A personal wallet said to belong to a THORChain co-founder has been exploited, leading to a loss of more than $1.2 million, according to security tracker Peckshield. The protocol has dismissed earlier reports on social platforms that claimed the breach affected its whole network. Web3 security platform ExVul Defender posted on X Friday that the attacker began moving funds two days ago. They reportedly sourced initial liquidity from a mixer before interacting with the THORChain network, making their first transactions at 06:41:47 AM UTC on Wednesday. Correction: This incident involved a user's personal wallet being exploited, and is not related to @THORChain . 🙏 https://t.co/mACcL1WkPt — THORChain (@THORChain) September 12, 2025 On Etherscan, the wallet address, in conjunction with THORChain, has issued three bounty offers within two days of the hack, but so far, the attacker has not replied. ZachXBT: Victim is THORChain co-founder JP Replying to PeckShield alert’s X post, blockchain security sleuth ZachXBT identified the victim as John-Paul Thorbjornsen, also known as JP, co-founder of both THORChain and wallet application Vultisig. The wallet likely belongs to @jpthor who had a private wallet compromised due to a fake meeting scam a few days ago. JP is one of the people whose has greatly benefited financially from the laundering of DPRK hacks/exploits. So it’s a bit poetic he got rekt here by DPRK. pic.twitter.com/T57RRJ0bbf — ZachXBT (@zachxbt) September 12, 2025 According to ZachXBT, JP’s personal wallet was drained of about $1.35 million during a Telegram meeting call scam orchestrated by North Korean hackers on Tuesday. JP, and platforms linked to him, have previously been linked to financial benefits from laundering activity tied to DPRK-linked hacks , including the $1.5 billion in Ethereum tokens Bybit exploit executed in late February. “JP is one of the people who has greatly benefited financially from the laundering of DPRK hacks and exploits,” ZachXBT wrote. “So it’s a bit poetic he got rekt here by DPRK.” Blockchain records from September 9 reveal a series of fund movements from the theft address, which could have been an attempt to obscure the trail of funds. The first transfer involved 6,233,015 THORChain tokens, which were moved out of the compromised wallet three days ago. Almost immediately afterward, another transaction placed 6,233,180 tokens into an address flagged as “Fake_Phishing1347722,” a label associated with laundering and phishing-related obfuscation. Still within the day, the attacker moved 6,333,180 tokens through THORChain, followed by another 6,333,333 tokens, possibly cycling large sums onto different addresses, alongside a smaller payment of 1,250,000 tokens was sent. The largest cluster of stolen funds, amounting to 2,778,345 tokens, eventually landed in the Kyber protocol, likely exchanged to create layers of separation from the original source. Currently, the majority of stolen funds worth $1.218 million have been sitting at 0x7abc09ab94d6015053f8f41b01614bb6d1cc7647 , ZachXBT said in his investigations Telegram channel. Did THORChain benefit from the Bybit hack laundering? Data from Arkham Intelligence shows hackers behind the Bybit attack moved at least 209,384 ETH, worth about $480 million, into Bitcoin. This was more than 50% of the estimated 400,000 ETH stolen from the exchange. Blockchain researchers tracked close to $1.2 billion in illicit crypto, about 85% of the Bybit hack lost funds, moving through THORChain. Within the first few days of the incident, at least $240 million of the Bybit proceeds were washed through THORChain and swapped into BTC, Arkham reported. Some competitors worked with authorities to restrict suspicious transactions, but THORChain’s operators did little to naught to block addresses, despite formal requests from the FBI and other agencies. Wallet applications built on the network, including Asgardex and Vultisig continued to process the activity without interruption. Blockchain security firms suggested that the network’s validators and wallet developers, many of whom are publicly identifiable and operate in jurisdictions with strict anti-money laundering requirements, claimed fees of more than $12 million for laundering the funds. “The protocol keeps running and swapping despite chaos. It’s doing great, actually,” Thorbjornsen said, supposedly defending its operations. At the time, THORChain recorded its largest-ever single day of trading, with more than $737 million worth of tokens swapped across the network. Get up to $30,050 in trading rewards when you join Bybit today
