Blockchain investigator ZachXBT has flagged a possible exploit involving THORChain, saying the cross-chain liquidity protocol was “likely exploited” across Bitcoin, Ethereum, BNB Smart Chain and Base for more than $7.4 million.
The alert, posted in ZachXBT’s Telegram channel, identified 2 addresses tied to the suspected theft: a Bitcoin address, bc1q14u94k1k2651nfur2ujk9p6uh52f2a8jhf6f37, and an EVM address, 0x82fc0d5150f3548027e971ec04c065f3c93154eb. At the time of writing, there was no clearly visible public post-mortem from THORChain confirming the incident, and open searches for the listed addresses did not return a detailed independent write-up.
That leaves the story in an early stage. The claim is serious, but the exact attack path remains unclear. The central question is whether THORChain itself was exploited, or whether stolen funds from another source were moved through THORChain after the fact.
That distinction matters. THORChain is not a standard token bridge that relies on wrapped assets. It is built to support swaps between native assets, including Bitcoin and Ethereum, through vaults operated by validator nodes. Its Bifrost module observes external chain transactions involving THORChain vaults, validates those transactions through consensus, and signs outbound transactions using threshold signature technology. THORChain’s own documentation says Bifrost requires 67% agreement from nodes before processing observed transactions, while vaults are controlled by active validator nodes using TSS rather than a single private key. (docs.thorchain.org)
If the reported theft came directly from THORChain vaults, the incident would point toward a protocol-level issue. That would mean the attacker found a way to cause the system to release real assets without a valid corresponding economic input, or otherwise exploited a flaw in routing, observation, accounting, or vault handling.
If the funds came from user wallets, front-end infrastructure, a third-party integration, or another compromised protocol, the story would be different. In that case, THORChain may have been used as part of the movement of stolen assets rather than being the source of the theft.
The presence of both a Bitcoin theft address and an EVM address is what makes the alert more sensitive. A theft touching Bitcoin, Ethereum, BNB Smart Chain and Base is not the usual shape of a simple single-chain smart-contract bug. It suggests either a shared cross-chain mechanism, a routing problem repeated across networks, or a laundering route that used THORChain’s native asset swap design to move value between ecosystems.
THORChain’s history also explains why the alert drew immediate attention. In July 2021, THORChain suffered 2 back-to-back ETH Router exploits. THORChain’s own post-mortem said the attacks tricked Bifrost into reporting that it had received assets it had not received, with the root cause tied to a Bifrost interface that did not fully account for manipulation in smart-contract events. CoinDesk reported at the time that one of the incidents resulted in an $8 million loss.
That older incident does not prove the same type of flaw is involved now. But it does show why any claim involving THORChain, Bifrost, vaults, or fake transaction recognition is especially sensitive. Cross-chain protocols have a narrow margin for error because they must correctly interpret activity on multiple external chains and then authorize value movement elsewhere.
For now, the strongest verified facts are limited: ZachXBT issued the alert, 2 suspected theft addresses were shared, and the alleged loss exceeds $7.4 million. The unverified part is the mechanism. There is not yet enough public evidence to say whether the attacker exploited THORChain’s core protocol, an external integration, a router path, a front end, or simply used THORChain after compromising funds elsewhere.
The next confirmation point will be on-chain flow. If the listed EVM address received assets directly from THORChain-controlled contracts or vault-linked addresses on Ethereum, BNB Smart Chain or Base, that would strengthen the case for a protocol or routing issue. If the Bitcoin address received funds as the output of swaps following transfers from other compromised wallets, the incident may look more like post-theft laundering through THORChain liquidity.
A second signal would be any pause in THORChain activity. Cross-chain systems often halt or restrict affected routes when validators or maintainers suspect an accounting or vault-level problem. Any chain-specific pause, outbound delay, emergency update, or node operator warning would make the incident more concrete.
Until then, the careful wording is important. This should be reported as a possible THORChain exploit flagged by ZachXBT, not as a confirmed protocol hack. The $7.4 million figure is large enough to matter, but the real market impact depends on the attack path. A front-end or third-party compromise would be damaging. A direct vault or Bifrost-level failure would be more serious because it would raise questions about the core security assumptions behind native cross-chain swaps.