Chainalysis: THORChain Attack Tied to Weeks of Sophisticated Cross-Chain Funding Activity

Chainalysis said on X that wallets believed to be linked to the THORChain attacker had been moving funds across chains for several weeks before the theft, using Monero, Hyperliquid and THORChain.

According to the firm's tracing, activity began as early as late April, when associated wallets funded Hyperliquid positions via Hyperliquid and Monero privacy bridges. Those funds were converted into USDC and sent to Arbitrum, then bridged to Ethereum. Part of the ETH was later routed into THORChain as newly staked RUNE for a node Chainalysis identified as the attack source.

The attacker later bridged some RUNE back to Ethereum and split it into four routes. One route ultimately led to the attacker: after passing through intermediary wallets, it delivered 8 ETH to the final receiving wallet 43 minutes before the hack. The other three routes showed funds moving in the opposite direction. Between May 14 and May 15, the same wallets bridged ETH back to Arbitrum, deposited it into Hyperliquid and sent it through the same privacy bridge into Monero, with the last transfer occurring less than five hours before the attack started.

As of Friday afternoon, the stolen funds had not moved. Chainalysis said the attacker has demonstrated advanced cross-chain laundering tactics, and the Hyperliquid-to-Monero route may be the next step.