The direction that will truly determine future events actually lies in several externally verifiable variables: first, whether THORChain can provide a clear review of the event, attack path, and vulnerability disclosure, along with a simultaneous announcement of remedial and recovery plans. Currently, the attack technical details and complete response plans are still blank in public channels, and if this step continues to be delayed, the market will have no choice but to vote with its feet; second, the subsequent movement of suspected fund addresses, such as the Bitcoin address already marked by the community bc1q14u94klk265lnfur2ujk9p6uh52f2a8jhf6f37 (approximately 36.85 BTC) and the Ethereum and BNB funds suspected to aggregate at 0x82fc0d5150f3548027e971ec04c065f3c93154eb (approximately 216 ETH plus some BNB). Currently, these aggregation pieces of information still need verification, and whether the funds remain stationary or have undergone cross-chain transfers will serve as a reference for determining whether the incident is further spiraling out of control; third, the rhythm of the protocol's recovery from the global pause state—whether it will be phased trials or a full-on reopening. The choice of which path to take will directly impact users’ reassessment of its security commitments. For individual participants, the more challenging decision is to make choices during the information gap: when the causes of the attack, the scope of losses, and the possibility of recourse remain unclear, continuing to place assets on related contracts and routes is essentially betting on systemic uncertainty with one's own position. Therefore, before deciding whether to continue supplying liquidity or restore the use of cross-chain exchanges, everyone needs to first answer one question: under the premise of worst-case scenarios fully realized, how much loss and how long of an uncertain period can one endure.

Join our community, let's discuss, and become stronger together!
Official Telegram community: https://t.me/aicoincn
AiCoin Chinese Twitter: https://x.com/AiCoinzh
AiCoin on-chain: https://aicoin.com/hyperliquid
AiCoin exclusive Hyperliquid benefits: https://app.hyperliquid.xyz/join/AICOIN88
AiCoin exclusive Aster benefits: https://www.asterdex.com/zh-CN/referral/9C50e2

免责声明：本文章仅代表作者个人观点，不代表本平台的立场和观点。本文章仅供信息分享，不构成对任何人的任何投资建议。用户与作者之间的任何争议，与本平台无关。如网页中刊载的文章或图片涉及侵权，请提供相关的权利证明和身份证明发送邮件到support@aicoin.com，本平台相关工作人员将会进行核查。