THORChain
RUNEDecentralized Liquidity Network
News Heat Trend
Project Overview
THORChain is a decentralized cross-chain AMM trading protocol, created by a group of anonymous cryptocurrency developers at Binance's Hackathon in 2018. Its aim is to decentralize cryptocurrency liquidity via a network of public THORNodes and ecosystem products. Access to its native and cross-chain liquidity is open to any person, product, or institution.
THORChain Releases Security Incident Update: Losses to Be Absorbed Through Protocol-Owned Liquidity, Attacker Node Fully Slashed
THORChain has released its fourth update regarding the Asgard vault intrusion incident, publishing the ADR028 proposal and opening voting for node operators. The proposal indicates that the protocol will first absorb losses through its Protocol-Owned Liquidity (POL), with the remaining portion to be borne by synthetic asset holders. The exact proportion is still under evaluation. The POL will be reduced to zero as a result, and the proposal suggests allocating a portion of system revenue over time to gradually replenish it. This plan does not involve minting new RUNE, selling RUNE, or diluting holder equity.On the technical side, the GG20 version will be temporarily retained with a patch upgrade. Trading will resume after the vulnerability is fixed and a successful node rotation is completed. A slower, more security-focused release cadence is planned for the future.Regarding the slashing mechanism, unrelated nodes sharing the same vault as the attacker will be protected, while the attacker's node will be fully slashed. The recovered RUNE will be paired with recoverable assets from the affected vault, and any excess RUNE will be burned.Additionally, THORChain has offered a white-hat bounty to the attacker to recover funds. If a portion of the funds is recovered, the recovery plan will be adjusted proportionally. THORChain emphasizes its commitment to remaining neutral and permissionless, stating it will not censor the attacker's swap transactions after trading resumes.Currently, node operators are voting on the overall direction and principles of the proposal. The specific figures in the ADR are indicative and will be adjusted later via the Mimir mechanism. The goal is to restart the network as soon as possible. A "yes" vote means developers can proceed further along this path.
THORChain: No Refund, Airdrop, or Compensation Plan Has Been Initiated; Community Warned to Beware of Scams
Odaily News: THORChain officially stated that a large number of fake accounts and false information have been spotted on the market, involving activities such as "refunds," "airdrops," and "compensation." Preliminary investigations indicate that user funds were not compromised in the previous security incident. No refund, airdrop, or compensation plan has been initiated. Any accounts claiming otherwise are imposters or are disseminating false information. Further investigation progress and additional details will be announced subsequently.
THORChain: Network Paused Due to Security Incident, Suspected Single Malicious Node Exploiting GG20 TSS Vulnerability to Steal Funds
Odaily Odaily, THORChain posted on platform X that its developers have released an incident update on Discord. Current evidence points to a node thor16uc...cn84q, which recently joined the network, as being associated with the attack. This node is operated by a single malicious actor. The primary hypothesis is that the attacker exploited a vulnerability in the GG20 TSS implementation, causing sensitive key material of vault participants to leak over time. This ultimately enabled the reconstruction of the vault's private key and the execution of unauthorized outgoing transactions.Regarding network status, the network has been paused after multiple node operators executed `make pause`. RUNE transfers and on-chain observation may resume within approximately 12 hours, but transactions, LP operations, signing, and other sensitive operations remain paused.Discussed recovery plans include slashing the affected node's bond, covering losses with protocol-owned liquidity (POL), or other community-driven solutions. THORSec and Outrider Analytics are continuing their investigation. The Treasury is gathering forensic data and coordinating with relevant law enforcement agencies. Full functional recovery is expected to take several days or longer.
THORChain: Asgard Vault Breach Results in Approximately $10.7 Million Loss; User Cross-Chain Transactions Unaffected for Now
According to Odaily, THORChain has issued an emergency announcement stating that after discovering a suspected breach of an Asgard vault, the network has suspended trading operations to respond to the security incident. Preliminary information indicates that user funds remain unaffected, with losses primarily concentrated on the protocol's own capital.The official statement noted that the system automatically detected anomalous behavior and halted signing operations, thereby alerting the community and preventing further asset outflow. The investigation is currently ongoing to determine the root cause of the vulnerability and the full scope of the impact.Known information indicates that this incident involves one of the six Asgard vaults, with estimated losses of approximately $10.7 million. Meanwhile, staked RUNE on the affected nodes has been slashed due to a penalty mechanism triggered by unauthorized outgoing transactions. The network has paused churn operations and delayed the launch of new chains and related features until system stability is restored.THORChain stated that no user cross-chain transactions have been affected so far and has requested node operators to thoroughly inspect their infrastructure, secure key management, and anomalous behavior, and to submit relevant logs to assist the investigation.
