THORChain said a malicious node operator exploited a vulnerability in its GG20 threshold signature system to drain about $10.7 million from one of the protocol’s vaults.

The GG20 threshold signature scheme is used to secure THORChain vaults by splitting key control across multiple node operators, meaning no single node normally holds the full private key.

The vulnerability allowed the malicious node operator to reconstruct a full private key for one vault, through “progressive key material leakage,” the protocol said in a post-mortem report released on Wednesday.

THORChain said its automatic solvency checks triggered within minutes and halted signing and trading across multiple chains without human intervention. Node operators subsequently coordinated via Discord for a full network halt within two hours after and deployed a patch to fix the vulnerability.

The post-mortem report shows that the protocol’s automatic solvency checks functioned and stopped the exploiter from draining more funds. The report comes a week after blockchain investigator ZachXBT first flagged the $10 million exploit, shortly before THORChain announced a halt to all trading and signing.

The incident adds to a resurgence in crypto exploits, which stole more than $634 million in April, according to DefiLlama data.

Timeline of the $10 million THORChain exploit. Source: THORChain

THORChain weighs recovery path without RUNE sales

THORChain said Friday that the post-exploit recovery path will be determined by a community consensus and published governance proposal ADR-028, with votes currently open for node operators.

The proposal would have THORChain absorb losses first through protocol-owned liquidity and spread the remainder across synth holders. It would deplete protocol-owned liquidity but redirect a portion of protocol income to replenish it over time, without minting or selling THORChain (RUNE) tokens.

ADR-028 community proposal for recovery after $10 million exploit. Source: Gitlab

THORChain also offered a recovery bounty for the return of the stolen funds and said it would slash the attacker’s malicious node while protecting innocent nodes that were placed in the same vault as the exploiter.

Related: Polymarket team says user funds safe as exploit losses climb above $600K

ADR-028 proposes keeping the existing GG20 TSS framework in a patched and upgraded version and said it will resume trading only after the vulnerability is fixed, drawing mixed reactions from crypto industry watchers.

Pseudonymous crypto project analyst Bird said the initial vulnerability suggests that the GG20 TSS signing stack has a “flaw in randomness generation or local signing isolation,” but praised THORChain’s auto-safeguard for limiting the damage done by the exploit.

Other industry watchers were more critical of the decision. “My mental model is that GG20 has many brittle assumptions. You can keep patching it, but it will forever be a bit of a black box,” wrote crypto investor JP in a Wednesday X post.

RUNE/USD, 1-week chart. Source: CoinMarketCap

The RUNE token’s price fell 15.5% in the week following the exploit, but staged a 4% recovery in the 24 hours leading up to 11:00 a.m. UTC on Friday, CoinMarketCap data shows.

Magazine: The legal battle over who can claim DeFi’s stolen millions 

Gold fell below $4,500 per ounce on Friday as both spot prices and New York futures dropped about 0.94 percent, extending a sharp pullback from this year’s record highs.

Early on May 22, gold slipped below $4,500 as spot and New York futures fell 0.94 percent, after the metal broke a key psychological level during New York trading.

Why did gold fall below $4,500 today?

In a widely cited follow up post, market watcher OnChainHutan said gold “slipped below $4,500, closing around $4,497.29 – $4,535.60 depending on the contract,” adding that the drop came as the US dollar hovered near a six week high and oil pushed above $97 per barrel.

That combination reinforced a familiar macro squeeze for bullion, since a stronger dollar makes gold more expensive for buyers in other currencies while higher energy costs fan inflation fears and push traders to price in the risk of tighter policy rather than imminent cuts.

According to OnChainHutan, futures markets are now “fueling bets the Fed may hike rates later this year,” with markets “pricing in a roughly 58 percent chance” of another move, a shift that directly undermines the appeal of a non yielding asset that earlier soared on expectations of aggressive easing.

The pullback lands just months after gold repeatedly punched through records above $4,900 per ounce, driven by central bank buying, geopolitical stress and wagers that Federal Reserve chair would have to slash borrowing costs into a slowing US economy.

In April, analysts surveyed by Investing.com still projected a median 2026 gold price of about $4,916 per ounce, underscoring how far sentiment has swung in a matter of sessions as spot now tests the lower edge of a $4,300 to $4,700 trading corridor highlighted in prior rate cut driven rallies.

What does the gold slide signal for risk assets and crypto?

Reactions on X captured the emotional whiplash, with one user noting that “gold drops 1 percent and suddenly everyone becomes a long term investor again,” while another user quipped that a “tiny red candle creates more panic than ten green ones create excitement.”

OnChainHutan argued that “gold pulling back while risk assets stay strong says a lot about current market sentiment,” pointing to an environment where equities and high beta plays have held up despite renewed Iran war risks, a dynamic also visible in recent crypto market outlook coverage of how traders fade geopolitical headlines.

Earlier this month, gold briefly fell back toward $4,500 per ounce on “heightened inflation fears” after a three percent intraday drop wiped out two weeks of gains, a move that foreshadowed today’s breach of the same level as investors reassessed whether bullion had outrun its macro narrative.

