THORChain has been called a money laundering protocol — a label no decentralized finance (DeFi) project wants unless it’s prepared to have regulators breathing down its neck.
Its supporters have fended off the criticism by championing decentralization, while its critics point to recent activities that showed some of the protocol’s centralized tendencies.
After exploiting Bybit for $1.4 billion, the North Korean state-backed hackers behind the attack, known as the Lazarus Group, flocked to THORChain, making it their top choice to convert stolen funds from Ether (ETH) to Bitcoin (BTC). Lazarus finished converting its Ether within just 10 days of the hack.
The controversy has triggered internal conflict, governance cracks and developer resignations, exposing a deeper issue and question: Can DeFi remain neutral when criminals exploit it at scale?
THORChain is not a mixer
THORChain is a decentralized swap protocol, so some say it’s unfair to call it a laundering machine, as the output is traceable. It’s not like a mixer, whose purpose is to conceal cryptocurrency fund trails — though the reasons for using mixers vary between users, with some simply wanting to preserve their privacy and others using them for illicit purposes.
Federico Paesano, investigations lead at Crystal Intelligence, argued in a LinkedIn post that it is misleading to state that the North Korean hackers “laundered” the Bybit hack proceeds.
“So far, there’s been no concealment, only conversion. The stolen ETH have been swapped for BTC using various providers, but every swap is fully traceable. This isn’t laundering; it’s just asset movement across blockchains.”
Tracing funds swapped to Bitcoin is time-consuming, but not impossible. Source: Federico Paesano
Hackers also moved funds through Uniswap and OKX DEX, yet THORChain has become the focal point of scrutiny due to the sheer volume of funds that passed through it. In a March 4 X post, Bybit CEO Ben Zhou said that 72% of the stolen funds (361,255 ETH) had flowed through THORChain, far surpassing activity on other DeFi services.
Over $1 billion in Ether from the Bybit theft was traced to THORChain. Source: Coldfire/Dune Analytics
A truly decentralized platform’s strength lies in its neutrality and censorship-resistance, which are foundational to blockchain’s value proposition, according to Rachel Lin, CEO of decentralized exchange SynFutures.
“The line between decentralization and responsibility can evolve with technology,” Lin told Cointelegraph. “While human intervention contradicts decentralization’s ethos, protocol-level innovations could automate safeguards against illicit activity.”
Related: From Sony to Bybit: How Lazarus Group became crypto’s supervillain
THORChain collected at least $5 million in fees from these transactions, a windfall for a project already struggling with financial instability. This financial benefit has further fueled criticism, with some questioning whether THORChain’s reluctance to intervene was ideological or simply a matter of self-preservation.
Source: Yogi (Screenshot cropped by Cointelegraph for visibility)
Governance cracks show when decentralization becomes a shield
The controversy sparked a dilemma on whether THORChain should act. In an attempt to block the hackers, three validators voted to halt ETH trading, effectively closing off their swapping route. However, four validators quickly voted to overturn the decision.
This exposed a contradiction in THORChain’s governance model. The protocol claims to be absolutely decentralized, yet it had previously intervened to pause its lending feature due to insolvency risks (swaps still remained operational).
Some crypto community members called out THORChain’s actions as selective decentralization, where governance intervention only occurs when it serves the protocol’s own interests.
Source: Dan Dadybayo
The backlash was immediate. Pluto, a key THORChain developer, resigned. Another developer, TCB, who identified themselves as one of the three validators who voted to halt Ether trades, hinted at leaving unless governance issues were addressed.
Meanwhile, blockchain investigator ZachXBT called out Asgardex, a THORChain-based decentralized exchange, for not returning fees earned from hackers, while other protocols reportedly refunded ill-gotten gains.
THORChain founder John-Paul Thorbjornsen responded by claiming that centralized exchanges pocket millions from facilitating illicit transactions unless pressured by authorities.
“This pisses me off. Do we get ETH and BTC nodes to give back their transaction fees? What about GETH or BTCCore devs – who write the software, funded by grants/donations?” asked Thorbjornsen.
Source: ZachXBT
THORChain’s growing regulatory risks, as previously demonstrated by privacy tools
For now, THORChain has avoided any direct enforcement actions from governments, but history suggests that DeFi protocols facilitating illicit finance may not escape scrutiny forever. Tornado Cash, a well-known crypto mixer, was sanctioned by the US Treasury in 2022 after being used to launder billions of dollars, though it was later overturned by a US court. Similarly, Railgun came under FBI scrutiny in 2023 after North Korean hackers used it to move $60 million in stolen Ether.
Related: Tornado Cash developer Alexey Pertsev leaves prison custody
Railgun presents a unique case, as it’s marketed as a privacy protocol rather than a mixer or a DEX. But the distinction still draws comparisons to THORChain, given that privacy protocols frequently face criticism for potentially enabling illicit activities.
“Critics often claim that privacy-focused projects enable crime, but in reality, protecting financial privacy is a fundamental right and a cornerstone of decentralized innovation,” Chen Feng, head of research at Autonomys and associate professor and research chair in blockchain at the University of British Columbia’s Okanagan Campus, told Cointelegraph.
“Technologies like ZK-proofs and trusted execution environments can secure user data without obscuring illicit activity entirely. Through optional transparency measures and robust onchain forensics, suspicious patterns can still be detected. The goal is to strike a balance: empower users with privacy while ensuring the system has built-in safeguards to discourage and trace illicit use.”
Lin of SynFutures said continued illicit use of decentralized protocols would “absolutely” lead to drastic measures from authorities.
“Governments will likely escalate measures if they perceive decentralized protocols as systemic risks. This could include sanctioning protocol addresses, pressuring infrastructure providers, blacklisting entire networks or going after the builders,” she said.
Rising pressure against THORChain
THORChain supporters argue it is being unfairly singled out, as hackers have also used other DeFi protocols. But regulators tend to focus on the biggest enablers, and THORChain processed the vast majority of the stolen funds from the Bybit hack. This makes it an easy target for enforcement actions ranging from Office of Foreign Assets Control (OFAC) sanctions to developer prosecutions.
“When the huge majority of your flows are stolen funds from north korea for the biggest money heist in human history, it will become a national security issue, this isn’t a game anymore,” TCB wrote on X.
“The threshold you want to be credibly decentralized you need a network of 1000+ unique validators. There is a reason why @Chainflip fixed this issue on the network level so quickly and all front end are applying censorship.”
If regulators decide to crack down, the consequences could be severe. Sanctions on THORChain’s validators, front-end service, and liquidity providers could cripple its ecosystem, while major exchanges might delist RUNE (RUNE), cutting off its access to liquidity.
There is also the possibility of legal action against developers, as seen in the Tornado Cash case, or pressure to introduce compliance measures like sanctioned address filtering — something that would contradict THORChain’s decentralized ethos and alienate its core user base.
THORChain’s entanglement with North Korean hackers has put it at a crossroads. The protocol must decide whether to take action now or risk having regulators step in to make that decision for them.
For now, the protocol remains firm in its laissez-faire approach, but history suggests DeFi projects that ignore illicit activity don’t stay untouchable forever.
Magazine: THORChain founder and his plan to ‘vampire attack’ all of DeFi