Chainalysis Tracks THORChain Attack Source: Proficient Money Laundering Skills, Cross-Chain Fund Transfer Weeks Before Attack
Odaily Chainalysis posted on X platform, stating that prior to the THORChain theft, wallets suspected to be linked to the attacker had been transferring funds through Monero, Hyperliquid, and THORChain for several consecutive weeks. As early as late April, the attacker-associated wallets deposited funds into Hyperliquid positions via Hyperliquid and the Monero privacy bridge. These funds were subsequently converted to USDC and transferred to Arbitrum, then bridged to Ethereum. Some of the ETH was then moved to THORChain to stake as RUNE for a newly joined node, which is believed to be the source of the attack.Subsequently, the attacker bridged a portion of the RUNE back to Ethereum and split it into four chains. One chain went directly to the attacker, passing through intermediate wallets before transferring 8 ETH to the wallet that would ultimately receive the stolen funds, just 43 minutes before the attack. The funds from the other three chains flowed in reverse. Between May 14 and 15, these wallets bridged the ETH back to Arbitrum again, deposited it into Hyperliquid, and transferred it into Monero via the same privacy bridge, with the final transaction occurring less than 5 hours before the attack commenced. As of Friday afternoon, the stolen funds remain untouched, but the attacker has demonstrated sophisticated cross-chain money laundering capabilities. The Hyperliquid to Monero path may be the next move.
THORChain: Asgard Vault Breach Results in Approximately $10.7 Million Loss; User Cross-Chain Transactions Unaffected for Now
According to Odaily, THORChain has issued an emergency announcement stating that after discovering a suspected breach of an Asgard vault, the network has suspended trading operations to respond to the security incident. Preliminary information indicates that user funds remain unaffected, with losses primarily concentrated on the protocol's own capital.The official statement noted that the system automatically detected anomalous behavior and halted signing operations, thereby alerting the community and preventing further asset outflow. The investigation is currently ongoing to determine the root cause of the vulnerability and the full scope of the impact.Known information indicates that this incident involves one of the six Asgard vaults, with estimated losses of approximately $10.7 million. Meanwhile, staked RUNE on the affected nodes has been slashed due to a penalty mechanism triggered by unauthorized outgoing transactions. The network has paused churn operations and delayed the launch of new chains and related features until system stability is restored.THORChain stated that no user cross-chain transactions have been affected so far and has requested node operators to thoroughly inspect their infrastructure, secure key management, and anomalous behavior, and to submit relevant logs to assist the investigation.
PeckShield: THORChain Suffers Attack, Losing Approximately $10 Million in Cryptocurrency Assets
According to on-chain analyst PeckShield (@PeckShieldAlert), THORChain has been hacked, resulting in losses of approximately $10 million in crypto assets, including 36.75 BTC (around $3 million) and roughly $7 million in assets from BNB Chain, Ethereum, and Base.
TrustedVolumes: Attacker Has Laundered Approximately $278,000 in Stolen Funds
According to on-chain analyst PeckShield (@PeckShieldAlert), the TrustedVolumes attacker has laundered approximately $278,000 of stolen funds to date, including depositing 10.2 ETH (approx. $23,600) into Tornado Cash and swapping 110 ETH (approx. $250,000) for BTC via THORChain. Additionally, the attacker attempted to deposit 0.5 ETH into Railgun but subsequently withdrew it. TrustedVolumes was attacked on May 7, resulting in losses of approximately $6.7 million.
A whale swapped 40 BTC for 1,384.6 ETH and transferred the funds via Tornado Cash.
According to on-chain analyst Onchain Lens (@OnchainLens), a whale address swapped 40 BTC (approximately $3.23 million) for 1,384.6 ETH via THORChain, then transferred the funds into Tornado Cash for coin mixing.
