Inside North Korea’s Favorite Crypto Laundering Tool: THORChain

John-Paul Thorbjornsen, a former Australian Air Force pilot turned crypto entrepreneur, has spent recent weeks promoting his new crypto wallet, “Vultisig.” Built on THORChain — a blockchain he founded to allow crypto swaps without intermediaries — the wallet’s main selling point is that it’s harder to hack than similar apps.

Recently, Vultisig — along with the THORChain network itself — has seen a spike in activity, but security experts have traced the growth to a troubling source: North Korea’s Lazarus hacking group.

Following February’s $1.4 billion hack of crypto exchange Bybit — the largest cyber heist in history — THORChain emerged as central to North Korea’s laundering operations. Researchers have tracked nearly $1.2 billion — or 85%— of the stolen funds through the network, which has become the Kim regime’s primary tool for moving crypto between blockchains.

Unlike some other blockchain services, THORChain’s operators have refused to block transactions linked to the Bybit heist, despite requests from the FBI and other government agencies. THORChain wallets like Asgardex and Vultisig — tools that most people use to transact on the network — haven’t budged, either.

According to estimates from blockchain security researchers who spoke to CoinDesk, THORChain’s major wallet developers and validators — many publicly identified and based in jurisdictions with strict anti-money-laundering regulations, including the U.S. — have earned over $12 million in fees connected to the heist.

Thorbjornsen, known publicly as JP Thor, insists he is no longer involved in THORChain’s daily operations yet remains its most visible advocate. “The protocol keeps running and swapping despite chaos,” he told CoinDesk. “It’s doing great, actually.”

The U.S. Office of Foreign Assets Control (OFAC) has previously sanctioned blockchain services used in connection with money laundering, such as the mixer app Tornado Cash (which has since been delisted after a court ruling) and Bitzlato, an exchange. Prosecutors have also charged operators behind similar platforms.

For legal experts and the crypto community, whether THORChain — a layer-1 blockchain — should be treated differently than these other services revives a fundamental debate faced by virtually all crypto platforms: Is the network truly decentralized?

Critics argue it isn’t — at least in comparison to popular blockchains like Bitcoin and Ethereum, which have earned less scrutiny for facilitating illicit transactions. THORChain’s supporters “claim it’s decentralized when convenient, yet they’re profiting from this [Bybit hack],” said blockchain security researcher Taylor Monahan. “It’s a really bad look.”

THORChain’s transaction fees — particularly those earned by its wallet apps, which are maintained by small developer teams — further complicate its defense. According to a former U.S. Treasury Department official, “Anybody making money on fees related to the movement of hacked funds that have already been publicly attributed to Lazarus and North Korea potentially has an OFAC issue.”

Even some of THORChain’s most vocal supporters have grown concerned. “When the huge majority of your flows are stolen funds from North Korea for the biggest money heist in human history, it will become a national security issue,” cautioned a THORChain developer known as “TCB” on X. “[T]his isn’t a game anymore.”

Biggest hack in history

February’s hack of Bybit, a major Dubai-based crypto exchange, was large even by the standards of the Lazarus group — the elite North Korean cyber unit behind most of the largest crypto heists of the past decade.

The hack took place after Bybit’s founder was tricked into interacting with a website that Lazarus had compromised. The mistake granted the hackers access to some of Bybit’s primary Ethereum wallets. They stole $1.4 billion worth of ether (ETH) tokens from the exchange.

North Korea’s launderers, well-practiced after years of big-money crypto heists, immediately began splitting their record-breaking haul across a series of fresh crypto wallets — the first step in a complex journey designed to convert dirty crypto into clean cash.

“DPRK uses advanced technical capabilities to launder cryptocurrency,” explained Andrew Fierman, the head of national security intelligence at Chainalysis. After moving the funds “through an extensive number of intermediary wallets,” the launderers use “cross-chain bridges in order to move the stolen funds across various different assets, such as Bitcoin, Ethereum, Tron, Solana and others.”

THORChain proved essential to the bridging stage, serving as a go-between for swapping tokens across blockchains — often repeatedly, to throw investigators off their trail.

“Before ThorChain existed, there was no way to swap from Ethereum to Bitcoin without getting frozen,” explained Monahan, a security researcher at MetaMask.

Centralized swap services — including crypto exchanges like Coinbase and Binance — require users to register their accounts and risk having illicit funds seized. Most decentralized services, meanwhile, lack the liquidity to support transactions on the scale of the Lazarus group.

Put on notice

On the day after the Bybit hack, THORChain’s daily swap volume exceeded $529 million — its biggest trading day ever, according to data from DeFiLlama. Volumes continued climbing for days afterward, generating millions of dollars in fees for THORChain’s validators, liquidity providers and wallet services.

