John-Paul Thorbjornsen, a former Australian Air Force pilot turned crypto entrepreneur, has spent recent weeks promoting his new crypto wallet, โVultisig.โ Built on THORChain โ a blockchain he founded to allow crypto swaps without intermediaries โ the walletโs main selling point is that itโs harder to hack than similar apps.
Recently, Vultisig โ along with the THORChain network itself โ has seen a spike in activity, but security experts have traced the growth to a troubling source: North Koreaโs Lazarus hacking group.
Following Februaryโs $1.4 billion hack of crypto exchange Bybit โ the largest cyber heist in history โ THORChain emerged as central to North Koreaโs laundering operations. Researchers have tracked nearly $1.2 billion โ or 85%โ of the stolen funds through the network, which has become the Kim regimeโs primary tool for moving crypto between blockchains.
Unlike some other blockchain services, THORChainโs operators have refused to block transactions linked to the Bybit heist, despite requests from the FBI and other government agencies. THORChain wallets like Asgardex and Vultisig โ tools that most people use to transact on the network โ havenโt budged, either.
According to estimates from blockchain security researchers who spoke to CoinDesk, THORChainโs major wallet developers and validators โ many publicly identified and based in jurisdictions with strict anti-money-laundering regulations, including the U.S. โ have earned over $12 million in fees connected to the heist.
Thorbjornsen, known publicly as JP Thor, insists he is no longer involved in THORChainโs daily operations yet remains its most visible advocate. โThe protocol keeps running and swapping despite chaos,โ he told CoinDesk. โItโs doing great, actually.โ
The U.S. Office of Foreign Assets Control (OFAC) has previously sanctioned blockchain services used in connection with money laundering, such as the mixer app Tornado Cash (which has since been delisted after a court ruling) and Bitzlato, an exchange. Prosecutors have also charged operators behind similar platforms.
For legal experts and the crypto community, whether THORChain โ a layer-1 blockchain โ should be treated differently than these other services revives a fundamental debate faced by virtually all crypto platforms: Is the network truly decentralized?
Critics argue it isnโt โ at least in comparison to popular blockchains like Bitcoin and Ethereum, which have earned less scrutiny for facilitating illicit transactions. THORChainโs supporters โclaim itโs decentralized when convenient, yet theyโre profiting from this [Bybit hack],โ said blockchain security researcher Taylor Monahan. โItโs a really bad look.โ
THORChainโs transaction fees โ particularly those earned by its wallet apps, which are maintained by small developer teams โ further complicate its defense. According to a former U.S. Treasury Department official, โAnybody making money on fees related to the movement of hacked funds that have already been publicly attributed to Lazarus and North Korea potentially has an OFAC issue.โ
Even some of THORChainโs most vocal supporters have grown concerned. โWhen the huge majority of your flows are stolen funds from North Korea for the biggest money heist in human history, it will become a national security issue,โ cautioned a THORChain developer known as โTCBโ on X. โ[T]his isnโt a game anymore.โ
Biggest hack in history
Februaryโs hack of Bybit, a major Dubai-based crypto exchange, was large even by the standards of the Lazarus group โ the elite North Korean cyber unit behind most of the largest crypto heists of the past decade.
The hack took place after Bybitโs founder was tricked into interacting with a website that Lazarus had compromised. The mistake granted the hackers access to some of Bybitโs primary Ethereum wallets. They stole $1.4 billion worth of ether (ETH) tokens from the exchange.
North Koreaโs launderers, well-practiced after years of big-money crypto heists, immediately began splitting their record-breaking haul across a series of fresh crypto wallets โ the first step in a complex journey designed to convert dirty crypto into clean cash.
โDPRK uses advanced technical capabilities to launder cryptocurrency,โ explained Andrew Fierman, the head of national security intelligence at Chainalysis. After moving the funds โthrough an extensive number of intermediary wallets,โ the launderers use โcross-chain bridges in order to move the stolen funds across various different assets, such as Bitcoin, Ethereum, Tron, Solana and others.โ
THORChain proved essential to the bridging stage, serving as a go-between for swapping tokens across blockchains โ often repeatedly, to throw investigators off their trail.
โBefore ThorChain existed, there was no way to swap from Ethereum to Bitcoin without getting frozen,โ explained Monahan, a security researcher at MetaMask.
Centralized swap services โ including crypto exchanges like Coinbase and Binance โ require users to register their accounts and risk having illicit funds seized. Most decentralized services, meanwhile, lack the liquidity to support transactions on the scale of the Lazarus group.
Put on notice
On the day after the Bybit hack, THORChainโs daily swap volume exceeded $529 million โ its biggest trading day ever, according to data from DeFiLlama. Volumes continued climbing for days afterward, generating millions of dollars in fees for THORChainโs validators, liquidity providers and wallet services.
On February 27, the FBI circulated a list of DPRK-linked blockchain addresses and urged โprivate sector entities including RPC node operators, exchanges, bridges, blockchain analytics firms, DeFi services, and other virtual asset service providers to block transactions with or derived from [them].โ
By this point, many of the other crypto tools used by North Koreaโs launderers had already begun blocking heist-linked activity.
Tether, the largest stablecoin operator, eventually froze $9 million linked to the heist, and Mantle, a layer-2 blockchain connected to Ethereum, froze $41 million more. One platform โ a decentralized exchange operated by the company OKX โ paused its services altogether.
