News
17 May 2026, 16:24
Bitcoin developer warns users after Google email hack reveals risk

Google email vulnerability exposes $BTC users to new phishing threats. Hackers used official Google emails and sites to appear legitimate. (Source: COINTURK NEWS)
17 May 2026, 03:00
$10M Gone: Thorchain Exploit Triggers Security Fears Across DeFi

Blockchain tracking firm Arkham Intelligence has labeled a set of suspicious wallets as "THORChain Exploiter" addresses, with one Bitcoin-linked wallet holding close to 36.85 BTC (worth roughly $3 million) and a separate Ethereum wallet carrying around 216 ETH. The funds are sitting there, visible on-chain, linked to two addresses that security researchers have already flagged publicly.
Who Found It First
The person who spotted the attack before anyone else did was on-chain investigator ZachXBT. He reported suspicious movement tied to THORChain's router infrastructure, describing how attackers shifted roughly $7.2 million in assets (including USDT, USDC, and wrapped Bitcoin) across several blockchains before converting them into ETH. His initial estimate of losses above $7.4 million was later revised upward. The total stolen, according to ZachXBT, may now exceed $10 million.
"Can tell because they did not check the numbers themselves / chains listed. I finished accounting again now and it looks to be $10M+ stolen at least." - ZachXBT (@zachxbt), May 15, 2026
THORChain is a cross-chain trading protocol that lets users swap crypto assets across different blockchains without relying on a centralized exchange. That design also means its infrastructure touches multiple networks at once, and in this case, that became a vulnerability. The attack hit Bitcoin, Ethereum, BNB Chain, and Base simultaneously. Security firm PeckShield independently confirmed the breach. Based on their estimates, attackers walked away with around 36.75 BTC worth close to $3 million, along with roughly $7 million more pulled from the Ethereum, BNB Chain, and Base ecosystems.
Markets React, Team Goes Quiet
RUNE, THORChain's native token, dropped close to 14% in the hours following news of the breach, sliding toward the $0.50 mark as traders moved to cut their exposure. The price drop was fast. The official response was not.
As of reporting, THORChain had not issued a public statement explaining the scope of the exploit or what steps were being taken to address it. That silence has added to the anxiety in the market. The protocol survived earlier security incidents by tapping into treasury reserves and recovery mechanisms, but without clarity from the team, it is difficult to know whether a similar path is possible this time.
A Pattern That Keeps Repeating
Cross-chain infrastructure has repeatedly been the site of major losses in decentralized finance. Bridges and routing systems that connect different blockchains require complex code, and complex code creates more opportunities for something to go wrong. The THORChain attack fits that pattern. The stolen assets remain in the flagged wallets for now. Whether they stay there is another question.
16 May 2026, 21:00
KelpDAO: rsETH Records $936k Net Outflows One Month Post-Hack - Details

The $292 million KelpDAO exploit is among the biggest crypto losses of 2026. The impact of this attack on users' confidence was broad, triggering a $13.5 billion drop in DeFi total value locked (TVL). However, recent developments suggest a return in market confidence.
Investors Move To Accumulate rsETH As KelpDAO Resumes Operations
On April 18, attackers exploited a vulnerability in KelpDAO's LayerZero cross-chain bridge, carting away 152,577 rsETH, valued at $292 million. According to a report from analytics firm Santiment, this day also saw a net inflow of 563 rsETH, worth $1.1 million, into exchanges. Santiment analysts explain that the market reaction is expected, as the exploit has generated concern about the safety of KelpDAO and rsETH. Therefore, investors moved their holdings to exchanges to sell or swap them for other assets, e.g., stablecoins, thereby reducing their exposure to the negative effects of the hack.
"On April 18th, the infamous day of the Kelp DAO exploit, Santiment data showed a large spike of $rsETH moving onto exchanges, with a net inflow of roughly +563 rsETH. This reaction made sense because traders were understandably feeling uncertain around the safety of the…" pic.twitter.com/2ADQe6iskn - Santiment Intelligence (@SantimentData), May 16, 2026
Following the hack, there have been multiple recovery efforts, including coordinated seizures by KelpDAO, Arbitrum, and Aave of the hackers' positions on their respective platforms. In particular, the Aave DAO also issued donations alongside DeFi platforms such as EtherFi, Lido, and Ethena. On May 15, KelpDAO announced a resumption of rsETH activities, including withdrawals, bridging, and protocol operations. Santiment observed that this announcement was shortly followed by a net outflow of approximately 435 rsETH ($936,000) from exchanges.
In line with typical market dynamics, this outflow signals growing investor confidence in rsETH following the recovery process and the lifting of restrictions. There is now a clear shift of rsETH away from exchanges and into self-custody wallets, staking platforms, and DeFi protocols.
THORChain Suffers $11 Million Hack
In other news, the decentralized liquidity protocol THORChain has suffered an attack resulting in losses of $10.8 million, according to an independent on-chain investigator, ZachXBT. The exploits occurred across four blockchains: Bitcoin, Ethereum, Binance Smart Chain (BSC), and Base. As a cross-chain exchange, THORChain enables direct swaps between various blockchains and has previously been used as a laundering rail by bad actors and hackers. Following the recent exploit, WuBlockchain reports that the protocol's management has halted trading and issued a global emergency alert.
Exploits and hacks remain a major security concern for crypto users. According to DefiLlama today, total losses from these malicious activities in 2026 are now $823.9 million. At press time, the total crypto market cap is $2.57 trillion, down 2.74% over the past day.
16 May 2026, 14:22
THORChain warns users as scammers target victims after $10M exploit

