THORChain temporarily paused trading after blockchain sleuth ZachXBT and security firm PeckShield flagged what they described as suspicious, multi-chain activity - an incident several outlets estimated at more than $10 million in losses. The pause affected key protocol operations, including trading and, according to reports, signing, while investigators and ecosystem contributors assessed the scope and root cause.
The situation remains fluid: the incident has been widely described as a suspected exploit rather than a confirmed root-cause breach. Still, multiple reports point to activity spanning Bitcoin, Ethereum, BNB Smart Chain, and Base, highlighting how cross-chain systems can concentrate both liquidity and risk.
What happened: trading paused after suspicious multi-chain activity
On May 15, 2026, multiple crypto news outlets reported that THORChain paused trading following alerts from ZachXBT and PeckShield about suspicious activity that appeared to span multiple networks. The Block reported that THORChain paused trading after the researchers flagged what they characterized as a suspected multi-chain exploit, estimating losses above $10 million.
Coin360 likewise said that trading and signing were paused after suspicious multi-chain activity, citing estimates from ZachXBT and PeckShield putting losses above $10 million. Cointelegraph also reported the protocol halted trading after a suspected exploit above $10 million, framing the event within broader DeFi security concerns.
Because early incident reporting often evolves as forensic work continues, readers should treat initial loss estimates and technical attributions as provisional unless confirmed by post-mortems or official incident updates.
Which chains were reportedly affected
Several reports described the suspected exploit as spanning Bitcoin, Ethereum, BNB Smart Chain, and Base. The Block explicitly listed those networks as part of the suspected multi-chain activity. Gadgets360 also reported that the suspected activity affected the same set of chains and that trading was paused until a specified block.
Multi-chain incidents can be complex to interpret because funds may move across bridges, aggregators, and decentralized liquidity venues in rapid succession. In practice, investigators typically combine on-chain traces, known entity labels, and transaction pattern analysis to distinguish between compromised components, opportunistic arbitrage, and unrelated contemporaneous flows.
Early loss estimates: "above $10 million," but still unconfirmed
Across the cited coverage, the commonly referenced figure was more than $10 million in suspected losses. The Block reported estimated losses above $10 million, while Coin360 said ZachXBT and PeckShield also estimated losses above $10 million. Cointelegraph similarly described the incident as a suspected exploit above $10 million.
It is important to separate two questions in early reporting:
- How much value moved in suspicious patterns (often easier to quantify quickly).
- How much value was irreversibly lost due to an exploit (harder to confirm without deeper tracing and protocol-side analysis).
Until THORChain or independent analysts publish a definitive post-incident accounting, the "above $10 million" figure should be considered an estimate based on available on-chain indicators and investigative interpretation.
Why THORChain can be impacted by cross-chain security events
THORChain is designed to enable cross-chain swaps, which inherently requires interacting with multiple external networks and managing assets across environments with different security models, transaction finality, and operational constraints. In any cross-chain system, the attack surface can extend beyond a single smart contract to include:
- Network-specific integrations and transaction-signing logic
- Relayers, validators, and messaging assumptions
- Edge cases in how deposits/withdrawals are observed and attested
- Operational processes for pausing, resuming, or upgrading components
This does not by itself indicate wrongdoing or negligence in any particular incident. It does, however, help explain why security researchers often frame these events as "multi-chain" in nature - because the observed flows and the system's trust boundaries span multiple chains.
Incident response: pausing trading and signing to contain risk
According to Coin360's report, THORChain paused trading and signing following suspicious multi-chain activity. The Block and Cointelegraph both described the protocol halting trading. Gadgets360 reported that trading was paused until a specified block, suggesting the pause was implemented as a controlled, time- or height-bounded measure in response to the alerts.
In DeFi and cross-chain protocols, an immediate pause is a common containment step intended to:
- Prevent additional potentially malicious transactions from executing
- Give maintainers time to analyze suspicious flows
- Coordinate with security partners and independent researchers
- Reduce uncertainty while patches or configuration changes are prepared
Pauses can be disruptive for legitimate users, but they are often viewed as preferable to allowing activity to continue when exploit conditions are suspected and not yet understood.
Possible technical cause mentioned in reports: Bifrost Attestation Gossip bug
While the underlying cause has not been definitively confirmed in the available reporting, Coin360 reported that Blockaid linked the suspected issue to a "Bifrost Attestation Gossip" bug. At this stage, this should be treated as a reported hypothesis or attribution rather than a finalized conclusion unless THORChain or a formal post-mortem validates it.
For readers, the key point is that early technical explanations in security incidents can change as new evidence emerges. Initial attributions can be refined, partially corrected, or replaced after a deeper review of logs, signer behavior, deposit/observation rules, and chain-specific edge cases.
Market reaction: RUNE reportedly fell after the news
Gadgets360 reported that RUNE, THORChain's native token, dropped following the news. Price reactions are common during security incidents due to uncertainty around:
- The size and reversibility of potential losses
- Whether additional vulnerabilities exist
- How long trading or key protocol functions may remain paused
- Potential impacts on liquidity providers and integrators
This article does not make any recommendation to buy or sell RUNE or any cryptocurrency. Market moves around security events can be volatile and are not, by themselves, proof of the final technical outcome.
Context: DeFi security concerns and the broader trend in exploit losses
Cointelegraph connected the THORChain incident to broader DeFi security concerns, citing DefiLlama data on April exploit losses. While the THORChain situation is specific to its own architecture and incident timeline, it arrives amid continued attention on security hardening across DeFi - especially for protocols that touch multiple chains and depend on complex operational workflows.
As the ecosystem grows, security researchers and analytics firms increasingly play a public role by flagging suspicious flows in near real time. That visibility can help contain damage, but it can also create information gaps where early alerts are widely shared before root cause is fully established.
What to watch next: confirmations, post-mortems, and resumption conditions
In the coming days, the most important updates will be those that clarify what is confirmed versus still suspected. Specifically, readers should watch for:
- Official incident updates explaining what triggered the pause and what conditions must be met to resume normal operations
- A detailed post-mortem describing the exploit path (if confirmed), the affected components, and mitigation steps
- Final loss accounting distinguishing between suspicious transfers, recoveries, frozen funds, and unrecovered losses
- Security remediation such as patches, configuration changes, audits, or new monitoring/alerting
Until those details are published, the event should be understood as a protocol response to a suspected multi-chain exploit flagged by prominent security researchers, with early estimates putting losses above $10 million.
Conclusion
THORChain's decision to pause trading after ZachXBT and PeckShield flagged suspicious multi-chain activity underscores how quickly cross-chain incidents can escalate - and how containment actions can become necessary even before a root cause is fully confirmed. Multiple reports pegged suspected losses at more than $10 million and described activity affecting Bitcoin, Ethereum, BNB Smart Chain, and Base, while at least one report referenced a possible link to a Bifrost Attestation Gossip bug.
For now, the key facts are the pause itself and the existence of credible third-party alerts; the outstanding questions are the precise exploit mechanics (if confirmed), the definitive loss total, and the timeline for full restoration of normal protocol operations.