THORChain GG20 Threshold Signature Scheme vault drain — ~$11M across nine chains; Switzerland-based protocol

On 2026-05-15 a malicious validator node drained approximately $11M in protocol-owned funds from THORChain, a Switzerland-based decentralised cross-chain liquidity protocol founded in 2018, across Bitcoin, Ethereum, BNB Smart Chain, Base, Avalanche, Dogecoin, Litecoin, Bitcoin Cash, and XRP (The Record, 2026-05-15; TRM Labs, 2026-05-15). The leading technical hypothesis — reported by Chainalysis, PeckShield and Cyvers via CryptoTimes's post-mortem synthesis on 2026-05-17 — is a GG20 Threshold Signature Scheme (TSS) implementation flaw: a node identified as thor16ucjv3v695mq283me7esh0wdhajjalengcn84q joined the active validator set days before the attack, gradually leaked vault key shards during keygen and signing rounds, reconstructed sufficient key material offline, and then forged outbound vault signatures without triggering the protocol's quorum checks. CryptoTimes records verbatim: "the operator (or a compromised machine acting as the operator) exploited a vulnerability in the GG20 Threshold Signature Scheme implementation. Rather than a single dramatic key compromise, the attack appears to have involved the gradual leakage of vault key material during keygen or signing rounds — the kind of malformed-proof exploitation that the TSSHOCK class of CVEs first put on the industry's radar a few years ago." Chainalysis shared an on-chain analysis thread on 2026-05-16 linking attacker-controlled wallets to weeks of preparatory infrastructure staging through Monero and Hyperliquid before the vault drain. TRM Labs traced the proceeds to a two-address cluster within hours but has not attributed the exploit to any specific actor as of disclosure; historical THORChain laundering activity has been dominated by North Korean operators (Lazarus Group, including the $1.5B Bybit and ~$300M KelpDAO thefts per TRM Labs), but no Lazarus attribution is confirmed for this event. The Record reports user balances were not directly drained. Why it matters to us: the relevance to a Swiss / EU public-sector SOC is the technique class, not the cryptocurrency context. Any organisation operating MPC-custody, threshold-signing, or cross-chain bridge validator infrastructure — including FINMA-supervised digital-asset custodians, EU MiCA-regulated DeFi platforms, and any internal HSM-replacement projects that have moved to MPC-TSS — should audit node-admission controls, keygen/signing-round integrity, and whether newly-joined nodes can participate in signing quorums before completing a full security review. The TSSHOCK vulnerability class — CVE-2023-33241 (Fireblocks GG18/GG20 Paillier-ZK-proof flaw) and related GG20/ECDSA-MPC research — showed that malformed or missing zero-knowledge proofs during GG18/GG20 keygen can leak private-key shards across multiple rounds; the THORChain exploit is the second large-scale production demonstration of that theoretical class.