THORChain released a statement on X on May 16, asking users to disregard information about it conducting a recovery program following the exploit that drained around $10 million in crypto assets. On the same day that THORChain was clearing the air about misinformation, blockchain analytics firm Chainalysis published on-chain evidence that links the attackers to wallets that were funded weeks before the theft was executed.
THORChain wrote, "We have become aware of multiple fake accounts and false information circulating regarding 'refunds', 'airdrops', compensation claims, and other alleged initiatives." The Bitcoin-focused decentralized exchange stated that, based on their initial findings, no user funds were lost in the exploit. It also stated that they are not currently conducting any refund, airdrop, or compensation programs. It called on users to disregard any account claiming otherwise or impersonating THORChain.
The $10M exploit that rocked ThorChain
Security firm PeckShield estimated the funds stolen from ThorChain at roughly $10 million, including 36.75 BTC (about $3 million) and approximately $7 million in assets from Ethereum, BNB Chain, and Base. The Bitcoin was moved to a single wallet, while more than 3,156 ETH landed in a separate address tracked by Arkham Intelligence, according to Cryptopolitan's earlier reporting.
On May 15, THORChain stated that "Current evidence points toward a newly churned node linked to the attack, likely operated by a single malicious actor." It stated that it is still investigating the exploit but added that its leading theory for what caused it is an exploit in the GG20 TSS implementation, allowing vault key material to "leak over time." The network is currently paused after multiple node operators executed "make pause", but it stated that it is currently working on a restart plan.
So far, the platform has not committed to a recovery plan; however, it stated that all recovery decisions will likely require node governance decisions regarding how to handle losses. THORChain's native token RUNE has since fallen by over 21% in the aftermath, trading near $0.42 as of May 16.
Chainalysis links attacker to pre-staged wallets
Chainalysis published a five-part thread on X on May 16 detailing weeks of preparatory on-chain activity by wallets it connected to the attacker. The firm said attacker-linked wallets moved funds through Monero, Hyperliquid, and THORChain itself before executing the theft. In late April, one such wallet deposited XMR through a Hyperliquid-Monero privacy bridge, swapped the resulting position for USDC, withdrew to Arbitrum, and bridged to Ethereum, Chainalysis stated. The bridged ETH was then split into four branches. One branch connected directly to the attacker's receiving wallet: an intermediary forwarded 8 ETH into it just 43 minutes before the stolen funds arrived, according to the firm's analysis.
THORChain contributors said in a Discord update that current evidence points to a newly churned node linked to the attack, likely operated by a single malicious actor. The leading theory involves a vulnerability in the GG20 signature scheme, according to the protocol's incident update posted on X.
The exploit adds to a string of DeFi security incidents in May 2026. Cryptopolitan has previously reported on exploits of Transit Finance (approximately $1.88 million lost) as well as the ones that occurred at Huma Finance (approximately $101,400 lost) and Ink Finance (around $140,000) earlier in the month, both targeting smart contracts on Polygon.
16 May 2026, 13:00
The $293 million KelpDAO hack shows why DeFi is finally being forced to grow up

For protocol founders and security researchers, the incident reinforced a broader shift underway across crypto: DeFi is no longer primarily battling coding bugs. It's battling complexity.
16 May 2026, 11:26
THORChain Faces Growing Questions Over Long-Term Viability After Six Exploits in Five Years