Balancer attacker-linked address transferred 5,609 ETH worth $13 million to THORChain over the past 9 hours
according to on-chain analyst Ai Yi's monitoring, an address linked to the Balancer attacker has transferred 5,609 ETH, worth $13 million, to THORChain over the past 9 hours. In November 2025, Balancer was hacked for over $116 million, a incident with the same suspected culprit as the Aave attack, both pointing to the North Korean hacker group Lazarus Group. Both entities have recently been frequently using Tornado Cash for money laundering.
THORChain: ZEC Listing Delayed Due to Recent Zcash Vulnerability Disclosure
According to the THORChain blog, ZEC is in the queue for launch on THORChain. However, due to a recent vulnerability disclosed in Zcash—whose existing patch impacts integrators’ normal operations—THORChain must first complete a minor code modification to its Bifrost module before proceeding. The development team stated that the change is minimal but must be completed prior to ZEC’s launch. Monero (XMR) is currently expected to launch by the end of this month, with ZEC scheduled to follow.
CertiK: Crypto platform attack losses fell to $68.3 million in May, down nearly 90% month-over-month
CertiK data shows attack losses on crypto platforms fell to $68.3 million in May, down nearly 90% from $650 million in April. May became the third month in 2026 with losses below $100 million. Approximately $2.6 million of this came from phishing attacks, and about $9.4 million of the stolen funds have been recovered or returned. The largest single loss in May came from the Verus Protocol cross-chain bridge attack, with $11.5 million stolen; THORChain ranked second, with $10.1 million stolen. Code vulnerabilities were the attack type with the highest losses, totaling approximately $45 million, accounting for 66%; wallet or private key leaks resulted in $13.7 million in losses. Cross-chain bridges were the primary attack targets, suffering losses of $28.6 million, accounting for 42%.
THORChain Releases Security Incident Update: Losses to Be Absorbed Through Protocol-Owned Liquidity, Attacker Node Fully Slashed
THORChain has released its fourth update regarding the Asgard vault intrusion incident, publishing the ADR028 proposal and opening voting for node operators. The proposal indicates that the protocol will first absorb losses through its Protocol-Owned Liquidity (POL), with the remaining portion to be borne by synthetic asset holders. The exact proportion is still under evaluation. The POL will be reduced to zero as a result, and the proposal suggests allocating a portion of system revenue over time to gradually replenish it. This plan does not involve minting new RUNE, selling RUNE, or diluting holder equity.On the technical side, the GG20 version will be temporarily retained with a patch upgrade. Trading will resume after the vulnerability is fixed and a successful node rotation is completed. A slower, more security-focused release cadence is planned for the future.Regarding the slashing mechanism, unrelated nodes sharing the same vault as the attacker will be protected, while the attacker's node will be fully slashed. The recovered RUNE will be paired with recoverable assets from the affected vault, and any excess RUNE will be burned.Additionally, THORChain has offered a white-hat bounty to the attacker to recover funds. If a portion of the funds is recovered, the recovery plan will be adjusted proportionally. THORChain emphasizes its commitment to remaining neutral and permissionless, stating it will not censor the attacker's swap transactions after trading resumes.Currently, node operators are voting on the overall direction and principles of the proposal. The specific figures in the ADR are indicative and will be adjusted later via the Mimir mechanism. The goal is to restart the network as soon as possible. A "yes" vote means developers can proceed further along this path.
THORChain: No Refund, Airdrop, or Compensation Plan Has Been Initiated; Community Warned to Beware of Scams
Odaily News: THORChain officially stated that a large number of fake accounts and false information have been spotted on the market, involving activities such as "refunds," "airdrops," and "compensation." Preliminary investigations indicate that user funds were not compromised in the previous security incident. No refund, airdrop, or compensation plan has been initiated. Any accounts claiming otherwise are imposters or are disseminating false information. Further investigation progress and additional details will be announced subsequently.
THORChain: Network Paused Due to Security Incident, Suspected Single Malicious Node Exploiting GG20 TSS Vulnerability to Steal Funds
Odaily Odaily, THORChain posted on platform X that its developers have released an incident update on Discord. Current evidence points to a node thor16uc...cn84q, which recently joined the network, as being associated with the attack. This node is operated by a single malicious actor. The primary hypothesis is that the attacker exploited a vulnerability in the GG20 TSS implementation, causing sensitive key material of vault participants to leak over time. This ultimately enabled the reconstruction of the vault's private key and the execution of unauthorized outgoing transactions.Regarding network status, the network has been paused after multiple node operators executed `make pause`. RUNE transfers and on-chain observation may resume within approximately 12 hours, but transactions, LP operations, signing, and other sensitive operations remain paused.Discussed recovery plans include slashing the affected node's bond, covering losses with protocol-owned liquidity (POL), or other community-driven solutions. THORSec and Outrider Analytics are continuing their investigation. The Treasury is gathering forensic data and coordinating with relevant law enforcement agencies. Full functional recovery is expected to take several days or longer.
