Chainalysis: The THORChain attack source possesses sophisticated money laundering capabilities, transferring funds across chains weeks before launching the attack.

CoinFeed reported on May 16 that Chainalysis published an article on the X platform disclosing the source of the THORChain attack. The article stated that wallets associated with the suspected attackers had been transferring funds through Monero, Hyperliquid, and THORChain for several weeks prior to the attack. The attackers' wallets had deposited funds into Hyperliquid positions through the Hyperliquid and Monero privacy bridges as early as the end of April. The funds were subsequently converted to USDC and transferred to Arbitrum, then bridged to Ethereum. Some of the ETH was then transferred to THORChain to stake RUNE for a newly joined node, which is believed to be the source of the attack.