Analysts have warned that if the Fed leans more hawkish into the summer, bullion could spend extended time below $4,500 before any renewed push toward the $4,700 to $5,000 band that technical strategists previously mapped out once prices cleared $4,300 and $4,400.

For crypto traders, the move matters because this year’s record breaking gold surge above $4,900 per ounce ran alongside a powerful rally in Bitcoinm (BTC), as both assets traded like alternative macro hedges on US policy risk and Middle East tension.

If the market now believes the Federal Reserve is more likely to hike than cut, that same macro repricing could pressure high flying digital assets, just as it has started to bleed some air from bullion’s record run, something earlier crypto market outlook and ceasefire reports have highlighted whenever rate expectations flip.

Security exploits are weighing on institutional appetite for decentralized finance (DeFi), even as broader crypto adoption continues through stablecoins and tokenized assets.

In an April research note, JPMorgan analysts said that bridge security remains a challenge for the industry, raising questions on whether DeFi can grow to support further institutional adoption. 

The recent exploit on the Versus-Ethereum bridge was the eighth major attack against DeFi bridges in 2026 so far, with cumulative losses totalling $328.6 million.

DeFi bridges remain prime targets for hackers seeking to steal millions of dollars. Source: PeckShield

Misha Putiatin, CEO of smart contract security firm Statemind and co-founder of DeFi protocol Symbiotic, said he regularly fields calls from major traditional institutions exploring DeFi exposure, often with bad timing. 

“Five minutes before I have a call with a big traditional institution, another big hack,” he told Cointelegraph. 

“They sit there looking at me like, ‘Is this normal? Is this every day for you?”

Still, institutions may get into DeFi, but the terms on which they arrive could reshape it into something that looks a lot more like traditional finance than the open, permissionless system its builders envisioned. 

DeFi has become too complex for DYOR

At the beginning of April, North Korea’s Lazarus Group was implicated in the $285 million Drift Protocol exploit, carried out through a months-long social engineering campaign in which infiltrators approached Drift contributors at an in-person crypto conference.

The same actors were blamed for the KelpDAO breach a few weeks later, which drained about $290 million from the protocol’s cross-chain bridge. 

Total value locked across DeFi fell to around $86 billion from just under $100 billion in two days following the KelpDAO hack in April. The outflows came from pools with no direct exposure to compromised assets, said JPMorgan analysts.

DeFi pools lost around $14 billion following the attack on KelpDAO. Source: DefiLlama

Related: Wall Street’s tokenization boom has a liquidity problem: Axis CEO

Putiatin said the complexity of modern DeFi makes it nearly impossible for ordinary users to know where their risk actually sits. “Do your own research doesn’t work anymore,” he said. “It hasn’t been working for a really long time.”

He explained that the system has become too interconnected and complex to trace. 

For example, when a user deposits Ether (ETH) to earn yield while never touching any other token, they can still get hit by a breach on a bridge connected to a token they’ve never even heard of. 

Do your own research, or DYOR, is an industry mantra born in the early days of Bitcoin, when protocols were simple enough that a user could read a whitepaper and make an informed decision. 

Today, with smart contracts running up to tens of thousands of lines of code, protocols layered on top of one another, and new services and tokens launching at breakneck speed, that expectation has become almost impossible to meet.

“I’m not ever expecting people that just want to invest their money to ever figure out every part of the stack themselves,” Putiatin said.

“I’m not going to spend the next two years of my life trying to figure out how to get a 6% yield,” he added, claiming that traditional finance alternatives are close enough in return that the DeFi’s security risk rarely makes sense for most investors.

A shrinking premium for an unquantifiable risk

Tether (USDT), the world’s largest stablecoin, offers a supply APY of 2.74% on Aave’s Ethereum market, the biggest DeFi lending protocol. That’s below the 3.57% available on a three-month US Treasury bill. Circle’s USDC (USDC) fares better at 4.14%.

Supply and borrow APY on Aave’s Ethereum market. Source: Aave

Related: Why stablecoins and SWIFT may have to coexist

Putiatin said institutions see this clearly, even if they struggle to quantify it precisely. The problem is that institutions have no reliable framework for pricing the hack risk sitting underneath them. 

“They can’t price risk properly,” he said. “So they discount the yield we provide by a lot.”

DeFi yields have compressed as the market has matured, eroding the premium that once justified the risk. 

At the same time, the hacks have not slowed down. For investors used to underwriting risk with actuarial precision, shrinking upside and unquantifiable downside is a hard sell.

The cost of DeFi’s seat at the table

Putiatin’s benchmark for when DeFi has genuinely turned a corner is an onchain insurance system capable of underwriting hack risk across the entire ecosystem and pricing it with the kind of actuarial precision that institutions require.

“When we have circuit breakers, curators that can do due diligence, and a framework for that — we will get the fourth one that we desperately need as an industry,” he said. “We will get insurance.”

DeFi has lost over $7.76 billion to exploits, according to DeFiLlama data tracing back to 2016. Though DeFi insurance providers exist, their capacity remains too small to backstop anything approaching institutional scale.