On February 27, the FBI circulated a list of DPRK-linked blockchain addresses and urged “private sector entities including RPC node operators, exchanges, bridges, blockchain analytics firms, DeFi services, and other virtual asset service providers to block transactions with or derived from [them].”

By this point, many of the other crypto tools used by North Korea’s launderers had already begun blocking heist-linked activity.

Tether, the largest stablecoin operator, eventually froze $9 million linked to the heist, and Mantle, a layer-2 blockchain connected to Ethereum, froze $41 million more. One platform — a decentralized exchange operated by the company OKX — paused its services altogether.

For a moment, THORChain seemed like it might follow suit. In response to the FBI’s notice, a group of THORChain validators coordinated to halt Ethereum swaps on the protocol — a move intended to slow the outflow of illicit funds. But the pause lasted just 30 minutes before it was rolled back following community pushback.

“There is no proof, nor can there be, that any signed and propagated transaction is from a specific geographical location,” Thorbjornsen told CoinDesk, arguing that any links between THORChain and North Korea are “alleged” since the network’s users are not forced to register themselves.

The pause reversal proved to be a breaking point for some in the THORChain community. “Effective immediately, I will no longer be contributing to THORChain,” the protocol’s lead developer, known as “Pluto,” wrote in an X post.

Decentralization theater?

Thorbjornsen and others maintain that THORChain should be treated as a decentralized protocol like Bitcoin or Ethereum, neither of which blocked transactions following the Bybit heist.

They point to its community of more than 100 validators — computers that verify transactions — as evidence that no single entity controls the system.

THORChain’s governance model relies on these validators who stake the network’s native RUNE token to participate in consensus and earn rewards. In theory, major protocol decisions require approval from a supermajority of these validators, creating a distributed power structure resistant to centralized control.

Critics, however, argue the network is not nearly as decentralized as claimed. In January, a single developer paused the network during a liquidity crisis — an action that should have required validator consensus if the system were more decentralized.

When THORChain was involved in previous North Korean laundering operations, “we were told there was nothing they could do about the illicit funds,” said Monahan. “The entire time, JP had a single private key that had control over the entire system.”

Thorbjornsen concedes the chain was paused by an administrative keyholder at a moment when THORChain was facing an “existential” threat. However, Thorbjornsen said the pause was initiated by a keyholder with the pseudonym “Leena.”

Thorbjornsen created the Leena account early in THORChain’s development and initially used it to hide his real identity. He now says the Leena account is no longer solely controlled by him, and someone else paused the chain in accordance with acceptable security procedures.

For Thorbjornsen, the debate over who controlled the admin key misses the larger point.

“In the first couple years of Bitcoin existing, you could have easily made the case that Bitcoin was completely centralized,” he told CoinDesk, pointing to an instance in 2010 where Satoshi upgraded the original blockchain to fix a major bug.

“Decentralization is earned, and it’s earned by years of being in the arena and proving it,” Thorbjornsen said. “All of these things like the pause and the unpause … this is all part of the journey of decentralization.”

Business as usual

On March 1, THORChain’s biggest day of trading following the Bybit heist, the network recorded over $1 billion in swaps, more than it typically processes in an entire month.

The activity was a boon for THORChain’s infrastructure providers — wallet services and validators who take a cut of each transaction on the network.

According to blockchain forensics firm Chainalysis, THORChain node operators earned at least $12 million in fees connected to the Bybit heist. Chainalysis called its estimate “conservative.”

According to legal experts, these fees are what could ultimately get THORChain’s operators into trouble. A former U.S. Treasury Department official warned in an interview with CoinDesk that “a lot of this just comes down to the question of who’s making money: Is it a concentrated set of people, and is it relatively knowable that [the funds] are from bad actors?”

Wallet apps like Vultisig and Asgardex have earned special scrutiny from legal and security experts, since “frontend” applications used to interact with blockchains are generally considered more centralized than blockchains themselves.

Asgardex, one of the more popular THORChain wallets, earned $1 million from Bybit-linked transactions, according to Monahan. “The reason why you use Asgardex” as opposed to other THORChain wallets “is because you don’t want tracking — you don’t want filtering or anything,” said Thorbjornsen, who helped develop the program.

Thorbjornsen says he no longer has an operational or financial stake in Asgardex, which is open-source and can technically be re-programmed by its users to operate without fees. However, he has recently actively promoted VultiSig, his new hack-resistant THORChain wallet.

On March 20, Thorbjornsen boasted in an X post that more people than ever were using the app: “Vultisig swaps have collected $200k in revenue so far!” ZachXBT, a crypto sleuth known for investigating North Korea’s cyber operations, responded by pointing out that “a good chunk of that revenue is being generated from the Bybit hack.”

“Vultisig is not a chain,” ZachXBT said. “[T]hey operate a centralized interface for users to interact with protocols for a fee.”

On April 16, Vultisig is launching its official crypto token: VULT. The token will be distributed for free to some of the wallet’s most loyal users.