THORChain exploit and Alephium bridge hack expose forged cross-chain message flaws
THORChain was exploited across Bitcoin, Ethereum, BNB Chain, and Base, with losses rising from an initial estimate of $7.4 million to more than $10.7 million after an Asgard vault was drained. The protocol paused trading after the attack, and community investigators published suspected theft addresses on Bitcoin and EVM-compatible networks. Separately, Alephium disclosed that its private Wormhole-fork TokenBridge was exploited on Ethereum and BNB Chain for about $815,000 after an off-chain backend flaw let forged guardian messages pass through its four-guardian system, enabling the minting of 13.76 million unbacked wrapped ALPH on Ethereum.
New reporting tied the THORChain incident to a privately disclosed but allegedly unremediated proposer-forgery flaw in the Bifrost attestation system. Security firm V12 said it warned THORChain about a critical fund-draining bug, but the protocol silently patched code, did not pay a bounty, and retired its bug bounty program; researchers said a May 6 fix intended to block proposer forgery failed automated testing and was never deployed before the exploit. In Alephium’s case, the project and Blockaid revised earlier claims of guardian key theft and said the root cause was forged malicious events or messages observed and signed because of a backend vulnerability; Alephium shut down the bridge, halted new transactions, and urged holders to pull liquidity from Uniswap and PancakeSwap while the attacker still controls the unbacked tokens.

How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
V12 says it will release PoC for additional THORChain flaws
V12 said it plans to publicly release proof-of-concept exploit code for additional unpatched THORChain chain-halt denial-of-service vulnerabilities. The announcement came alongside its claims that THORChain silently patched the earlier bug, offered no bounty, and retired its bug bounty program.
Alephium and Blockaid revise cause of bridge attack
Alephium and Blockaid revised their initial assessment of the bridge incident, moving away from suspected guardian key compromise. They concluded the roughly $815,000 exploit instead stemmed from forged malicious events or messages being observed and signed due to a backend vulnerability.
Alephium discloses TokenBridge exploit and shuts bridge
Alephium disclosed that its private Wormhole-fork TokenBridge on Ethereum and BNB Chain was exploited via an off-chain backend flaw that allowed forged messages through its four-guardian system. The company shut down the bridge, said no new transactions can be initiated, and warned users to remove ALPH liquidity from Uniswap and PancakeSwap because the attacker still holds 13.76 million unbacked wrapped ALPH.
THORChain pauses trading after exploit
In response to the May 15 THORChain incident, the protocol paused trading. This operational response followed reports of multi-chain losses exceeding $10.7 million.
THORChain exploited across multiple blockchains
On May 15, 2026, THORChain was reported exploited across Bitcoin, Ethereum, BSC, and Base, with losses first estimated at $7.4 million and later updated to more than $10.7 million. The exploit was described as draining an Asgard vault, and suspected theft addresses on Bitcoin and Ethereum-compatible networks were identified.
THORChain developers author proposer-forgery fix
THORChain developers authored a fix on May 6, 2026, intended to prevent proposer forgery. Researchers cited in the report said the patch failed automated testing and was never deployed before the later exploit.
V12 privately discloses critical THORChain vulnerability
Security startup V12 said it privately disclosed a critical THORChain fund-draining vulnerability to the protocol on April 28, 2026. According to V12, the issue could enable theft via a proposer-forgery flaw in the Bifrost attestation system.
Sources
V12 Says THORChain Silently Patched Its Critical Bug, Then Told Researchers the Bounty Is 'Permanently Retired' - The Defiant (thedefiant.io)
Alephium Bridge Loses $815K to Forged Guardian Messages, Not Stolen Keys - The Defiant (thedefiant.io)
Telegram: View @investigations (t.me)