Without that infrastructure, institutions that do come in will do so on their own terms, demanding full know-your-customer checks, custodial controls and tokens that can be frozen at any time.

The open, permissionless architecture that made DeFi worth building gets stripped to satisfy compliance requirements.

“All of the benefits that we have as an industry, they kind of go away,” he said. “Blockchain becomes just a database.”

It is an outcome Putiatin finds more troubling than the hacks themselves. The hacks, at least, are a problem the industry can work on. A version of DeFi that institutions have hollowed out to make it safe enough for their mandates is a surrender of everything the technology was supposed to change.

Magazine: 5 tech predictions the mainstream media got horribly wrong

Bitcoin miner MARA Holdings spent $4.3 million on personal security for CEO Fred Thiel in 2025, including $430,780 to armor a vehicle, as crypto companies respond to rising physical attacks on industry executives and investors.

MARA, the seventh-largest Bitcoin mining company worth more than $5 billion, also spent about $58,810 on Thiel’s home security installations and reported additional expenses related to the security measures of other executives, according to its DEF 14A filing with the US Securities and Exchange Commission on April 30.

The filing shows that MARA spent a total of $4.3 million on Thiel’s security during fiscal year 2025, including the armored vehicle, bodyguards and home security fortifications.

Thiel’s security costs rose sharply from 2024, when MARA reported $191,040 in personal security costs for the CEO. His total “All Other Compensation” rose to $4.4 million in 2025 from $201,390 a year earlier.

MARA Holdings DEF 14A filing for fiscal year of 2025 with the Securities and Exchange Commission. Source: SEC.gov

The disclosures come as crypto-linked physical attacks, often called wrench attacks, have increased globally. The spending shows how physical security has become a material corporate cost for some crypto companies as executives face threats tied to the public visibility and portability of digital assets. Unlike traditional financial theft, wrench attacks use coercion, kidnapping or violence to force victims to surrender private keys, passwords or account access.

The filing also shows that MARA spent $3.9 million on personal security for chief financial officer Salman Khan in 2025, including $438,380 to armor a vehicle.

Cointelegraph has approached MARA for comment on the growing security spending.

Related: Polymarket team says user funds safe as exploit losses climb above $600K

Wrench attacks targeting crypto investors see alarming rise

Cybersecurity firm CertiK reported 72 verified physical coercion incidents in 2025, up 75% from a year earlier.

France saw the biggest number of such incidents in 2025, with 19 confirmed wrench attacks. In response, Jean-Didier Berger, minister delegate to the interior minister of France, promised to implement new “preventative measures” against these threats.

Crypto wrench attacks, key stats for 2025. Source: CertiK

At least 88 people, including 10 minors, have been reportedly indicted in connection with alleged wrench attacks against crypto owners in France, leading up to April 27.

Earlier in February, a senior employee at Binance’s French unit was the victim of an armed home invasion. French authorities arrested three suspects hours after the break-in, Cointelegraph reported on Feb. 13.

Magazine: The legal battle over who can claim DeFi’s stolen millions  

Jeremy Sturdivant, the 19 year old who received 10,000 Bitcoin for two pizzas in May 2010, spent almost all of it long before BTC crossed even $1, let alone today’s five figure levels.

The deal that turned into Bitcoin Pizza Day began on the Bitcointalk forum on May 18, 2010, when Florida programmer Laszlo Hanyecz offered 10,000 BTC to anyone willing to get him “a couple of pizzas” delivered to his home.

Four days later Hanyecz posted, “I just want to report that I successfully traded 10,000 bitcoins for pizza. Thanks jercos!” confirming that forum user Jeremy “jercos” Sturdivant had stepped in, paid for two large Papa Johns pizzas with his credit card, and received 10,000 BTC in return.

At the time, those 10,000 BTC were valued at roughly $40 to $41, while the pizzas themselves cost less than $50, underscoring how informal and experimental the trade really was.

Crypto traders now commemorate that transaction every May 22 as Bitcoin Pizza Day, a tradition crypto.news highlighted in a 15th anniversary feature looking back at how both Hanyecz and Sturdivant view the deal years later.

Today Bitcoin (BTC) trades in the tens of thousands of dollars per coin, with the asset topping $76,000 in recent market cap data tracked by crypto.news.

What did Sturdivant do with the 10,000 BTC and where is he now?

Sturdivant did not become a Bitcoin billionaire because he never held the coins for long.

Crypto.news has revisited the episode repeatedly in coverage of Bitcoin Pizza Day, including reporting on how the community uses the anniversary to reflect on price discovery, early adoption, and the tension between using Bitcoin as money versus treating it as a long term store of value.

One recent explainer on Bitcoin’s evolution from novelty payment method to major asset also situates the pizza trade as a key moment in its price discovery history and links it to later phases where BTC broke above $100, $1,000, and eventually five figure territory.

As of today there is no evidence that Sturdivant accumulated a significant new stash of BTC after spending the original 10,000 coins, which means the teenager who once held what would later be hundreds of millions of dollars worth of Bitcoin cashed out of his position long before the asset reached those levels.