THORChain Under Scrutiny: DeFi’s Role in Criminal Activity

The controversy surrounding THORChain began with the $1.4 billion exploit on Bybit. North Korean state-backed hackers, identified as the Lazarus Group, quickly flocked to the protocol to convert their stolen Ether (ETH) to Bitcoin. Despite the serious allegations of money laundering, THORChain’s supporters defended the protocol by emphasizing its focus on decentralization while critics pointed to the protocol’s increased centralization.

The Lazarus Group converted their Ether within just 10 days of the hack, highlighting the speed and efficiency of the protocol. The episode immediately triggered internal conflict, governance cracks, and developer resignations, raising a fundamental question: Can DeFi remain neutral when criminals exploit it at scale?

Crucially, THORChain isn’t a traditional mixer. It’s a decentralized swap protocol, and some therefore argue it’s unfair to classify it as a laundering machine, as the output is traceable. Mixers aim to conceal cryptocurrency fund trails to preserve user privacy, even when illicit purposes are involved; THORChain’s swaps, by contrast, are fully transparent.

Federico Paesano, Crystal Intelligence’s investigations lead, argued that the claim of “laundering” by the Lazarus Group is misleading because there’s been no concealment, only conversion. The stolen ETH has been swapped for BTC using various providers, and every swap is fully traceable.

Hackers also utilized Uniswap and OKX DEX, but THORChain became the focal point of scrutiny due to its significant role in the massive fund flow. A March 4th X post by Bybit CEO Ben Zhou confirmed that 72% of the stolen funds (361,255 ETH) passed through THORChain, considerably exceeding activity on other DeFi platforms.

A truly decentralized platform’s strength lies in its neutrality and censorship-resistance—foundational to blockchain’s value proposition, according to Rachel Lin, SynFutures’ CEO. “The line between decentralization and responsibility can evolve with technology,” Lin stated. “While human intervention contradicts decentralization’s ethos, protocol-level innovations could automate safeguards against illicit activity.”

Following the exploit, THORChain collected at least $5 million in fees from the transactions, a windfall for a project struggling with financial instability. This financial benefit fueled criticism, with some questioning whether THORChain’s reluctance to intervene reflected ideological priorities or pragmatic considerations.

Governance cracks surfaced as decentralization became a shield. In an attempt to stop the hackers, three validators voted to halt ETH trading, effectively preventing the conversion. However, four validators quickly overturned the decision. This exposed a contradiction in THORChain’s governance model: the protocol claims to be inherently decentralized, yet it previously intervened to pause its lending feature due to insolvency risks, while swapping remained operational.

Some crypto community members challenged this approach, arguing that it was selective decentralization, where governance interventions occurred only when perceived as necessary. Pluto, a key THORChain developer, resigned. TCB, another developer, who identified themselves as one of the three validators who voted to halt ETH trading, hinted at leaving unless governance issues were addressed.

ZachXBT, a prominent blockchain investigator, criticized Asgardex, a THORChain-based decentralized exchange, for not returning fees earned from the hackers, while other protocols reportedly refunded ill-gotten gains. THORChain founder John-Paul Thorbjornsen responded by claiming that centralized exchanges pocket millions by facilitating illicit transactions unless pressured by authorities. “Do we get ETH and BTC nodes to give back their transaction fees? What about GETH or BTCCore devs—who write the software, funded by grants/donations?”

The controversy escalated, increasing regulatory risks for THORChain of the kind previously demonstrated with privacy tools like Tornado Cash. Tornado Cash, a widely known crypto mixer, was sanctioned by the US Treasury in 2022 after being used to launder billions of dollars, though the sanctions were later overturned by a US court. Similarly, Railgun came under FBI scrutiny in 2023 after North Korean hackers used it to move $60 million in stolen Ether.

SynFutures’ Chen Feng highlighted the importance of balancing user privacy with built-in safeguards. “Critics often claim that privacy-focused projects enable crime, but in reality, protecting financial privacy is a fundamental right and a cornerstone of decentralized innovation,” he argued. “Technologies like ZK-proofs and trusted execution environments can secure user data without obscuring illicit activity entirely. Through optional transparency measures and robust on-chain forensics, suspicious patterns can still be detected. The goal is to strike a balance: empower users with privacy while ensuring the system has built-in safeguards to discourage and trace illicit use.”

Lin of SynFutures emphasized that continued illicit use of decentralized protocols would “absolutely” lead to escalated measures from authorities. “Governments will likely escalate measures if they perceive decentralized protocols as systemic risks. This could include sanctioning protocol addresses, pressuring infrastructure providers, blacklisting entire networks or going after the builders.”

If regulators decide to crack down, the consequences could be severe. Sanctions on THORChain’s validators, front-end service, and liquidity providers could cripple its ecosystem, while major exchanges might delist RUNE, cutting off its access to liquidity. There’s also the possibility of legal action against developers, as seen in the Tornado Cash case, or pressure to introduce compliance measures like sanctioned address filtering — something that would contradict THORChain’s decentralized ethos and alienate its core user base.

Ultimately, THORChain’s entanglement with North Korean hackers has placed it at a crossroads. The protocol must decide whether to take action now or risk having regulators step in to make that decision for it. For now, the protocol remains firm in its laissez-faire approach, but history suggests DeFi projects that ignore illicit activity don’t stay untouchable forever.