Chainalysis Tracks THORChain Attack Source: Proficient Money Laundering Skills, Cross-Chain Fund Transfer Weeks Before Attack
Odaily Chainalysis posted on X platform, stating that prior to the THORChain theft, wallets suspected to be linked to the attacker had been transferring funds through Monero, Hyperliquid, and THORChain for several consecutive weeks. As early as late April, the attacker-associated wallets deposited funds into Hyperliquid positions via Hyperliquid and the Monero privacy bridge. These funds were subsequently converted to USDC and transferred to Arbitrum, then bridged to Ethereum. Some of the ETH was then moved to THORChain to stake as RUNE for a newly joined node, which is believed to be the source of the attack.Subsequently, the attacker bridged a portion of the RUNE back to Ethereum and split it into four chains. One chain went directly to the attacker, passing through intermediate wallets before transferring 8 ETH to the wallet that would ultimately receive the stolen funds, just 43 minutes before the attack. The funds from the other three chains flowed in reverse. Between May 14 and 15, these wallets bridged the ETH back to Arbitrum again, deposited it into Hyperliquid, and transferred it into Monero via the same privacy bridge, with the final transaction occurring less than 5 hours before the attack commenced. As of Friday afternoon, the stolen funds remain untouched, but the attacker has demonstrated sophisticated cross-chain money laundering capabilities. The Hyperliquid to Monero path may be the next move.
THORChain: ZEC Listing Delayed Due to Recent Zcash Vulnerability Disclosure
According to the THORChain blog, ZEC is in the queue for launch on THORChain. However, due to a recent vulnerability disclosed in Zcash—whose existing patch impacts integrators’ normal operations—THORChain must first complete a minor code modification to its Bifrost module before proceeding. The development team stated that the change is minimal but must be completed prior to ZEC’s launch. Monero (XMR) is currently expected to launch by the end of this month, with ZEC scheduled to follow.
THORChain Releases Security Incident Update: Losses to Be Absorbed Through Protocol-Owned Liquidity, Attacker Node Fully Slashed
THORChain has released its fourth update regarding the Asgard vault intrusion incident, publishing the ADR028 proposal and opening voting for node operators. The proposal indicates that the protocol will first absorb losses through its Protocol-Owned Liquidity (POL), with the remaining portion to be borne by synthetic asset holders. The exact proportion is still under evaluation. The POL will be reduced to zero as a result, and the proposal suggests allocating a portion of system revenue over time to gradually replenish it. This plan does not involve minting new RUNE, selling RUNE, or diluting holder equity.On the technical side, the GG20 version will be temporarily retained with a patch upgrade. Trading will resume after the vulnerability is fixed and a successful node rotation is completed. A slower, more security-focused release cadence is planned for the future.Regarding the slashing mechanism, unrelated nodes sharing the same vault as the attacker will be protected, while the attacker's node will be fully slashed. The recovered RUNE will be paired with recoverable assets from the affected vault, and any excess RUNE will be burned.Additionally, THORChain has offered a white-hat bounty to the attacker to recover funds. If a portion of the funds is recovered, the recovery plan will be adjusted proportionally. THORChain emphasizes its commitment to remaining neutral and permissionless, stating it will not censor the attacker's swap transactions after trading resumes.Currently, node operators are voting on the overall direction and principles of the proposal. The specific figures in the ADR are indicative and will be adjusted later via the Mimir mechanism. The goal is to restart the network as soon as possible. A "yes" vote means developers can proceed further along this path.
