THORChain Asgard Vault Breach Drained More Than $10 Million Across Nine Blockchains
THORChain disclosed that one of its six Asgard vaults was compromised, enabling unauthorized outbound transactions before the network halted signing activity. Loss estimates ranged from about $10.7 million to more than $11 million, with stolen assets taken across at least nine blockchains including Bitcoin, Ethereum, BNB Smart Chain, Base, Avalanche, Dogecoin, Litecoin, Bitcoin Cash, and XRP. Investigators said the attacker initially dispersed funds across multiple chains and later consolidated proceeds into a two-address cluster, while THORChain said automated detection helped stop additional transfers.
The root cause remained under investigation, with THORChain examining possible issues in the GG20 implementation layer as well as potential infrastructure or operational compromise affecting node operators. The protocol paused signing-related churn activity, delaying validator rotation and other operations, and asked operators to review infrastructure, key management, and Bifrost logs tied to the affected vault. TRM Labs said no actor had been attributed at publication time, but urged compliance teams to quickly screen counterparties and flag deposits linked to tagged addresses as the stolen funds continue to move.

How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
THORChain halts signing and pauses churn during investigation
After detecting the unauthorized transfers on May 15, 2026, THORChain said its automated systems stopped further outbound activity, halted signing, and paused churn operations. The team began investigating possible causes including a GG20 implementation flaw, node operator infrastructure compromise, or other unauthorized-signing vectors, and asked operators to review security and provide Bifrost logs.
THORChain exploit drains over $10.7M from an Asgard vault
On May 15, 2026, an attacker compromised one of THORChain’s six Asgard vaults and executed unauthorized outbound transactions, draining roughly $10.7 million to more than $11 million across at least nine blockchains. Investigators said the attacker initially dispersed funds across chains before consolidating proceeds into a two-address cluster.
OpenLoop confirms 716,000 people affected by January breach
On May 13, 2026, reporting based on OpenLoop’s disclosures said the January breach affected 716,000 individuals, a figure recently reflected in the U.S. Department of Health and Human Services breach portal. The same reporting noted a hacker calling themselves Stuckin2019 claimed responsibility and alleged a larger theft of 1.6 million patient records, though OpenLoop confirmed 716,000 impacted individuals.
OpenLoop reports breach to authorities and issues notification letter
By March 17, 2026, OpenLoop had reported the incident to authorities, coordinated with federal law enforcement, and issued a breach notice. The notice said about 2,200 Rhode Island residents were affected and offered one year of IDX identity and credit monitoring.
OpenLoop data theft occurs during January 7–8 intrusion window
OpenLoop said unauthorized access and data exfiltration occurred between January 7 and January 8, 2026. The company stated the incident did not involve electronic health records, Social Security numbers, or financial account information.
OpenLoop Health discovers unauthorized access to its systems
OpenLoop Health detected a cyber incident on January 7, 2026, and began investigating with external cybersecurity specialists. The company later determined that an unauthorized third party had accessed certain systems and removed data.
Sources
5 references tracked.
THORChain Reports $10.7M Loss From Compromised Asgard Vault - "The Defiant" (thedefiant.io)
THORChain Exploit Drains USD 11M+ Across at Least Nine Chains: What TRM Knows Now | TRM Labs (trmlabs.com)
More than $10 million stolen from crypto platform THORChain | The Record from Recorded Future News (therecord.media)
OpenLoop Health confirms January 2026 Data breach affecting 716,000 (securityaffairs.com)
Oag Ca (oag.ca.gov)


