Sanctuary Intelligence Desk

THORChain runs on a network of Asgard vaults — pooled hot wallets that hold inbound user deposits in their native asset until a swap settles. The vaults rotate as the validator set churns; an old vault drains its remaining balance to its successor and a new one begins accepting deposits. The mechanism resembles a hot wallet at any custodial exchange, with one critical difference: the signing key is held collectively by a TSS (threshold signature scheme) ceremony among the active validator set, never by a single party.
That rotation pattern leaves a characteristic on-chain signature. A high-throughput Bitcoin wallet with a transaction count in the hundreds and a complete turnover history — funded equals spent, balance zero — is consistent with a retired vault that has been fully drained.
`bc1qt8f467qdkpmuflgwvgvvlr86r0kldnnvm7zhyv` matches that signature. 354 transactions across its lifetime. 5,911 BTC of aggregate throughput — that figure is lifetime turnover, not amount held. Current balance zero. Mempool.space's chain stats show every output spent.
This wallet — almost certainly a THORChain Asgard BTC vault, although we cannot independently confirm via THORChain's own API at this writing (Midgard refused connection, Viewblock returned 403) — is the source of the May 15 drain.
For context, this is the fourth time THORChain's vault or bridge layer has been drained. In July 2021 the protocol absorbed two back-to-back hits — roughly $4.9 million through a Bifrost bug, then $8 million a week later through an ETH router exploit — and was paused both times under its `make halt` failsafe. The protocol's security track record is not in question because of one bug; it is in question because the same class of bug keeps finding a way in.
At 07:31:47 UTC on May 15, 2026, in block 949477, the wallet `bc1qt8f467...` sent 36.8535 BTC in a single transaction (`3f21c6876494e798...`) to `bc1ql4u94klk265lnfur2ujk9p6uh52f2a8jhf6f37`.
Within hours the transaction surfaced in security telemetry. PeckShield's automated alerts flagged the transfer. ZachXBT posted to Telegram by 10:11 UTC: "It appears THORChain was likely exploited on Bitcoin, Ethereum, BSC, Base for $10.7M+." THORChain's Mimir governance module flipped both trading-halt and signing-halt parameters at block 26190429, pausing the network for approximately twelve hours and forty-two minutes.
CoinDesk, BanklessTimes, AMBCrypto, Cryptopolitan, Cryptobriefing and The Block published coverage within the next eight hours. Each outlet identified the same two consolidation wallets:
- BTC: `bc1ql4u94klk265lnfur2ujk9p6uh52f2a8jhf6f37`
- EVM: `0xd477b69551f49C0519F9B18c55030676138890Bd`
PeckShield's framing — repeated by every outlet through the first twenty-four hours — was that the funds were "still sitting" at these addresses. TRM Labs, in its initial analysis, declined to attribute the actor and noted attribution remained open. THORChain has not, as of this writing, published a post-mortem.
What the published coverage we tracked did not walk through: by approximately 22:30 UTC the same day, the BTC at `bc1ql4u94...` had been routed through six more wallets and a small constellation of parking addresses. The on-chain data is openly accessible and the major forensic firms (TRM, Chainalysis, Elliptic) have continuous-trace pipelines that almost certainly already hold this. They do not, as a matter of business practice, publish the chain hop by hop in real time — their customers receive it through screening feeds, not blog posts.
Two hours and twelve minutes after the drain, at 09:43:37 UTC in block 949490, `bc1ql4u94...` made its first outgoing transaction. Output split:
- 36.7535 BTC → `bc1qdx4vkwde0jqmlzx7g6vyh35jgexxp7nh403ua5`
- 0.1 BTC → `bc1qw2t8lrpthl6za4tq6zn52weas7wmademmq3hca`
The 0.1 BTC tranche is small relative to the 40 BTC at the consolidation wallet — about a quarter of a percent. It could be a fee allocation, a standard-size change output, or a deliberate staging address that the operator wants to revisit later; the on-chain data alone does not distinguish between the three. The 36.7535 BTC main tranche is the start of the laundering chain.
`bc1qdx4vkw...` was a fresh wallet at this point. Its first incoming transaction is the one in block 949490. Current chain stats: 36.7535 BTC received, all spent, balance zero, three total transactions.
The split-output pattern itself is recognisable. A laundering trail of this kind typically begins with a divided send — one large tranche to advance, one small tranche to either probe the route, allocate fees, or stake out a parallel parking address that can be revisited later. The 0.1 BTC at `bc1qw2t8l...` has not moved in the eighteen hours since.
Seven hours and twenty-one minutes later, at 17:04:49 UTC in block 949540, `bc1qdx4vkw...` made its outgoing transaction. Output split:
- 35.2535 BTC → `bc1q32cmjkwn05wn7wlqd7ywf0qvkydvsd6vkfvy5h`
- 1.5 BTC → `bc1qsq0kn3xdrvwtfque3ae8gdd234lfvrr9v3atjc`
The 1.5 BTC parking address `bc1qsq0kn3...` would later receive a second 2.5 BTC tranche from a different upstream node — bringing its total to exactly 4.0 BTC. The fact that the operator topped this address up from a separate inflow tranche suggests `bc1qsq0kn3...` is not a passive parking spot but an intentional staging destination with a target size in mind.
`bc1q32cmjkw...` chain stats: 35.2535 BTC received, all spent, balance zero, three total transactions.
The seven-hour gap between Hop 2 and Hop 3 is operationally interesting. The earlier and later hops happened within minutes of each other; this one waited. Two structural explanations are plausible: the operator was waiting for additional confirmations or for a specific block-height milestone to reduce reorg risk; or the operator was offline — a single human, processing the laundering one step at a time, rather than an automated pipeline. Without additional context neither is more probable than the other.
While the first 36.85 BTC was working its way down the chain, a second tranche arrived at the publicly named attacker wallet. At 21:00:32 UTC in block 949559, `bc1qt8f467...` (the source vault) sent an additional 3.8743 BTC to `bc1ql4u94...`. Transaction hash `7199089c8313e87e...`.
This raised the cumulative stolen at the attacker's main wallet to 40.7278 BTC.
Three interpretations of the second drain are open. The underlying vulnerability could be exploited multiple times and the attacker returned for a second round; or a separate vault rotation had to settle before the next withdrawal could be authorised; or — a third reading — the second tranche was a THORChain vault-rotation transfer that the attacker was able to intercept in the normal churn process, meaning the timing was driven by the protocol's own schedule rather than the attacker choosing a moment. The third reading would imply persistent access to the TSS ceremony rather than a repeatable bug, which is a materially different attribution problem.
The second tranche, like the first, did not stay long.
Twenty-one minutes after the second-tranche arrival, at 21:21:57 UTC in block 949564, `bc1ql4u94...` made its second outgoing transaction. Output split:
- 1.3743 BTC → `bc1qx9vfh9ct9cpmvfeg5l0jh03kw9uekhf8zkrhwu`
- 2.5 BTC → `bc1qsq0kn3xdrvwtfque3ae8gdd234lfvrr9v3atjc`
`bc1qsq0kn3...` is the same address that received 1.5 BTC during Hop 3. Its total is now exactly 4.0 BTC.
The deliberate top-up to a round number is a small detail, easy to miss, and structurally meaningful. It is the kind of operator behaviour that distinguishes a planned laundering chain from a panicked one.
Twenty-nine minutes after the second-tranche disposal, at 21:50:49 UTC in block 949565, `bc1q32cmjkw...` (Hop 3) made its outgoing transaction. Output split:
- 32.2535 BTC → `bc1q909gg9cyyza4zn80769zlel2r9sjgxaw0jtjhp`
- 3.0 BTC → `bc1qdzv9mnlaelz2l7zt7hzp09xn2yz0j2spgzmnrg`
`bc1q909gg9c...` chain stats: 32.2535 BTC received, all spent, balance zero, two total transactions. The 3.0 BTC parking address `bc1qdzv9mn...` has not moved in the hours since.
At 22:18:24 UTC in block 949569, `bc1qx9vfh9...` — the address that received 1.3743 BTC during the second-tranche disposal — was itself spent. Output split:
- 1.371765 BTC → `bc1qn4a5p40t20e2cyf8z5pzlhjll5wwguahv0ge43`
- 0.0025 BTC → `bc1qs23ggedhsa0svw7guk6scvpeyk4p08qu32jp2l`
The 0.0025 BTC tranche to `bc1qs23gg...` is dust, almost certainly change. The 1.37 BTC at `bc1qn4a5p40...` is the newest substantive holding in the chain. As of this writing it is unspent and we did not find it referenced by name in the press coverage we reviewed.
Eight minutes later, at 22:26:34 UTC in block 949570, `bc1q909gg9c...` (Hop 4) made its outgoing transaction. Output split:
- 29.0535 BTC → `bc1qllmwm58fzv9v9z5q8x72n2e8zspf8y3hnkxjnw`
- 3.2 BTC → `bc1qp3dwdxgcqnrjcmlctz9ff6mnwpzjfaalmz0emv`
This is the current bulk concentration of the THORChain stolen BTC. As of chain tip 949581 — the most recent block at this writing, two blocks past the last attacker movement — `bc1qllmwm58...` has not had a single outgoing transaction. The 29.05 BTC sits there.
Pulling the trail together. All times UTC, May 15, 2026.
| Block | Time | From → To | BTC | Note |
|---|---|---|---|---|
| 949477 | 07:31 | THORChain vault → Hop 1 | 36.8535 | Drain 1 |
| 949490 | 09:43 | Hop 1 → Hop 2 / parking | 36.7535 / 0.1 | |
| 949540 | 17:04 | Hop 2 → Hop 3 / parking | 35.2535 / 1.5 | |
| 949559 | 21:00 | THORChain vault → Hop 1 | 3.8743 | Drain 2 |
| 949564 | 21:21 | Hop 1 → second-tranche split | 1.3743 / 2.5 | |
| 949565 | 21:50 | Hop 3 → Hop 4 / parking | 32.2535 / 3.0 | |
| 949569 | 22:18 | Second-tranche → new wallet | 1.3718 / 0.0025 | |
| 949570 | 22:26 | Hop 4 → Hop 5 / parking | 29.0535 / 3.2 | |
Total stolen (sum of inbound to `bc1ql4u94...`): **40.7278 BTC**, approximately $3.27 million at current spot.
Total currently parked across all downstream addresses: **40.7278 BTC**. The delta is 2,738 satoshis — roughly two dollars in cumulative network fees across all eight transactions. The operator paid sub-dollar fees on $3.3 million of moved value, which says something about both the state of Bitcoin's fee market today and the operator's lack of urgency.
Reconciliation: every satoshi that left the THORChain vault is currently sitting in one of seven addresses. Nothing has been moved to a mixer, exchange, or OTC desk. Nothing has been bridged.
Current address state at chain tip 949581:
| Address | Holds | Status |
|---|---|---|
| `bc1qllmwm58fzv9v9z5q8x72n2e8zspf8y3hnkxjnw` | 29.05 BTC | Bulk, untouched |
| `bc1qsq0kn3xdrvwtfque3ae8gdd234lfvrr9v3atjc` | 4.00 BTC | Parking |
| `bc1qp3dwdxgcqnrjcmlctz9ff6mnwpzjfaalmz0emv` | 3.20 BTC | Parking |
| `bc1qdzv9mnlaelz2l7zt7hzp09xn2yz0j2spgzmnrg` | 3.00 BTC | Parking |
| `bc1qn4a5p40t20e2cyf8z5pzlhjll5wwguahv0ge43` | 1.37 BTC | Newest hop |
| `bc1qw2t8lrpthl6za4tq6zn52weas7wmademmq3hca` | 0.10 BTC | Probe / dust |
| `bc1qs23ggedhsa0svw7guk6scvpeyk4p08qu32jp2l` | 0.0025 BTC | Change |
Inside our dashboard the same trail renders as a connected graph: the source vault as the top-left node, the publicly named attacker as the next, then seven downstream nodes with BTC volume along each edge. The 29.05 BTC bulk at `bc1qllmwm58...` is the dead-end on the right. A compliance officer screening a Bitcoin deposit sees the connection in a single click, and the graph updates as each new hop confirms — the seventh wallet was added to the picture the moment block 949569 was mined.
Bitcoin is one of the four to nine chains the May 15 exploit hit, depending on who is counting; TRM Labs cites at least nine. The EVM-side trail is harder to follow in a comparable hop-by-hop chronicle — Ethereum-style accounts mingle multiple counterparties in a single address — but it does provide a useful piece of the funding signature.
The EVM-side staging hub is `0x82Fc0d5150f3548027e971ec04c065f3c93154eb`. This wallet was funded approximately twelve hours before the BTC drain. Etherscan now carries the public label **"THORChain Exploiter 3"** for it, with a warning note reported by ZachXBT — that part of the trail is in the public record. What is also visible on the address page, and harder to notice without looking, is the inbound funding source: **"Stargate: Pool Native"** — a LayerZero-based cross-chain bridge.
The funding transaction traces upstream to Arbitrum One, via the LI.FI Diamond aggregator (`0x1231DEB6f5749EF6cE6943a275A1D3E7486F4EaE`) calling `swapAndStartBridgeTokensViaStargate`. The Arbitrum source wallet was `0x8e76565472e1303ef3cdef6d4019a8a00e3028a5`, bridging approximately 795.9 USDC.
We cross-checked that source address against published KelpDAO-cluster and Lazarus-cluster attribution — Chainalysis, TRM Labs, The Defiant, Decrypt, Coindesk, the Arbitrum Foundation forum, the Arbitrum Security Council April 21 emergency-action announcement. None of those sources name `0x8e76565472e1303ef3cdef6d4019a8a00e3028a5`. We are not in a position, on the visible data, to associate the address with any previously-known cluster.
What is structurally specific is the funding pattern itself. Cross-chain bridge to staging hub to attack wallet is a different operational signature from the canonical 2026 Lazarus pattern, which routes pre-attack staging funds through Tornado Cash:
- KelpDAO (April 18, 2026, attributed to Lazarus by LayerZero in the April 20 post-mortem): staging wallets funded from the Tornado Cash 0.1 ETH pool.
- Drift Protocol (April 1, 2026, attributed to UNC4736 / TraderTraitor by TRM Labs): a single 10 ETH withdrawal from Tornado Cash on March 11 fed the staging operation.
- Bybit (February 2025, attributed to TraderTraitor by FBI/Mandiant): post-exploit laundering routed through eXch and, subsequently, through THORChain itself.
We are not in a position to attribute the May 15 THORChain attacker. TRM has explicitly declined attribution. THORChain has not published a post-mortem. What we can say is that the visible funding-side signature in this case (Stargate bridge) is structurally different from the visible funding-side signature in recent Lazarus-attributed exploits (Tornado Cash). Whether that difference reflects a different actor, an evolution in DPRK operational tradecraft, or a deliberate decoy is not determinable from the on-chain data alone. None of the three readings should be treated as the leading hypothesis at this stage.
There is one inversion worth naming. For the Bybit and KelpDAO hackers, THORChain was the tool — the protocol that laundered the stolen ETH on its way to terminal off-ramps. If the May 15 attacker turns out to be the same actor, the protocol has now been both weapon and target. That is not a small distinction.
PeckShield, ZachXBT, CoinDesk, BanklessTimes, AMBCrypto, Cryptopolitan, Cryptobriefing, The Block, and TRM Labs each published coverage of the May 15 exploit within the first twelve hours. The coverage we tracked names the BTC consolidation wallet and the EVM consolidation wallet (Etherscan has since labeled the latter "THORChain Exploiter 3" on a ZachXBT-sourced note) but does not walk through the BTC downstream chain.
The reasons are structural rather than analytical, and they are not about us catching anything the major forensic firms missed. PeckShield's automated alert pipeline catches the initial drain and the consolidation wallet but is not built to publish every subsequent hop. ZachXBT's threads typically update when something materially changes the attribution picture — a new exchange deposit, a Tornado Cash entry, a known-attacker-cluster connection — and a multi-hop dispersion across novel addresses is, from a public-thread point of view, less newsworthy than a clean attribution. TRM, Chainalysis, Elliptic and Sanctuary all run continuous-trace pipelines for paying customers; the trail surfaces in those products as it confirms on-chain, not after a write-up. The data sits inside the products. It just doesn't sit inside the press cycle.
Every transaction above is openly visible on mempool.space. The "Stargate: Pool Native" attribution that surfaces the EVM funding source sits on the staging hub's Etherscan page. The trail is there for anyone with the time to follow it from one wallet to the next.
Several questions remain open as of this writing.
**The attacker's identity.** TRM Labs has not attributed. THORChain has not published a post-mortem. The Stargate funding signature differs from documented Lazarus tradecraft, but a difference in funding mechanics is not by itself evidence of a different actor.
**The attack vector.** Whether the THORChain Asgard vault drain was a TSS signing-ceremony exploit, a router-contract bug, an internal-key compromise, or a compromised validator is not visible from the on-chain data. THORChain's post-mortem, when published, will resolve this.
**The next move.** None of the seven downstream addresses has spent a single satoshi as of chain tip 949581. The next outbound transaction will tell investigators more about the operator's intent than any of the preceding moves: a centralised-exchange deposit signals a cash-out attempt; a mixer signals patient laundering; an OTC counterparty signals direct disposal.
**The Arbitrum source address.** `0x8e76565472e1303ef3cdef6d4019a8a00e3028a5` has no public attribution. Whether it is a fresh wallet, a compromised exchange withdrawal address, or part of a larger un-named cluster is not yet visible. A separate trace through Arbiscan, LayerZero scan data, and bridge counterparty records may surface earlier history.
If you are running screening on Sanctuary, every wallet above plus the EVM staging hub is already tagged Critical in your screening feed — the pipeline added each one within minutes of its on-chain confirmation, and the dashboard graph already shows the connections. The list below is for teams running screening by hand or on a vendor that does not surface multi-hop trails by default.
Five operational items.
**One.** Add the seven downstream BTC addresses to your screening at the highest applicable risk tier. The full list is in the table above. Any of them can appear as a deposit at an exchange, OTC desk, or payment processor in the next ninety days; the presence of a deposit from any of them is dispositive.
**Two.** Add the EVM staging hub `0x82Fc0d5150f3548027e971ec04c065f3c93154eb` to ETH-side screening. The hub had 69 transactions in its first day of operation and is the controlling EVM-side wallet for this attacker.
**Three.** Watch `bc1qllmwm58fzv9v9z5q8x72n2e8zspf8y3hnkxjnw` specifically. This is the bulk concentration. The next outbound transaction from this address is the single most consequential data point in the unfolding investigation.
**Four.** Treat the broader THORChain Asgard vault address universe as elevated-risk for the next two weeks. Until THORChain publishes a post-mortem, the possibility of additional vault drains is open. THORChain's vault rotation pattern produces fresh addresses regularly; map the active vault set against your screening data.
**Five.** Cross-reference the Arbitrum source wallet `0x8e76565472e1303ef3cdef6d4019a8a00e3028a5` against your bridge-counterparty data. If the attacker bridged from another chain to fund the EVM staging, the source-chain history may surface a KYC-able earlier wallet.
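The forward trace behind the reconciliation table and the screening items above, as an added example that is not Sanctuary's pipeline code: it walks the page's eight transactions outward from the vault, reports what each reached address still holds and how many hops out it sits, and flags a candidate deposit whose inputs touch the traced set. The transaction list is constructed from the chronology above using the page's rounded amounts, so per-hop fees cannot be reproduced exactly from it.

```python
# Forward trace of the May 15 BTC trail plus a deposit screen. Added example,
# not Sanctuary's code; TXS uses the page's rounded amounts (fees not exact).
from collections import defaultdict, deque

SATS = 100_000_000

def btc(amount: str) -> int:
    """Decimal BTC string -> integer satoshis, avoiding float rounding."""
    whole, _, frac = amount.partition(".")
    return int(whole) * SATS + int((frac + "0" * 8)[:8])

VAULT = "bc1qt8f467qdkpmuflgwvgvvlr86r0kldnnvm7zhyv"  # Asgard vault (source)
HOP1 = "bc1ql4u94klk265lnfur2ujk9p6uh52f2a8jhf6f37"   # consolidation wallet

# (block, sender, [(recipient, btc)]) as given in the page's chronology
TXS = [
    (949477, VAULT, [(HOP1, "36.8535")]),
    (949490, HOP1, [("bc1qdx4vkwde0jqmlzx7g6vyh35jgexxp7nh403ua5", "36.7535"),
                    ("bc1qw2t8lrpthl6za4tq6zn52weas7wmademmq3hca", "0.1")]),
    (949540, "bc1qdx4vkwde0jqmlzx7g6vyh35jgexxp7nh403ua5",
     [("bc1q32cmjkwn05wn7wlqd7ywf0qvkydvsd6vkfvy5h", "35.2535"),
      ("bc1qsq0kn3xdrvwtfque3ae8gdd234lfvrr9v3atjc", "1.5")]),
    (949559, VAULT, [(HOP1, "3.8743")]),
    (949564, HOP1, [("bc1qx9vfh9ct9cpmvfeg5l0jh03kw9uekhf8zkrhwu", "1.3743"),
                    ("bc1qsq0kn3xdrvwtfque3ae8gdd234lfvrr9v3atjc", "2.5")]),
    (949565, "bc1q32cmjkwn05wn7wlqd7ywf0qvkydvsd6vkfvy5h",
     [("bc1q909gg9cyyza4zn80769zlel2r9sjgxaw0jtjhp", "32.2535"),
      ("bc1qdzv9mnlaelz2l7zt7hzp09xn2yz0j2spgzmnrg", "3.0")]),
    (949569, "bc1qx9vfh9ct9cpmvfeg5l0jh03kw9uekhf8zkrhwu",
     [("bc1qn4a5p40t20e2cyf8z5pzlhjll5wwguahv0ge43", "1.371765"),
      ("bc1qs23ggedhsa0svw7guk6scvpeyk4p08qu32jp2l", "0.0025")]),
    (949570, "bc1q909gg9cyyza4zn80769zlel2r9sjgxaw0jtjhp",
     [("bc1qllmwm58fzv9v9z5q8x72n2e8zspf8y3hnkxjnw", "29.0535"),
      ("bc1qp3dwdxgcqnrjcmlctz9ff6mnwpzjfaalmz0emv", "3.2")]),
]

def trace_forward(seed, txs):
    """Breadth-first walk from a tagged address over outgoing transactions.
    Returns (hops, held): hops[a] is a's distance from the seed; held[a] is
    traced receipts minus traced sends in satoshis. The seed's own inflows
    are not traced, so -held[seed] is the amount that left it."""
    by_sender = defaultdict(list)
    for _, sender, outs in txs:
        by_sender[sender].extend(outs)
    hops, held, queue = {seed: 0}, defaultdict(int), deque([seed])
    while queue:
        addr = queue.popleft()
        for nxt, amount in by_sender.get(addr, []):
            held[nxt] += btc(amount)
            held[addr] -= btc(amount)
            if nxt not in hops:  # first time reached: record its hop depth
                hops[nxt] = hops[addr] + 1
                queue.append(nxt)
    return hops, dict(held)

def parked(hops, held, txs):
    """Reached addresses with no outgoing transaction yet, and their balance."""
    spenders = {sender for _, sender, _ in txs}
    return {a: held[a] for a in hops if a not in spenders}

def screen_deposit(input_addrs, hops):
    """{address: hop distance} for each deposit input found in the trace.
    An empty result means no direct link to this chain, nothing more."""
    return {a: hops[a] for a in input_addrs if a in hops}

if __name__ == "__main__":
    hops, held = trace_forward(VAULT, TXS)
    print(f"left the vault: {-held[VAULT] / SATS:.8f} BTC")
    for a, sats in sorted(parked(hops, held, TXS).items(), key=lambda kv: -kv[1]):
        print(f"hop {hops[a]}  {a}  {sats / SATS:.8f} BTC")
```

Run stand-alone it lists the seven unspent addresses from the state table with their hop depth; a screening pipeline would instead feed each new confirmed transaction into `TXS` and re-run the walk so the tainted set grows as the chain does.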
The trace above took us roughly eight hours by hand — analysts watching mempool.space and Etherscan, copying transaction outputs across tabs, writing the chronology, cross-checking the Arbitrum source against published Lazarus and KelpDAO reporting from Chainalysis, TRM Labs, The Defiant, Decrypt, Coindesk, the Arbitrum Foundation forum and Bitcoin News. That is the manual version, written so any compliance team or independent researcher can reproduce it.
Inside Sanctuary's pipeline the same trace ran in seconds, and the trail surfaced to customer dashboards as each hop confirmed on-chain.
Here is what we built. A continuous monitor watches Bitcoin, Ethereum, BSC, Base, Avalanche, Polygon, Tron, Solana, TON, Doge, Litecoin and Bitcoin Cash — twelve chains. When a tagged address moves, the pipeline follows the outputs forward, builds the next layer of the graph and writes the new nodes into the intelligence set. That set currently holds 9.87 million entity labels and 1.42 million intelligence flags drawn from twenty-plus sources — OFAC SDN, Tether and USDT freeze records, the public Lazarus and KelpDAO clusters, mixer deposit enumerations, exchange address books, dark-market attribution, scam aggregators, sanctions lists from the EU, UK, OFSI, Canada, Japan, Australia and a dozen other jurisdictions.
The graph is the product surface. Paste any of the eight downstream addresses from the table above into the wallet-check at [sanctuary.cv](https://sanctuary.cv) and the dashboard renders the full hop chain back to the THORChain Asgard vault, the EVM-side staging hub through Stargate, and the parking constellation around the bulk wallet. The same surface is available through our API for exchanges screening deposits programmatically, and through `@sanctuaryapp_bot` on Telegram for OTC desks and field operators running checks from a phone.
The May 15 THORChain trail is one of the active laundering chains the pipeline is following this week. The others — older clusters, currently-active operators across the twelve chains — surface to customer feeds the same way, on the same continuous loop.
For compliance buyers: paste a wallet at [sanctuary.cv](https://sanctuary.cv). The graph is the demo.
Press coverage of a major exploit captures the first hop within hours. The downstream laundering chain unfolds over the next twelve to seventy-two hours and, as a rule, doesn't make it into the next news cycle — the firms with continuous-trace pipelines surface it to their customers through screening feeds rather than blog posts. By the time it shows up in a public research-firm write-up, the operational window for a compliance team to act on it has narrowed.
For Sanctuary customers the continuous-trace pipeline does this work in the background — every minute, across twelve chains, for every wallet and every counterparty in the screening set. Teams without that pipeline are doing the same trace by hand, in a browser tab, after the press cycle has moved on. The first hop is reported; everything after the first hop is operational intelligence — and the question for any compliance team in 2026 is whether to earn it manually or have a system earn it for them.
The current bulk of the THORChain stolen BTC sits at `bc1qllmwm58fzv9v9z5q8x72n2e8zspf8y3hnkxjnw`. The next move from that address will tell us, in operational terms, what kind of attacker we are dealing with. Sanctuary customers will see the next hop in their dashboard within seconds of it confirming.
Paste the wallet at [sanctuary.cv](https://sanctuary.cv).
Watch the chain. The chain will tell.