TLDR
- THORChain processed $5.4 billion in swap volume following the $1.4 billion Bybit hack
- The protocol earned approximately $5.5 million in revenue from these transactions
- The North Korean Lazarus Group is suspected of being behind the Bybit hack
- A THORChain developer quit after a vote to block illicit funds was reversed
- Critics say THORChain helped launder stolen cryptocurrency without resistance
THORChain has generated over $5.5 million in revenue after processing more than $5.4 billion in swap volume. This activity spike came after the protocol was used to move funds stolen in the $1.4 billion Bybit hack.
The Bybit exchange was hacked for $1.4 billion worth of cryptocurrency on February 21. This breach is now considered the largest hack in cryptocurrency history.
Blockchain security firms have linked the hack to the North Korean state-affiliated Lazarus Group. The hackers have been moving the stolen funds through various channels.
THORChain, a decentralized protocol that allows users to swap cryptocurrencies across different blockchains, became a major channel for these transfers. The protocol processed a record $4.66 billion in swaps in the week ending March 2.
On a single day following the Bybit hack, THORChain’s swap volume exceeded $1 billion. This activity generated over $554,000 in income for the protocol in just 24 hours.
THORChain just helped North Korea launder $605 million. No KYC, no off switch, no resistance. Lazarus Group jacked Bybit for $1.5 billion in February 2025, then funneled the stolen ETH through THORChain like it was built for them. Over five days, $2.91 billion in volume ripped… https://t.co/LKtGFFsZaM
— Yogi (@HouseofYogiX) March 4, 2025
Blockchain analytics firm Nansen reported on the hackers’ methods. “Starting from the initial Bybit Exploiter wallet, funds were sent across a further stretching net of wallets,” Nansen explained in a report.
The hackers began interacting with third-party services from the second hop in their transaction chain. These services were used to swap and launder the stolen funds.
According to Nansen, “Entities with the most inflow volume from the hack include THORChain, Paraswap, Mantle, OK DEX and DODO.” THORChain received the highest volume among these services.
Onchain analyst EmberCN reported that the hackers have now laundered all 499,000 ETH ($1.39 billion) stolen from Bybit. This process took just 10 days to complete.
The Ethereum price dropped by 23% during this period. The value fell from $2,780 to $2,130 as the stolen funds were moved through the market.
THORChain has faced criticism for its role in these transactions. Crypto commentator Yogi wrote, “THORChain just helped North Korea launder $605 million. No KYC, no off switch, no resistance.”
The controversy led to internal conflict within the THORChain team. A core developer known as “Pluto” quit the protocol after a vote to block North Korean hacker-linked illicit funds was reversed.
Some critics argue that THORChain could have done more to prevent the movement of stolen funds.
“Other protocols have blocked dirty wallets without killing decentralization. THORChain had options—Elliptic, transaction monitoring—but ignored them,” Yogi stated.
Blockchain analytics firm Elliptic has flagged 11,084 cryptocurrency wallet addresses suspected of being linked to the Bybit exploit. This list is expected to grow as investigations continue.
Bybit CEO Ben Zhou confirmed on March 4 that $280 million of the stolen funds had “gone dark.” This means the money has been laundered and is no longer traceable on public blockchains.
