John-Paul Thorbjornsen, a former Royal Australian Air Force pilot turned cryptocurrency entrepreneur, has been the focus of attention in recent weeks due to his promotion of “Vultisig,” a new crypto wallet he has developed. Built on THORChain, a blockchain platform he also developed to facilitate direct cryptocurrency swaps, Vultisig promises higher security than other wallets in the market. However, the recent spike in activity on the THORChain network, and by extension Vultisig, has been traced by security experts to an alarming source – North Korea’s infamous Lazarus hacking group.
The Lazarus group was responsible for the recent hack of Bybit, a cryptocurrency exchange platform, where a staggering $1.4 billion was stolen in what is now deemed the largest cyber heist in history. A significant portion of the stolen funds, approximately 85% or $1.2 billion, was traced through the THORChain network. This has led to the speculation that the Kim Jong Un-led regime is using THORChain as a primary tool to move crypto funds across different blockchains.
Despite requests from the FBI and other government agencies to block the transactions connected to the Bybit heist, THORChain’s operators have refused to comply. THORChain wallets such as Asgardex and Vultisig, which are the primary tools people use to transact on the network, also remain unaffected. This has raised concerns among blockchain security researchers who estimate that THORChain’s wallet developers and validators have raked in over $12 million in fees related to the heist.
Thorbjornsen, also known as JP Thor, claims he has no longer involved in the daily operations of THORChain, despite being its most visible advocate. “The protocol keeps running and swapping despite chaos. It’s doing great, actually,” he said in an interview with CoinDesk.
The U.S. Office of Foreign Assets Control (OFAC) has previously sanctioned blockchain services linked to money laundering, such as Tornado Cash and Bitzlato. However, the question now arises whether THORChain should be treated in the same way. Critics argue that THORChain isn’t as decentralized as its supporters claim, given the large profits its supporters are making from the Bybit hack.
In addition, THORChain’s transaction fees, especially those earned by its wallet apps, add another layer of complexity to its defense. As a former U.S. Treasury Department official points out, “Anybody making money on fees related to the movement of hacked funds that have already been publicly attributed to Lazarus and North Korea potentially has an OFAC issue.”
Even some of THORChain’s biggest supporters have expressed concerns. A THORChain developer known as “TCB” warned, “When the huge majority of your flows are stolen funds from North Korea for the biggest money heist in human history, it will become a national security issue.”
The Bybit hack in February was a significant event, even by the standards of the Lazarus group, which is known for its large-scale crypto heists. The hackers managed to gain access to Bybit’s primary Ethereum wallets after tricking Bybit’s founder into interacting with a compromised website. The stolen funds were then swiftly moved across a series of fresh crypto wallets in a complex money-laundering operation. THORChain played a crucial role in this operation, serving as a bridge for swapping tokens across different blockchains.
On February 27, the FBI released a list of DPRK-linked blockchain addresses and urged various entities to block transactions linked to these addresses. However, THORChain did not comply, further raising concerns within its community.
Thorbjornsen and other supporters argue that THORChain should be treated like other decentralized protocols such as Bitcoin or Ethereum, which did not block transactions following the Bybit heist. However, critics point out that THORChain isn’t as decentralized as it claims to be.
