THORChain has been labeled a money laundering framework — a designation no decentralized finance (DeFi) initiative desires unless it is ready to face scrutiny from regulators.
Its advocates have pushed back against this criticism by highlighting decentralization, while detractors reference recent incidents that revealed some of the protocol’s centralized characteristics.
Following the exploitation of Bybit for $1.4 billion, the North Korean state-sponsored cybercriminals responsible for the breach, referred to as the Lazarus Group, gravitated toward THORChain, making it their preferred platform to exchange pilfered assets from Ether (ETH) into Bitcoin (BTC). Lazarus completed the conversion of its Ether in a mere 10 days following the hack.
This scandal has instigated internal discord, governance fractures, and developer exits, bringing to light a more profound issue and query: Can DeFi sustain neutrality when it is exploited by criminals on a large scale?
THORChain is not a mixer
THORChain functions as a decentralized exchange protocol, leading some to argue it is unjust to label it a laundering apparatus, as the outcomes are traceable. Unlike a mixer, intended to obscure cryptocurrency transaction trails — even though motivations for utilizing mixers vary among users, with some merely seeking to protect their privacy while others exploit them for illegal purposes.
Federico Paesano, lead investigator at Crystal Intelligence, contended in a LinkedIn post that it is misleading to assert that the North Korean hackers “laundered” the proceeds from the Bybit breach.
“Up to this point, there’s been no concealment, merely conversion. The stolen ETH have been exchanged for BTC using various providers, yet every exchange remains entirely traceable. This isn’t laundering; it’s simply asset movement across blockchains.”
Tracking funds converted to Bitcoin is laborious, but not unfeasible. Source: Federico Paesano
Cybercriminals also redirected assets via Uniswap and OKX DEX, yet THORChain has attracted the most scrutiny due to the significant amount of funds that traversed it. In a March 4 post on X, Bybit CEO Ben Zhou asserted that 72% of the misappropriated funds (361,255 ETH) had passed through THORChain, vastly exceeding transactions on other DeFi platforms.
More than $1 billion in Ether from the Bybit heist was traced back to THORChain. Source: Coldfire/Dune Analytics
The true strength of a decentralized platform is rooted in its neutrality and resistance to censorship, which are essential to the value proposition of blockchain, as noted by Rachel Lin, CEO of decentralized exchange SynFutures.
“The boundary between decentralization and accountability can shift with advancements in technology,” Lin informed Cointelegraph. “While human involvement contradicts the ethos of decentralization, innovations at the protocol level could automate protections against unlawful actions.”
Related: From Sony to Bybit: How Lazarus Group became crypto’s supervillain
THORChain accrued at least $5 million in fees from these dealings, a significant gain for a project already facing financial turbulence. This financial advantage has added to the criticism, leading some to question whether THORChain’s hesitance to act was driven by ideology or merely self-preservation.
Source: Yogi (Screenshot cropped by Cointelegraph for clarity)
Governance fractures reveal when decentralization becomes a facade
The scandal initiated a dilemma regarding whether THORChain ought to take action. In a bid to obstruct the hackers, three validators voted to suspend ETH trading, effectively closing their exchange pathway. Nevertheless, four validators swiftly voted to reverse that decision.
This highlighted a contradiction within THORChain’s governance framework. The protocol professes to be fully decentralized, yet it previously intervened to suspend its lending functionalities due to insolvency threats (swaps continued to be operational).
Several members of the cryptocurrency community criticized THORChain’s actions as selective decentralization, indicating that governance intervention occurs only when it aligns with the protocol’s interests.
Source: Dan Dadybayo
The backlash was swift. Pluto, a prominent developer within THORChain, resigned. Another developer, TCB, who identified as one of the three validators who voted to halt Ether transactions, implied they might depart unless governance concerns were resolved.
Meanwhile, blockchain investigator ZachXBT called out Asgardex, a decentralized exchange built on THORChain, fornot reimbursing earnings accrued from cybercriminals, while alternative protocols allegedly refunded misappropriated assets.
