THORChain (RUNE)

UPDATE: @THORChain says its $10.7M exploit was caused by a malicious validator abusing a flaw in its GG20 signing system. The network automatically halted trading and signing within minutes. Limiting the damage to one vault while developers investigate and roll out fixes. https://t.co/NNmbDznylL

"The Thorchain attacker started back in April. They had to become a signer/validator. "The signers come together, but the raw key never exists. Somehow the attacker created the raw key. We don't know how. Some people are saying it's a zero day." 🤯 -- Tay https://t.co/UQzizRG5GA

"I think that DPRK must be very upset that someone hacked Thorchain" 🤣🤣🤣 -- Tay https://t.co/ewCzMMPHfZ

Lookonchain discovered three major hacks in just four days • On May 15, THORChain was exploited, with stolen funds exceeding $10M. • On May 18, the Verus-Ethereum Bridge was hacked, with ~$11.5M stolen. • Today, Echo Protocol was exploited, the hacker minted 1,000 eBTC ($76.64M) and has already used it to steal 385 ETH ($821K). What is really going on?

JUST IN: THORChain confirms attack vector is unrelated to known GG20 exploits. Version 3.18.1 releasing tomorrow for node operators. New Discord channel opened for community governance on lost funds https://t.co/aeX5fFFcDq

The THORChain attacker did not just show up and steal $9.8M… They spent weeks rehearsing. >Monero for privacy. > Hyperliquid to move funds without flags. > THORChain to bond a node and get inside the protocol's own infrastructure. The last preparatory transaction happened 5 hours before the attack. The wallet that received the stolen funds was loaded just 43 minutes before. They tested the escape route before they committed the crime. This was a choreographed operation with a weeks-long dry run on the same exact rails they'd use to escape. The full thread by @chainalysis breaks every hop down. Worth reading slowly. 👇

50% of the DeFi TVL is gone since October 📉 And this happens because we are tired of these exploits. > Thorchain ( $RUNE ) on May 15 > Echo Protocol today on Monad ( $MON ) The attacker minting 1k eBTC, borrowing WBTC against a portion of it, and funneling around $821.7K in ETH through Tornado Cash. 👉 HACKS DON’T END WITH THE HACK Every exploit creates a second wave. First, the protocol loses funds. Then users start asking: “Where else am I exposed?” That is when withdrawals begin, LPs pull back, yields collapse, and the TVL chart starts falling again. KelpDAO showed this clearly in April. One major hack, then nearly $13B left DeFi in 48 hours. Now we have seen three hacks in four days. You can imagine what the market is thinking. 👉 THE WEAK POINTS ARE BIGGER THAN CODE The uncomfortable part is that DeFi’s risk is not only smart contracts. 40% of major bridge validators reportedly run on the same three cloud providers. So while the front-end looks decentralized, some of the backbone still depends on the same choke points. That is not a small problem. 👉 THIS IS WHY BIG MONEY HESITATES JPMorgan called hacks the main barrier to institutions entering DeDeFi. And honestly, can you blame them? 40+ protocols have already shut down in 2026. DeFi still has the vision. But right now, the market is not asking “where is the yield?” It is waiting for survival