For the second time in a short span, THORChain has fallen victim to a major security incident, which moves the problem from an isolated blunder to what we, at least, view as consistent systemic weaknesses in its architectural design. In five years this cross-chain liquidity protocol has experienced six separate exploits, each attacking a different layer of its design. Now, in 2026, the latest attack has added a new layer to a troubling cycle that is drawing increasing attention from both investors and users.
Multi-layer Exploits are the Key Focus
THORChain's issues do not come down to one unique flaw. Instead, they lay bare a wider architectural fragility in which new attack surfaces have arisen gradually. In 2021, attackers exploited a vulnerability in the smart contract of an Ethereum router. Through manipulated msg.value events, THORChain suffered two separate losses of $13 million and $2.9 million, which can be attributed to the Bifrost system misinterpreting transaction data.
"Thorchain has been hacked six times in five years, and not once the same way. Each one through a different layer of the architecture. 2021 - Smart contract bug in the ETH Router. Attackers tricked Bifrost into reading manipulated msg.value events. ~$15.5M across three exploits.…" pic.twitter.com/Ub6AbYRTsN - Vadim (AI) (@zacodil), May 16, 2026
A year later the risk shifted away from smart contracts. In 2022, a bug in the validator software led nodes to act non-deterministically, inhibiting consensus throughout part of the network for around 20 hours and raising fundamental questions about KSM's ability to achieve consensus.
Fast-forward to 2023, and the threat landscape was very different. In that incident, the threshold signature scheme (TSS) key generation process had a weakness that allowed a bad validator to steal vault funds.
While developers were quick to pick up on this mistake and halt the network before any funds could be lost, it revealed how fragile important pieces of infrastructure can be.
New Risks From Economic Design And Our Human Weaknesses
The protocol's challenges are not limited to code. In January 2025, THORChain's THORFi lending model was found to have a basic economic defect. The system relied on RUNE to flip all the major assets, including Bitcoin and Ethereum. This assumption broke, however, and around $200 million became effectively trapped within the protocol.
Then, in September 2025, the attack vector turned to human vulnerabilities. A socially engineered Telegram deepfake designed to impersonate co-founder JP73 has been associated with North Korean actors. Using this, the attackers were able to get at his MetaMask keys through iCloud Keychain and make off with $1.35 million. This evolution highlights a more troubling trend: system security can break due to human factors and economic assumptions, even when the code itself does not change.
Exploit of 2026: Crypto Vulnerability Exposed
The 2026 exploit introduces a new failure point, this time within THORChain's cryptographic implementation. The GG20 TSS protocol had a vulnerability that was exploited by a malicious validator. The attacker then leaked critical pieces of material across different signing sessions to piece together the vault's private key, stealing as much as $10.7 million in the process.
This attack is alarming above all because of its sophistication. It was not a bug or design flaw elsewhere in the protocol, but rather laid bare an issue at the very cryptographic heart of Bitcoin, an area one might hope would be reasonably secure when correctly implemented.
Chainalysis Traces Complex Activity Before an Attack
The Chainalysis report on the THORChain attack reveals that the attacker's activity started weeks before the exploit. The operation began with Monero, one of the best privacy currencies in the ecosystem for hiding transaction history. In the last week of April, an attacker deposited XMR into a Hyperliquid position through a Monero bridge. They then swapped these for USDC, withdrew to Arbitrum and bridged further to Ethereum.
The attacker moved hundreds of thousands of dollars' worth of ETH into THORChain, bonded RUNE and set up a freshly churned validator node, now understood to be the point of entry for this attack. Some RUNE was converted back into ETH to maintain the cycle of cross-chain movement. This level of preparation points toward a surgically planned attack instead of an impulsive exploit, running through multiple blockchains and liquidity layers to hide the attacker's actions.
"Before stealing $9.8M from #THORChain, likely attacker-connected wallets spent weeks moving its own funds through Monero, Hyperliquid, and THORChain. On-chain activity ties them to the wallet that would later receive millions of stolen funds. It started with Monero. 1/5" - Chainalysis (@chainalysis), May 16, 2026
Final Moves Prior To The Exploit
The execution phase reveals an additional layer of precision. The bridged ETH went into four separate transaction paths. One route linked directly to the attacker's wallet. Just 43 minutes prior to the exploit, that wallet received 8 ETH, one step away from receiving millions in stolen assets. In the meantime, the three other paths seemed to be pulling out funds. From these wallets too, on the 14th and 15th of May, ETH was bridged back to Arbitrum, deposited in Hyperliquid and routed through Monero using the same privacy bridge once more.
The last in this chain of trades happened just under five hours before the attack started. This detailed breakdown of the attacker's movements demonstrates that this was a coordinated and well-planned operation.
Funds Lie Dormant But Risks Still Linger
The stolen funds remain dormant as of Friday afternoon. Yet this slumber, analysts are quick to caution, might be short-lived. The attacker has also shown just how complex their cross-chain laundering strategies can be. The Monero-Hyperliquid pathway used prior to the exploit continues to be a possible avenue for moving funds around.
Beyond the economic costs of this loss, a larger question is whether this incident constitutes a pattern. Combined, these events represent nearly $227 million in direct losses or "trapped money". Moreover, the protocol is seen as having laundered about $605 million of stolen property, including proceeds related to the Lazarus Group, fuelling its increasingly contentious image.
Every fresh exploit reinforces the same conclusion: THORChain's architecture does not fail predictably; it collapses along new and unexpected vectors. The implication for investors and users is clear. Not only does THORChain risk being hacked again, but it could very well be an unexpected layer of the system that leads to its next failure.












































