John-Paul Thorbjornsen, a former pilot with the Australian Air Force who has ventured into the cryptocurrency realm, has recently been advocating for his new crypto wallet named “Vultisig.” Developed on THORChain — a blockchain he initially established to facilitate direct crypto swaps without the need for intermediaries — this wallet claims to offer enhanced protection against hacking compared to similar applications.
In recent weeks, Vultisig and the THORChain network have experienced a notable increase in user activity. However, cybersecurity experts have identified a concerning trend: this growth can be linked to North Korea’s Lazarus hacking group.
After a staggering $1.4 billion breach at the cryptocurrency exchange Bybit in February — the largest cyber theft on record — THORChain has become pivotal in the laundering operations orchestrated by North Korea. Analysts have followed almost $1.2 billion, or 85% of the pilfered assets, through THORChain, which has turned into a primary instrument for the Kim government in moving cryptocurrencies across various blockchains.
Unlike some other blockchain platforms, THORChain’s operators have declined to halt transactions tied to the Bybit breach, notwithstanding appeals from the FBI and other agencies. Similarly, wallets like Vultisig and Asgardex, which are commonly employed for transactions within the network, have not taken action.
As blockchain security experts point out, developers and validators associated with THORChain — many of whom are in jurisdictions with stringent anti-money laundering laws, like the U.S. — are estimated to have accrued over $12 million in fees related to the heist.
Thorbjornsen, publicly known as JP Thor, claims he no longer actively manages THORChain but remains a prominent figure representing it. “The protocol continues to function and execute trades despite the turmoil,” he mentioned. “It’s actually performing quite well.”
The U.S. Office of Foreign Assets Control (OFAC) has previously imposed sanctions on blockchain services implicated in money laundering activities, including the mixer service Tornado Cash (which was removed following a judicial ruling) and the exchange Bitzlato. Legal actions have also been taken against the operators of similar platforms.
This situation has reignited a crucial debate within the legal community and the cryptocurrency sector: Should THORChain, regarded as a layer-1 blockchain, be viewed differently from other applications? A key question persists: Is the network authentically decentralized?
Critics contend that THORChain does not have the same level of decentralization as prominent blockchains like Bitcoin and Ethereum, which have faced less scrutiny for facilitating illegal transactions. As blockchain security analyst Taylor Monahan put it, “They assert it’s decentralized when it suits them, yet they’re profiting from this [Bybit heist]. It’s a poor image.”
Moreover, THORChain’s transaction fees — particularly those acquired by its wallet applications, supported by relatively small development teams — complicate its rebuttals. A former U.S. Treasury official warned that “Anyone profiting from transaction fees associated with the movement of stolen assets supposedly linked to Lazarus and North Korea may face potential OFAC concerns.”
Even within THORChain’s supportive camp, concerns are growing. A developer known as “TCB” remarked, “When the vast majority of your transactions originate from stolen funds related to the most significant theft in history, it elevates to a national security concern. This isn’t just a game anymore.”
The Largest Heist in History
The February incident involving Bybit was significant, even by the standards of the Lazarus group, the elite team behind many of the decade’s largest crypto thefts.
The hack occurred after Bybit’s founder was misled into engaging with a compromised website, which granted hackers access to key Ethereum wallets and allowed them to siphon off $1.4 billion worth of ether (ETH) from the platform.
North Korea’s launderers, adept due to years of high-stakes crypto heists, promptly began distributing their unprecedented take across numerous new crypto wallets as a preliminary measure in a complex scheme to legitimize illicit funds.
“The DPRK harnesses advanced technical methods to launder cryptocurrency,” Andrew Fierman, head of national security intelligence at Chainalysis, explained. After routing the funds through numerous intermediary wallets, the launderers utilize “cross-chain bridges to transfer stolen assets across various cryptocurrencies like Bitcoin, Ethereum, Tron, Solana, among others.”
THORChain has been crucial during this bridging phase, acting as an intermediary for swapping tokens across different blockchains — often repeating the process to mislead investigators.
Monahan noted, “Prior to THORChain’s existence, swapping Ethereum for Bitcoin without the risk of being flagged was impossible.”
Centralized exchange services like those from Coinbase and Binance necessitate user registration, increasing the risk of confiscation of illicit funds. On the other hand, many decentralized services are typically devoid of the liquidity needed for transactions of such scale.
On Alert
The day after the Bybit breach, THORChain recorded a daily swap volume surpassing $529 million — marking its biggest trading day to date, according to data from DeFiLlama. The figures continued to rise for several days, earning substantial fees for THORChain’s validators, liquidity providers, and wallet services.
On February 27, the FBI disseminated a list of blockchain addresses associated with North Korea and encouraged “private sector entities, including RPC node operators, exchanges, bridges, blockchain analytics firms, DeFi services, and other virtual asset service providers to block transactions related to these addresses.”