For a moment, THORChain seemed like it might follow suit. In response to the FBIโs notice, a group of THORChain validators coordinated to halt Ethereum swaps on the protocol โ a move intended to slow the outflow of illicit funds. But the pause lasted just 30 minutes before it was rolled back following community pushback.
โThere is no proof, nor can there be, that any signed and propagated transaction is from a specific geographical location,โ Thorbjornsen told CoinDesk, arguing that any links between THORChain and North Korea are โallegedโ since the networkโs users are not forced to register themselves.
The pause reversal proved to be a breaking point for some in the THORChain community. โEffective immediately, I will no longer be contributing to THORChain,โ the protocolโs lead developer, known as โPluto,โ wrote in an X post.
Decentralization theater?
Thorbjornsen and others maintain that THORChain should be treated as a decentralized protocol like Bitcoin or Ethereum, neither of which blocked transactions following the Bybit heist.
They point to its community of more than 100 validators โ computers that verify transactions โ as evidence that no single entity controls the system.
THORChainโs governance model relies on these validators who stake the networkโs native RUNE token to participate in consensus and earn rewards. In theory, major protocol decisions require approval from a supermajority of these validators, creating a distributed power structure resistant to centralized control.
Critics, however, argue the network is not nearly as decentralized as claimed. In January, a single developer paused the network during a liquidity crisis โ an action that should have required validator consensus if the system were more decentralized.
When THORChain was involved in previous North Korean laundering operations, โwe were told there was nothing they could do about the illicit funds,โ said Monahan. โThe entire time, JP had a single private key that had control over the entire system.โ
Thorbjornsen concedes the chain was paused by an administrative keyholder at a moment when THORChain was facing an โexistentialโ threat. However, Thorbjornsen said the pause was initiated by a keyholder with the pseudonym โLeena.โ
Thorbjornsen created the Leena account early in THORChainโs development and initially used it to hide his real identity. He now says the Leena account is no longer solely controlled by him, and someone else paused the chain in accordance with acceptable security procedures.
For Thorbjornsen, the debate over who controlled the admin key misses the larger point.
โIn the first couple years of Bitcoin existing, you could have easily made the case that Bitcoin was completely centralized,โ he told CoinDesk, pointing to an instance in 2010 where Satoshi upgraded the original blockchain to fix a major bug.
โDecentralization is earned, and itโs earned by years of being in the arena and proving it,โ Thorbjornsen said. โAll of these things like the pause and the unpause โฆ this is all part of the journey of decentralization.โ
Business as usual
On March 1, THORChainโs biggest day of trading following the Bybit heist, the network recorded over $1 billion in swaps, more than it typically processes in an entire month.
The activity was a boon for THORChainโs infrastructure providers โ wallet services and validators who take a cut of each transaction on the network.
According to blockchain forensics firm Chainalysis, THORChain node operators earned at least $12 million in fees connected to the Bybit heist. Chainalysis called its estimate โconservative.โ
According to legal experts, these fees are what could ultimately get THORChainโs operators into trouble. A former U.S. Treasury Department official warned in an interview with CoinDesk that โa lot of this just comes down to the question of whoโs making money: Is it a concentrated set of people, and is it relatively knowable that [the funds] are from bad actors?โ
Wallet apps like Vultisig and Asgardex have earned special scrutiny from legal and security experts, since โfrontendโ applications used to interact with blockchains are generally considered more centralized than blockchains themselves.
Asgardex, one of the more popular THORChain wallets, earned $1 million from Bybit-linked transactions, according to Monahan. โThe reason why you use Asgardexโ as opposed to other THORChain wallets โis because you donโt want tracking โ you donโt want filtering or anything,โ said Thorbjornsen, who helped develop the program.
Thorbjornsen says he no longer has an operational or financial stake in Asgardex, which is open-source and can technically be re-programmed by its users to operate without fees. However, he has recently actively promoted VultiSig, his new hack-resistant THORChain wallet.
On March 20, Thorbjornsen boasted in an X post that more people than ever were using the app: โVultisig swaps have collected $200k in revenue so far!โ ZachXBT, a crypto sleuth known for investigating North Koreaโs cyber operations, responded by pointing out that โa good chunk of that revenue is being generated from the Bybit hack.โ
โVultisig is not a chain,โ ZachXBT said. โ[T]hey operate a centralized interface for users to interact with protocols for a fee.โ
On April 16, Vultisig is launching its official crypto token: VULT. The token will be distributed for free to some of the walletโs most loyal users.
Read More: www.coindesk.com
Bitcoin 
Ethereum 
Tether 
XRP 
BNB 
Solana 
USDC 
Dogecoin 
Cardano 
TRON 
Lido Staked Ether 
Wrapped Bitcoin 
Sui 
Chainlink 
Avalanche 
Stellar 
LEO Token 
Shiba Inu 
Hedera 
Toncoin 
Wrapped stETH 
USDS 
Bitcoin Cash 
Litecoin 
Polkadot 
Hyperliquid 
Binance Bridged USDT (BNB Smart Chain) 
Bitget Token 
WETH 
Ethena USDe 
Pi Network 
WhiteBIT Coin 
Monero 
Wrapped eETH 
Pepe 
Coinbase Wrapped BTC 
Uniswap 
Aptos 
Dai 
OKB 
Ondo 
NEAR Protocol 
Official Trump 
Bittensor 
Internet Computer 
Gate 
sUSDS 
Kaspa 
Ethereum Classic 
Tokenize Xchange