THORChain’s creator John-Paul Thorbjornsen reacted by asserting that centralized exchanges amass millions by enabling unlawful transactions unless coerced by regulators.
“This frustrates me. Do we demand ETH and BTC nodes to return their processing fees? What about GETH or BTCCore developers – who produce the software, funded by grants/donations?” inquired Thorbjornsen.
Source: ZachXBT
THORChain’s escalating regulatory dangers, as previously illustrated by privacy tools
At present, THORChain has evaded any direct enforcement measures from authorities, but historical trends imply that DeFi protocols facilitating illegal finance may not avoid scrutiny indefinitely. Tornado Cash, a prominent crypto mixer, was sanctioned by the US Treasury in 2022 following its use to clean billions of dollars, although it was subsequently reversed by a US court. In a similar vein, Railgun faced FBI scrutiny in 2023 after North Korean hackers utilized it to transfer $60 million in stolen Ether.
Related: Tornado Cash developer Alexey Pertsev released from prison custody
Railgun represents an intriguing case, as it is marketed as a privacy protocol rather than a mixer or a DEX. Yet the differentiation still draws parallels to THORChain, considering that privacy protocols frequently encounter criticism for potentially facilitating unlawful activities.
“Critics often assert that privacy-centric projects support crime, but in truth, safeguarding financial privacy is a fundamental right and a cornerstone of decentralized innovation,” Chen Feng, head of research at Autonomys and associate professor and research chair in blockchain at the University of British Columbia’s Okanagan Campus, expressed to Cointelegraph.
“Technologies like ZK-proofs and trusted execution environments can protect user information without completely obscuring illegal activities. Through optional transparency measures and comprehensive onchain forensics, suspicious behaviors can still be identified. The objective is to reach an equilibrium: empower users with privacy while ensuring the system incorporates safeguards to dissuade and track illicit usage.”
Lin of SynFutures stated that ongoing illegal use of decentralized protocols would “absolutely” compel authorities to take severe actions.
“Governments are likely to escalate measures if they view decentralized protocols as systemic threats. This could involve sanctioning protocol addresses, exerting pressure on infrastructure providers, blacklisting entire networks, or targeting the developers,” she remarked.
Increasing pressure against THORChain
THORChain backers contend it is being unjustly singled out, as hackers have exploited other DeFi protocols too. However, regulators typically concentrate on the largest facilitators, and THORChain processed a significant portion of the pilfered assets from the Bybit breach. This makes it a convenient target for enforcement measures, from Office of Foreign Assets Control (OFAC) sanctions to developer indictments.
“When the vast majority of your transactions involve misappropriated funds from North Korea for the largest money heist in human history, it escalates into a national security concern; this isn’t a frivolous matter anymore,” TCB wrote on X.
“To be credibly decentralized, you need a network of over 1000 unique validators. There’s a reason why @Chainflip quickly addressed this issue on the network level, and all front ends are implementing censorship.”
If regulators opt to intensify their actions, the repercussions could be severe. Sanctions on THORChain’s validators, front-end service, and liquidity providers could cripple its ecosystem, while large exchanges may delist RUNE (RUNE), cutting off its liquidity access.
There is also the potential for legal repercussions against developers, akin to those seen in the Tornado Cash case, or pressure to implement compliance measures such as sanctioned address filtering — a move that would contradict THORChain’s decentralized principles and alienate its core users.
THORChain’s association with North Korean hackers has placed it at a pivotal moment. The protocol faces the decision of whether to initiate action now or risk having regulators intervene to make those determinations in their stead.
Currently, the protocol remains steadfast in its laissez-faire approach, but history indicates that DeFi projects overlooking illegal activities do not remain invulnerable indefinitely.
Magazine: THORChain creator and his strategy to ‘vampire attack’ the entirety of DeFi