
THORChain GG20 Threshold Signature Scheme vault drain


THORChain GG20 Threshold Signature Scheme vault drain — ~$11M across nine chains (Switzerland-based)

Coverage timeline: 1 (first 2026-05-18 → last 2026-05-18)
Entries: 1 (1 distinct day)
Sources cited: 4 (4 hosts)
Sections touched: 1 (active-threats)
Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-05-18 · active-threats · THORChain GG20 Threshold Signature Scheme vault drain — ~$11M across nine chains; Switzerland-based protocol

Where this entity is cited

  • active-threats (1)

Source distribution

  • cryptotimes.io: 1 (25%)
  • nvd.nist.gov: 1 (25%)
  • therecord.media: 1 (25%)
  • trmlabs.com: 1 (25%)

Entries about THORChain GG20 Threshold Signature Scheme vault drain (1)

2026-05-18

THORChain GG20 Threshold Signature Scheme vault drain — ~$11M across nine chains; Switzerland-based protocol

high threat · discovered 2026-05-18 05:00 UTC

On 2026-05-15 a malicious validator node drained approximately $11M in protocol-owned funds from THORChain, a Switzerland-based decentralised cross-chain liquidity protocol founded in 2018, across Bitcoin, Ethereum, BNB Smart Chain, Base, Avalanche, Dogecoin, Litecoin, Bitcoin Cash and XRP (The Record, 2026-05-15; TRM Labs, 2026-05-15).

The leading technical hypothesis, reported by Chainalysis, PeckShield and Cyvers via CryptoTimes's post-mortem synthesis of 2026-05-17, is a flaw in the GG20 Threshold Signature Scheme (TSS) implementation: a node identified as thor16ucjv3v695mq283me7esh0wdhajjalengcn84q joined the active validator set days before the attack, gradually leaked vault key shards during keygen and signing rounds, reconstructed sufficient key material offline, and then forged outbound vault signatures without triggering the protocol's quorum checks. CryptoTimes records verbatim: "the operator (or a compromised machine acting as the operator) exploited a vulnerability in the GG20 Threshold Signature Scheme implementation. Rather than a single dramatic key compromise, the attack appears to have involved the gradual leakage of vault key material during keygen or signing rounds — the kind of malformed-proof exploitation that the TSSHOCK class of CVEs first put on the industry's radar a few years ago."

Chainalysis shared an on-chain analysis thread on 2026-05-16 linking attacker-controlled wallets to weeks of preparatory infrastructure staging through Monero and Hyperliquid before the vault drain. TRM Labs traced the proceeds to a two-address cluster within hours but had not attributed the exploit to any specific actor as of disclosure. Historical THORChain laundering activity has been dominated by North Korean operators (Lazarus Group, including the $1.5B Bybit and ~$300M KelpDAO thefts, per TRM Labs), but no Lazarus attribution is confirmed for this event. The Record reports that user balances were not directly drained.
Why it matters to us: for a Swiss / EU public-sector SOC the relevance is the technique class, not the cryptocurrency context. Any organisation operating MPC custody, threshold signing, or cross-chain bridge validator infrastructure (including FINMA-supervised digital-asset custodians, EU MiCA-regulated DeFi platforms, and internal HSM-replacement projects that have moved to MPC-TSS) should audit its node-admission controls, the integrity of its keygen and signing rounds, and whether newly joined nodes can take part in signing quorums before they have completed a full security review. The TSSHOCK vulnerability class (CVE-2023-33241, the Fireblocks GG18/GG20 Paillier ZK-proof flaw, and related GG20/ECDSA-MPC research) showed that malformed or missing zero-knowledge proofs during GG18/GG20 keygen can leak private-key shards across multiple rounds; the THORChain exploit is the second large-scale production demonstration of that theoretical class.
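The two audit points above (node admission and keygen/signing-round integrity) can be turned into concrete checks over a validator's own logs. The following is an added example, not code from THORChain, CryptoTimes, TRM Labs or any other source cited in this entry: it flags any node that takes part in a signing quorum before a minimum time in the validator set has elapsed (or that was never admitted at all), and rejects any keygen or signing round in which a participant omitted the zero-knowledge proof the protocol requires. The record layout, node names, timestamps and the 7-day review window are constructed assumptions.

```python
"""Audit checks for threshold-signing validator infrastructure (added example).

Constructed illustration, not code from THORChain or any cited source. It
models two controls a TSS operator can audit:

  1. node admission: can a node that joined the validator set only days ago
     already take part in signing quorums, before a review window has passed?
  2. round integrity: does every keygen/signing round message carry the
     zero-knowledge proof the protocol requires, so that a missing or empty
     proof causes the round to be rejected instead of silently accepted?

The record layout, node names, dates and the 7-day window are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class JoinEvent:
    node: str
    joined_at: datetime


@dataclass(frozen=True)
class RoundMessage:
    round_id: str
    kind: str             # "keygen" or "sign"
    node: str
    sent_at: datetime
    proof: Optional[str]  # serialized ZK proof; None or "" means it was omitted


def early_quorum_participants(joins: List[JoinEvent], messages: List[RoundMessage],
                              min_age: timedelta) -> Dict[str, List[str]]:
    """Map node -> signing rounds it joined before being in the set for min_age.

    A signer that never appears in the admission log is flagged as well: it
    should not be able to contribute to a quorum at all.
    """
    joined_at = {j.node: j.joined_at for j in joins}
    flagged: Dict[str, List[str]] = {}
    for m in messages:
        if m.kind != "sign":
            continue
        admitted = joined_at.get(m.node)
        if admitted is None or m.sent_at - admitted < min_age:
            flagged.setdefault(m.node, []).append(m.round_id)
    return flagged


def rounds_with_missing_proofs(messages: List[RoundMessage]) -> Dict[str, List[str]]:
    """Map round_id -> nodes whose message in that round carried no proof."""
    bad: Dict[str, List[str]] = {}
    for m in messages:
        if not m.proof:
            bad.setdefault(m.round_id, []).append(m.node)
    return bad


def audit(joins: List[JoinEvent], messages: List[RoundMessage], min_age: timedelta) -> dict:
    """Combine both checks; every round with a missing proof is listed for rejection."""
    missing = rounds_with_missing_proofs(messages)
    return {
        "early_signers": early_quorum_participants(joins, messages, min_age),
        "missing_proofs": missing,
        "reject_rounds": sorted(missing),
    }


def run_sample() -> dict:
    """Run the audit over constructed sample records (not real log data)."""
    def d(s: str) -> datetime:
        return datetime.fromisoformat(s)

    joins = [
        JoinEvent("node-A", d("2026-04-01T00:00:00")),
        JoinEvent("node-B", d("2026-04-01T00:00:00")),
        JoinEvent("node-C", d("2026-05-12T09:00:00")),  # admitted days before the rounds below
    ]
    messages = [
        # keygen round: node-C's message arrives without its proof
        RoundMessage("r1", "keygen", "node-A", d("2026-05-13T10:00:00"), "proofA1"),
        RoundMessage("r1", "keygen", "node-B", d("2026-05-13T10:00:00"), "proofB1"),
        RoundMessage("r1", "keygen", "node-C", d("2026-05-13T10:00:00"), ""),
        # signing round: node-C takes part three days after joining
        RoundMessage("r2", "sign", "node-A", d("2026-05-15T08:00:00"), "proofA2"),
        RoundMessage("r2", "sign", "node-B", d("2026-05-15T08:00:00"), "proofB2"),
        RoundMessage("r2", "sign", "node-C", d("2026-05-15T08:00:00"), "proofC2"),
        # signing round: node-X never appears in the admission log
        RoundMessage("r3", "sign", "node-A", d("2026-05-15T09:00:00"), "proofA3"),
        RoundMessage("r3", "sign", "node-B", d("2026-05-15T09:00:00"), "proofB3"),
        RoundMessage("r3", "sign", "node-X", d("2026-05-15T09:00:00"), "proofX3"),
    ]
    return audit(joins, messages, timedelta(days=7))


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

In a real deployment the two functions would be fed from the node's admission log and its per-round message store; the point of the second check is that proof presence is verified for every participant in every round, so a single malformed or absent proof is enough to abort the round rather than being tolerated across many rounds.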

“One of THORChain's six vaults was compromised, though the platform's automated systems detected abnormal behavior and halted signing activity, preventing further losses. User funds were reportedly unaffected, with only protocol-owned assets impacted.” — The Record

“At the time of writing, TRM has not attributed the May 15 exploit to any specific actor.” — TRM Labs

“the operator (or a compromised machine acting as the operator) exploited a vulnerability in the GG20 Threshold Signature Scheme implementation. Rather than a single dramatic key compromise, the attack appears to have involved the gradual leakage of vault key material during keygen or signing rounds — the kind of malformed-proof exploitation that the TSSHOCK class of CVEs first put on the industry's radar a few years ago.” — CryptoTimes

Tags: cryptocrime, organized-crime, supply-chain, cloud, switzerland, global