THORChain: Network Paused Due to Security Incident, Suspected Single Malicious Node Exploiting GG20 TSS Vulnerability to Steal Funds
Odaily Odaily, THORChain posted on platform X that its developers have released an incident update on Discord. Current evidence points to a node thor16uc...cn84q, which recently joined the network, as being associated with the attack. This node is operated by a single malicious actor. The primary hypothesis is that the attacker exploited a vulnerability in the GG20 TSS implementation, causing sensitive key material of vault participants to leak over time. This ultimately enabled the reconstruction of the vault's private key and the execution of unauthorized outgoing transactions.Regarding network status, the network has been paused after multiple node operators executed `make pause`. RUNE transfers and on-chain observation may resume within approximately 12 hours, but transactions, LP operations, signing, and other sensitive operations remain paused.Discussed recovery plans include slashing the affected node's bond, covering losses with protocol-owned liquidity (POL), or other community-driven solutions. THORSec and Outrider Analytics are continuing their investigation. The Treasury is gathering forensic data and coordinating with relevant law enforcement agencies. Full functional recovery is expected to take several days or longer.
THORChain: Asgard Vault Breach Results in Approximately $10.7 Million Loss; User Cross-Chain Transactions Unaffected for Now
According to Odaily, THORChain has issued an emergency announcement stating that after discovering a suspected breach of an Asgard vault, the network has suspended trading operations to respond to the security incident. Preliminary information indicates that user funds remain unaffected, with losses primarily concentrated on the protocol's own capital.The official statement noted that the system automatically detected anomalous behavior and halted signing operations, thereby alerting the community and preventing further asset outflow. The investigation is currently ongoing to determine the root cause of the vulnerability and the full scope of the impact.Known information indicates that this incident involves one of the six Asgard vaults, with estimated losses of approximately $10.7 million. Meanwhile, staked RUNE on the affected nodes has been slashed due to a penalty mechanism triggered by unauthorized outgoing transactions. The network has paused churn operations and delayed the launch of new chains and related features until system stability is restored.THORChain stated that no user cross-chain transactions have been affected so far and has requested node operators to thoroughly inspect their infrastructure, secure key management, and anomalous behavior, and to submit relevant logs to assist the investigation.
North Korean hackers accounted for 76% of cryptocurrency theft losses in 2026, having stolen over $6 billion cumulatively since 2017.
According to The Block, blockchain intelligence firm TRM Labs released a report stating that North Korean hacker groups stole approximately $577 million in crypto assets during the first four months of 2026—accounting for 76% of global hacking losses over the same period. All these losses stemmed from two major incidents that occurred in April: KelpDAO was attacked by the TraderTraitor group, resulting in $292 million in losses; and Drift Protocol was compromised by another North Korean sub-group, suffering $285 million in losses. Preparations for the latter attack began as early as March 11, and funds were fully extracted within 12 minutes. The two incidents employed distinct money-laundering pathways: stolen funds from Drift remain largely dormant on Ethereum, whereas funds stolen from KelpDAO were rapidly swapped into BTC via THORChain, with subsequent laundering facilitated by Chinese intermediaries. TRM Labs noted that since 2017, North Korea’s cumulative crypto theft has exceeded $6 billion—and its share of global losses has risen steadily, from less than 10% in 2020 to 64% in 2025.
Related news
THORChain: ZEC Listing Delayed Due to Recent Zcash Vulnerability Disclosure
According to the THORChain blog, ZEC is in the queue for launch on THORChain. However, due to a recent vulnerability disclosed in Zcash—whose existing patch impacts integrators’ normal operations—THORChain must first complete a minor code modification to its Bifrost module before proceeding. The development team stated that the change is minimal but must be completed prior to ZEC’s launch. Monero (XMR) is currently expected to launch by the end of this month, with ZEC scheduled to follow.
CertiK: Crypto platform attack losses fell to $68.3 million in May, down nearly 90% month-over-month
CertiK data shows attack losses on crypto platforms fell to $68.3 million in May, down nearly 90% from $650 million in April. May became the third month in 2026 with losses below $100 million. Approximately $2.6 million of this came from phishing attacks, and about $9.4 million of the stolen funds have been recovered or returned. The largest single loss in May came from the Verus Protocol cross-chain bridge attack, with $11.5 million stolen; THORChain ranked second, with $10.1 million stolen. Code vulnerabilities were the attack type with the highest losses, totaling approximately $45 million, accounting for 66%; wallet or private key leaks resulted in $13.7 million in losses. Cross-chain bridges were the primary attack targets, suffering losses of $28.6 million, accounting for 42%.
