THORChain Under Siege: Three Major Attacks and the Hunt for the Hacker

In mid-2021, THORChain—a decentralized cross-chain liquidity protocol—was rocked by three devastating security breaches within just a few weeks. These attacks not only exposed critical vulnerabilities in its codebase but also raised pressing questions about the identity of the attacker. Were these separate incidents carried out by different threat actors, or was a single, highly skilled hacker behind all three?

Using advanced blockchain analytics, SlowMist’s AML team conducted an in-depth investigation into the attacks, tracking fund flows and uncovering hidden patterns. Here’s a comprehensive breakdown of what happened, how it happened, and whether the same individual could be responsible.

First Attack: The "Fake Deposit" Vulnerability

Overview

The first attack on THORChain occurred on June 29, 2021, exploiting a logic flaw in how the system handled ERC20 tokens with the symbol "ETH." Due to improper validation, attackers were able to deposit fake ETH (an ERC20 token mimicking Ethereum) and have it recognized as genuine ETH within the network. This allowed them to swap the counterfeit tokens for real assets across multiple chains.

According to THORChain's official post-mortem, the losses included:

• 9,352.49 PERP
• 1.44 YFI
• 2,437.94 SUSHI
• 10.62 ETH

👉 Discover how blockchain protocols can prevent similar exploits with enhanced security checks.

Fund Flow Analysis

SlowMist’s MistTrack anti-money laundering system revealed that the attacker began preparations as early as June 21. Initial capital was acquired through ChangeNOW, an anonymous cryptocurrency exchange service. Five days later, on June 26, the attack contract was deployed.

After successfully executing the exploit, proceeds were funneled into multiple addresses before being partially laundered through Tornado Cash, a privacy-focused mixer designed to obscure transaction trails. Some funds remained in two primary wallets: 0xace…d75 and 0x06b…2fa.

Further analysis by SlowMist uncovered additional losses not initially reported by THORChain:

• 29,777.38 USDT
• 78.14 ALCX
• 11.75 ETH
• 0.60 YFI

This highlights a common issue in post-breach assessments—underestimated damages due to incomplete tracking.

Second Attack: Value Override Exploit

Overview

On July 16, 2021, THORChain suffered a second major breach. This time, the vulnerability stemmed from incorrect handling of msg.value during deposit calls. Attackers called the Router contract’s deposit function with an amount parameter set to zero but attached actual ETH value (msg.value) to the transaction.

Due to flawed logic, the system used the attached ETH value instead of the declared zero amount, effectively allowing attackers to deposit “nothing” while receiving full credit.

Official losses reported:

• 2,500 ETH
• 57,975.33 SUSHI
• 8.74 YFI
• 171,912.96 DODO
• 514.52 ALCX
• 1,167,216.74 KYL
• 13.30 AAVE

Fund Flow Analysis

MistTrack identified that the main attack address (0x4b7…c5a) received its initial 10 ETH from Tornado Cash, reinforcing the attacker’s focus on anonymity.

Post-exploit, all stolen assets were consolidated into a single beneficiary wallet: 0xace…70e. This address made only one outgoing transaction—sending 10 ETH back through Tornado Cash—suggesting either test behavior or continued obfuscation efforts.

SlowMist discovered unreported losses totaling:

• 2,246.60 SUSHI
• 13,318.35 DODO
• 110,108 KYL
• 243.93 USDT
• 259,237.77 HEGIC

The reuse of privacy tools like Tornado Cash indicates a consistent operational pattern.

Third Attack: Exploiting Refund Logic

Overview

The final blow came on July 23, 2021, when attackers exploited a flaw in THORChain’s refund mechanism. By deploying a malicious contract as their own router, they manipulated the returnVaultAssets function.

They sent minimal ETH to trigger a deposit event with falsified asset and amount parameters and crafted an invalid memo that caused node processing to fail. As a result, the system entered its refund logic path—incorrectly releasing large sums to the attacker.

Notably, the memo field in the transaction contained a message directed at THORChain’s team: claiming discovery of multiple critical vulnerabilities affecting ETH, BTC, LYC, BNB, and BEP20 assets.

Reported losses included:

• 966.62 ALCX
• 20,866,664.53 XRUNE
• 1,672,794.01 USDC
• 56,104 SUSHI
• 6.91 YEARN
• 990,137.46 USDT

👉 See how real-time threat detection could stop such exploits before they escalate.

Fund Flow Analysis

The attack originated from address 0x8c1…d62, which received seed funding from another known attacker wallet: 0xf6c…747. Tracing further back, this address had received exactly 100 ETH from Tornado Cash in December 2020—over six months before the attack.

This long dormancy period suggests careful planning and resource stockpiling. Post-exploit funds were transferred to 0x651…da1, where most remain untouched to date.

Are All Attacks Linked? Investigative Insights

Despite no overlapping wallet addresses across the three incidents, several behavioral patterns point toward a possible single actor:

• Use of anonymizing services: All attacks used ChangeNOW or Tornado Cash for funding.
• Short attack intervals: Occurred within 24 days of each other.
• Escalating scale: Losses grew from ~$350K to ~$8M per incident.
• Unspent proceeds: Most stolen funds remain unconverted, reducing incentive for multiple actors to share spoils.
• Sophisticated knowledge: Exploits required deep understanding of smart contract logic and cross-chain mechanics.

While definitive attribution remains elusive, SlowMist AML assesses it highly likely that one individual or coordinated group executed all three attacks.

As of now, approximately $13 million in stolen assets remain in attacker-controlled wallets**, with total losses exceeding **$16 million when accounting for unreported tokens.

Core Keywords

THORChain attack, blockchain security, smart contract exploit, Tornado Cash, cross-chain vulnerability, cryptocurrency theft, DeFi security, AML analysis

Frequently Asked Questions (FAQ)

Q: What is a "fake deposit" attack?

A: A fake deposit occurs when an attacker tricks a system into accepting a counterfeit token as a legitimate native asset (e.g., passing off an ERC20 token as real ETH). This often exploits parsing or validation flaws in smart contracts.

Q: Why was Tornado Cash used in these attacks?

A: Tornado Cash is a decentralized mixer that obscures transaction trails using zero-knowledge proofs. Attackers use it to launder stolen funds and avoid detection by blockchain analysts.

Q: Could these attacks have been prevented?

A: Yes. Rigorous testing—including edge cases like symbol spoofing and value overrides—and third-party security audits could have identified these flaws before deployment.

Q: Is THORChain still vulnerable today?

A: Following these incidents, THORChain implemented multiple security upgrades and paused operations temporarily to patch vulnerabilities. However, continuous monitoring and proactive defense are essential for any DeFi protocol.

Q: How do AML teams track hacker funds?

A: Platforms like MistTrack use labeled address databases and behavioral analytics to trace fund movements across chains and exchanges, identifying suspicious patterns even after mixing.

Q: What should users do to protect themselves?

A: Avoid granting unnecessary token approvals, use hardware wallets for large holdings, and monitor transaction details closely—especially when interacting with cross-chain bridges or DeFi protocols.

👉 Stay ahead of emerging threats with cutting-edge blockchain security insights.