This attack was carefully prepared over weeks, not executed overnight. Chainalysis traced the attacker’s setup back to late April, when a linked wallet moved XMR through a privacy bridge, swapped into USDC, bridged to Ethereum, and bonded RUNE on THORChain to operate as a legitimate validator before executing the exploit.

The attack targeted THORChain’s GG20 threshold signature scheme, where validators jointly sign transactions using split key shares. By exploiting a flaw in the implementation, the attacker gradually extracted enough key material to reconstruct private key and bypass signing process.

THORChain detected abnormal balances within minutes and halted the network through validator coordination and emergency governance actions, without any central authority. Only 1 of 6 Asgard vaults was breached: $10.7M was drained, while the remaining vaults, LP positions, and user funds were unaffected.