THORChain co-founder identified as victim in $1.2 million hack linked to North Korea

Source: Cryptopolitan

Sep 12, 2025 12:00

A personal wallet allegedly belonging to a co-founder of THORChain has been compromised, resulting in a loss of over $1.2 million, according to the security tracker PeckShield. The protocol has denied previous reports on social platforms claiming that the breach affected its entire network.

The Web3 security platform ExVul Defender posted on X on Friday that the attacker began moving funds two days ago. They apparently obtained initial liquidity from a mixer before interacting with the THORChain network, making their first transactions at 06:41:47 AM UTC on Wednesday.

Correction: This incident involved the exploitation of a user's personal wallet, and is not related to @THORChain. 🙏

— THORChain (@THORChain) September 12, 2025

The wallet address, along with THORChain, has issued three bounty offers on Etherscan within two days following the hack, but so far the attacker has not responded.

ZachXBT: The victim is JP, co-founder of THORChain

In response to PeckShield's alert post on X, blockchain security researcher ZachXBT identified the victim as John-Paul Thorbjornsen, also known as JP, co-founder of both THORChain and the Vultisig wallet application.

The wallet likely belongs to @jpthor, who had a compromised private wallet due to a fake meeting scam a few days ago.

JP is one of the people who has economically benefited from the laundering of hacks/exploits from DPRK.

So it's a bit poetic that it was shattered here by DPRK. pic.twitter.com/T57RRJ0bbf

— ZachXBT (@zachxbt) September 12, 2025

According to ZachXBT, JP's personal wallet was emptied of approximately $1.35 million during a Telegram meeting call scam orchestrated by North Korean hackers on Tuesday.

JP, and platforms linked to him, have previously been associated with financial benefits arising from money laundering activities linked to hacks from North Korea, including the exploit of $1.5 billion in Ethereum tokens carried out at the end of February.

“JP is one of the people who has financially benefited from the laundering of hacks and exploits from the DPRK,” wrote ZachXBT. “So it's a bit poetic that he has been wrecked here by the DPRK.”

The blockchain records from September 9 reveal a series of fund movements from the theft address, which may have been an attempt to cover up the money trail. The first transfer involved 6,233,015 THORChain tokens, which were moved out of the compromised wallet three days ago.

Almost immediately afterwards, another transaction placed 6,233,180 tokens in an address marked as “Fake_Phishing1347722”, a label associated with money laundering and phishing-related obfuscation.

Still within the day, the attacker moved 6,333,180 tokens through THORChain, followed by another 6,333,333 tokens, possibly cycling large amounts to different addresses, along with a smaller payment of 1,250,000 tokens.

The largest group of stolen funds, amounting to 2,778,345 tokens, finally reached the Kyber protocol, likely exchanged to create layers of separation from the original source.

Currently, most of the stolen funds worth $1.218 million are in 0x7abc09ab94d6015053f8f41b01614bb6d1cc7647, said ZachXBT on his research Telegram channel.

Did THORChain benefit from the laundering of the hack?

Arkham Intelligence data shows that the hackers behind the February attack moved at least 209,384 ETH, valued at approximately $480 million, to Bitcoin. This represented more than 50% of the approximately 400,000 ETH stolen.

Blockchain researchers tracked nearly $1.2 billion in illicit crypto, approximately 85% of the lost funds, moving through THORChain. In the early days of the incident, at least $240 million of the proceeds were laundered through THORChain and converted to BTC, Arkham reported.

Some competitors collaborated with authorities to restrict suspicious transactions, but the operators of THORChain did little or nothing to block addresses, despite formal requests from the FBI and other agencies. Wallet applications built on the network, including Asgardex and Vultisig, continued processing activity without interruption.

Blockchain security firms suggested that network validators and wallet developers, many of whom are publicly identifiable and operate in jurisdictions with strict anti-money laundering requirements, claimed fees of over $12 million for laundering the funds.

“The protocol continues to function and exchange despite the chaos. In fact, it is working very well,” Thorbjornsen reportedly said, defending his operations. At that time, THORChain recorded its largest trading day, with over $737 million in tokens exchanged across the network.
