Chainalysis Traces THORChain Attack Funding Trail, Highlights Advanced Cross-Chain Laundering

ChainCatcher reports that blockchain analytics firm Chainalysis said on X it has identified weeks of pre-attack fund movements linked to the suspected THORChain attacker, spanning Monero, Hyperliquid and THORChain. Chainalysis said that as early as late April, wallets tied to the attacker routed funds through Hyperliquid and Monero privacy bridges to open positions on Hyperliquid, then converted the assets into USDC. The USDC was sent to Arbitrum and later bridged to Ethereum. Part of the ETH was subsequently transferred to THORChain and used as newly staked RUNE for a node Chainalysis identified as the source of the exploit. Afterward, a portion of the RUNE was bridged back to Ethereum and split into four routes. One route led directly to the attacker: following hops through intermediary wallets, 8 ETH reached the final recipient wallet 43 minutes before the attack. The other three routes moved in the opposite direction, with ETH sent back to Arbitrum, deposited into Hyperliquid, and pushed again through the same privacy bridge into Monero. Chainalysis said the last such transfer took place less than five hours before the exploit began. As of Friday afternoon, the stolen funds had not been moved. Chainalysis said the activity shows sophisticated cross-chain laundering capabilities, and the Hyperliquid-to-Monero route could be the attacker's next move.