North Korea’s Lazarus Group, notorious for its cyber heists, has found a surprisingly accommodating partner in the crypto world: THORChain. It’s not a secret handshake, more like an open door. After the $1.4 billion Bybit hack – a truly staggering sum, even for these guys – researchers tracked a whopping 85% of the stolen funds flowing through THORChain. That’s over a billion dollars washing through a system built for swapping cryptocurrencies, and nobody seems particularly eager to stop it.
- THORChain has become a popular method for laundering stolen cryptocurrency, particularly funds from the $1.4 billion Bybit hack. Despite requests from law enforcement, THORChain has largely refused to block transactions associated with these illicit funds.
- Validators and wallet developers connected to THORChain have profited significantly from the stolen funds, earning millions in fees. This has raised ethical and legal concerns, with some warning of potential repercussions from regulatory bodies.
- While THORChain proponents defend its decentralized nature, critics argue that it’s being used as a convenient excuse to avoid responsibility for facilitating money laundering. The debate highlights the tension between decentralization and the need to prevent illicit activity in the crypto world.
John-Paul Thorbjornsen, the founder of THORChain and a former Australian Air Force pilot, is now pushing a new wallet, Vultisig, touting its security. Ironically, the increased activity around Vultisig and THORChain itself isn’t due to newfound popularity, but to a surge in illicit funds. He insists he’s largely stepped back from daily operations, but remains the face of a protocol that’s become a laundering machine. “The protocol keeps running and swapping despite chaos,” he told CoinDesk. A bit like a very efficient, very expensive washing machine for dirty money.
A Refusal to Block
The FBI asked THORChain to block transactions linked to the Bybit hack. A reasonable request, you’d think. They said no. Despite the pleas, THORChain’s operators, and the wallets built on top of it – like Asgardex and Vultisig – haven’t lifted a finger. It’s a strange position. Other services, like Tether and a layer-2 blockchain called Mantle, *did* freeze funds linked to the heist. But THORChain? Business as usual. It’s like a digital Wild West, and THORChain is happily providing the saloon.
And people are making money off it. A lot of money. Blockchain security researchers estimate that validators and wallet developers connected to THORChain have pocketed over $12 million in fees from the stolen Bybit funds. That’s a tidy sum, earned by facilitating the movement of money stolen in one of the largest cyber heists in history. A former U.S. Treasury Department official put it bluntly: making money off these fees could land you in hot water with OFAC (the Office of Foreign Assets Control). It’s a risk, but apparently, a risk worth taking for some.
The argument, of course, is decentralization. THORChain’s supporters claim it’s a decentralized protocol, like Bitcoin or Ethereum, and therefore shouldn’t be held responsible for how users choose to use it. But critics aren’t buying it. Taylor Monahan, a blockchain security researcher at MetaMask, points out the hypocrisy: “They claim it’s decentralized when convenient, yet they’re profiting from this.” It’s a bad look, to say the least.
Even some within the THORChain community are getting nervous. A developer known as “TCB” posted on X, warning that the sheer volume of stolen funds flowing through the network is turning it into a national security issue. “This isn’t a game anymore,” they wrote. It’s a sentiment that’s probably echoing in the halls of the FBI right now.
The Bybit hack itself was a classic Lazarus Group operation. The hackers tricked Bybit’s founder into visiting a compromised website, gaining access to Ethereum wallets and making off with $1.4 billion worth of ether. Then came the laundering, a complex process of splitting the funds across multiple wallets and using “cross-chain bridges” – like THORChain – to move the money between different blockchains. Before THORChain, Monahan explains, swapping between Ethereum and Bitcoin was a headache, prone to freezing. Now, it’s remarkably easy, and remarkably attractive to criminals.
Vultisig swaps have collected $200k in revenue so far! 🚀 https://t.co/wJq9q9q999
On February 27th, the FBI circulated a list of addresses linked to the Lazarus Group, urging crypto firms to block transactions. Many did. But THORChain briefly attempted a pause on Ethereum swaps, only to reverse course after community backlash. Thorbjornsen argues that the network isn’t responsible for the actions of its users, since they aren’t required to register. It’s a convenient argument, but it doesn’t sit well with everyone. The lead developer, “Pluto,” even quit in protest.
Decentralization or Just a Convenient Excuse?
Thorbjornsen insists THORChain should be treated like Bitcoin or Ethereum, decentralized protocols that aren’t expected to censor transactions. He points to the network’s 100+ validators as proof of its distributed nature. But critics argue that THORChain isn’t truly decentralized. In January, a single developer paused the network during a liquidity crisis – something that shouldn’t have been possible if the system were truly distributed. And then there’s the admin key, initially controlled by Thorbjornsen himself, which could be used to unilaterally control the network. He now claims the key is managed by others, but the questions remain.
The real issue, perhaps, is who’s profiting. Wallet apps like Vultisig and Asgardex are earning significant fees from the stolen funds. Asgardex, in particular, is designed to avoid tracking and filtering, making it a favorite among those who want to keep their transactions private. Thorbjornsen, while claiming no financial stake in Asgardex, is actively promoting his new wallet, Vultisig, which is already generating revenue – some of which, inevitably, comes from the Bybit hack. It’s a messy situation, and it raises serious questions about the ethics of profiting from stolen funds. It’s a bit like selling shovels to gold miners, except the gold was stolen in the first place.
The debate over THORChain highlights a fundamental tension in the crypto world: how do you balance decentralization with the need to prevent illicit activity? Is a network truly decentralized if it can be controlled by a small group of individuals? And what responsibility do developers and validators have when their platforms are used to launder stolen funds? These are questions that the entire crypto community will need to grapple with, and the case of THORChain is a stark reminder that decentralization isn’t always a shield against wrongdoing.