THORChain Releases Security Incident Update: Losses to Be Absorbed Through Protocol-Owned Liquidity, Attacker Node Fully Slashed
THORChain has released its fourth update regarding the Asgard vault intrusion incident, publishing the ADR028 proposal and opening voting for node operators. The proposal indicates that the protocol will first absorb losses through its Protocol-Owned Liquidity (POL), with the remaining portion to be borne by synthetic asset holders. The exact proportion is still under evaluation. The POL will be reduced to zero as a result, and the proposal suggests allocating a portion of system revenue over time to gradually replenish it. This plan does not involve minting new RUNE, selling RUNE, or diluting holder equity.On the technical side, the GG20 version will be temporarily retained with a patch upgrade. Trading will resume after the vulnerability is fixed and a successful node rotation is completed. A slower, more security-focused release cadence is planned for the future.Regarding the slashing mechanism, unrelated nodes sharing the same vault as the attacker will be protected, while the attacker's node will be fully slashed. The recovered RUNE will be paired with recoverable assets from the affected vault, and any excess RUNE will be burned.Additionally, THORChain has offered a white-hat bounty to the attacker to recover funds. If a portion of the funds is recovered, the recovery plan will be adjusted proportionally. THORChain emphasizes its commitment to remaining neutral and permissionless, stating it will not censor the attacker's swap transactions after trading resumes.Currently, node operators are voting on the overall direction and principles of the proposal. The specific figures in the ADR are indicative and will be adjusted later via the Mimir mechanism. The goal is to restart the network as soon as possible. A "yes" vote means developers can proceed further along this path.
THORChain: No Refund, Airdrop, or Compensation Plan Has Been Initiated; Community Warned to Beware of Scams
Odaily News: THORChain officially stated that a large number of fake accounts and false information have been spotted on the market, involving activities such as "refunds," "airdrops," and "compensation." Preliminary investigations indicate that user funds were not compromised in the previous security incident. No refund, airdrop, or compensation plan has been initiated. Any accounts claiming otherwise are imposters or are disseminating false information. Further investigation progress and additional details will be announced subsequently.
THORChain: Network Paused Due to Security Incident, Suspected Single Malicious Node Exploiting GG20 TSS Vulnerability to Steal Funds
Odaily Odaily, THORChain posted on platform X that its developers have released an incident update on Discord. Current evidence points to a node thor16uc...cn84q, which recently joined the network, as being associated with the attack. This node is operated by a single malicious actor. The primary hypothesis is that the attacker exploited a vulnerability in the GG20 TSS implementation, causing sensitive key material of vault participants to leak over time. This ultimately enabled the reconstruction of the vault's private key and the execution of unauthorized outgoing transactions.Regarding network status, the network has been paused after multiple node operators executed `make pause`. RUNE transfers and on-chain observation may resume within approximately 12 hours, but transactions, LP operations, signing, and other sensitive operations remain paused.Discussed recovery plans include slashing the affected node's bond, covering losses with protocol-owned liquidity (POL), or other community-driven solutions. THORSec and Outrider Analytics are continuing their investigation. The Treasury is gathering forensic data and coordinating with relevant law enforcement agencies. Full functional recovery is expected to take several days or longer.
Chainalysis Tracks THORChain Attack Source: Proficient Money Laundering Skills, Cross-Chain Fund Transfer Weeks Before Attack
Odaily Chainalysis posted on X platform, stating that prior to the THORChain theft, wallets suspected to be linked to the attacker had been transferring funds through Monero, Hyperliquid, and THORChain for several consecutive weeks. As early as late April, the attacker-associated wallets deposited funds into Hyperliquid positions via Hyperliquid and the Monero privacy bridge. These funds were subsequently converted to USDC and transferred to Arbitrum, then bridged to Ethereum. Some of the ETH was then moved to THORChain to stake as RUNE for a newly joined node, which is believed to be the source of the attack.Subsequently, the attacker bridged a portion of the RUNE back to Ethereum and split it into four chains. One chain went directly to the attacker, passing through intermediate wallets before transferring 8 ETH to the wallet that would ultimately receive the stolen funds, just 43 minutes before the attack. The funds from the other three chains flowed in reverse. Between May 14 and 15, these wallets bridged the ETH back to Arbitrum again, deposited it into Hyperliquid, and transferred it into Monero via the same privacy bridge, with the final transaction occurring less than 5 hours before the attack commenced. As of Friday afternoon, the stolen funds remain untouched, but the attacker has demonstrated sophisticated cross-chain money laundering capabilities. The Hyperliquid to Monero path may be the next move.