By then, many other crypto platforms utilized by North Korea’s launderers had already taken steps to restrict activity tied to the heist.
Tether, the leading stablecoin, eventually froze $9 million linked to the breach, while Mantle, a layer-2 blockchain associated with Ethereum, froze an additional $41 million. One exchange, a decentralized platform operated by OKX, suspended services entirely.
For a moment, it appeared THORChain might consider a similar approach. In response to the FBI’s alert, a cohort of THORChain validators worked together to temporarily suspend Ethereum swaps on the protocol, intending to curb the outflow of illicit funds. However, this pause lasted only 30 minutes before being reversed in light of community backlash.
“There’s no definitive proof, nor could there be, that any transaction is from a particular geographical area,” Thorbjornsen remarked, claiming that any alleged ties between THORChain and North Korea are merely speculative since users aren’t mandated to register.
The reversal of the suspension marked a critical moment for some within the THORChain community. “Effective immediately, I will no longer contribute to THORChain,” stated the protocol’s lead developer, referred to as “Pluto,” in a post on X.
Is It Decentralization Theater?
Thorbjornsen and others uphold that THORChain should be regarded as a decentralized protocol, akin to Bitcoin or Ethereum, both of which didn’t obstruct transactions that followed the Bybit breach.
The presence of over 100 validators — machines that authenticate transactions — is cited as evidence that no single entity monopolizes the system.
THORChain’s governance structure hinges on these validators staking its native RUNE token to join in consensus and reap rewards. In principle, significant protocol choices necessitate a supermajority approval from these validators, fostering a distributed power network that counters centralized authority.
Opponents, however, assert that the network’s decentralization claims are exaggerated. In January, during a liquidity crunch, an individual developer paused the entire network — a move that ideally should have mandated validator consensus if true decentralization were in effect.
Past instances of THORChain’s involvement in North Korean laundering operations revealed a lack of action regarding illicit funds, according to Monahan. “We were repeatedly told they couldn’t preclude the movement of these funds,” he noted, adding, “Through it all, JP maintained a sole private key that governed the entire system.”
Thorbjornsen confirmed that the chain was paused by an administrative keyholder at a moment THORChain faced an “existential” peril. However, he stated that the pause was initiated by someone operating under the pseudonym “Leena.”
This Leena account was originally created by Thorbjornsen to conceal his true identity during THORChain’s inception. He now claims it is under shared control. A different individual halted the chain in alignment with accepted security measures.
For Thorbjornsen, the ongoing discourse about admin key ownership overlooks a vital perspective.
“In Bitcoin’s initial years, one could argue it was entirely centralized,” he commented, referencing a case from 2010 where Satoshi subjugated the original blockchain following a major bug fix.
“Decentralization is a process earned through time and effort,” he emphasized. “All these pauses and restarts are part of the decentralization journey.”
Business as Usual
On March 1, coinciding with a record trading day after the Bybit breach, THORChain registered over $1 billion in swaps, exceeding its usual monthly transaction volume.
This spike benefited THORChain’s infrastructure providers — the wallet services and validators who take a portion from each transaction made on the platform.
According to the blockchain analysis company Chainalysis, THORChain’s node operators amassed at least $12 million in fees corresponding to the Bybit heist, which the company identified as a “conservative estimate.”
Legal experts believe that these fees could ultimately put THORChain’s operators at risk. A former U.S. Treasury official cautioned, stating that “a lot of this depends on who’s benefiting: Is it a concentrated group, and can it be clearly shown that these funds are linked to illicit activities?”
Wallet applications like Vultisig and Asgardex have attracted particular attention from legal and cybersecurity professionals, as “frontend” applications that interact with blockchains are typically deemed more centralized than the blockchains themselves.
The Asgardex wallet, popular among THORChain users, reportedly earned $1 million from transactions linked to Bybit. “The reason you choose Asgardex over other wallets is to avoid tracking and filtering,” Thorbjornsen, a contributor to its development, explained.
He’s adamant about no longer holding an operational or financial interest in Asgardex, which is open-source and technically could be adapted by users to function without any fees. Nevertheless, he has been actively promoting Vultisig, his latest hack-resistant THORChain wallet.
On March 20, Thorbjornsen announced in an X post that Vultisig’s user base was expanding: “Vultisig swaps have generated $200k in revenue to date!” Responding to this, ZachXBT, a crypto investigator recognized for scrutinizing North Korea’s cyber activities, pointed out that “a significant portion of that revenue is sourced from the Bybit hack.”
“Vultisig is not a chain,” added ZachXBT. “[T]hey provide a centralized interface for users to engage with protocols for a fee.”
On April 16, Vultisig will unveil its official cryptocurrency token: VULT, which will be distributed for free to some of the wallet’s most loyal users.