TLDR
- THORSwap offers bounty for return of $1.2M stolen from THORChain founder’s wallet.
- The wallet was likely exploited by North Korean hackers, draining $1.35M in assets.
- THORSwap CEO Paper X confirms no protocol was exploited in the incident.
- ZachXBT links the attack to North Korean hackers, highlighting vulnerabilities in crypto security.
THORSwap, a decentralized exchange (DEX) aggregator, has issued a bounty offer following a $1.2 million exploit of a personal wallet tied to THORChain founder John-Paul Thorbjornsen. The exploit was flagged by PeckShield, a blockchain security company, and caused a significant stir in the crypto community. The attack, which initially seemed to target THORChain as a protocol, was later clarified as a breach of an individual’s wallet, not the THORChain network itself.
According to an onchain message sent to the hacker, THORSwap offered a reward for the return of the stolen funds, promising no legal action if the assets were returned within 72 hours. The message, posted publicly on X (formerly Twitter), read: “Bounty offer: Return $THOR for reward. Contact @thorswap.finance or THORSwap discord for OTC deal.”
Exploit Likely Involves THORChain Founder
The breach is believed to have affected John-Paul Thorbjornsen, the co-founder of THORChain. Blockchain analyst ZachXBT was quick to link the hack to North Korean hackers, stating that $1.35 million was stolen from Thorbjornsen’s wallet, likely through a Telegram scam involving a deepfake Zoom call.
The attack relied on social engineering: a hacked Telegram account was used to trick Thorbjornsen into clicking a malicious link, leading to the theft.
Thorbjornsen revealed that the MetaMask wallet linked to the attack had been left unprotected, stored in a logged-out Chrome profile. The wallet contained both staked assets and personal funds, which were likely overlooked until the attack unfolded. He speculated that 0-day exploits may have been used to access his iCloud Keychain or Chrome profile, pointing to vulnerabilities in common security practices.
THORSwap Confirms No Protocol Exploitation
In a follow-up clarification, THORSwap confirmed that no part of the THORChain protocol had been exploited during the attack. According to Paper X, the CEO of THORSwap, the incident was related to a user’s personal wallet and did not affect the THORChain or THORSwap infrastructure.
This clarification helped to calm concerns among users who feared a vulnerability in the THORChain network.
The stolen funds were traced to an address starting with 0x7Ab, and THORSwap’s focus shifted to recovering the $1.2 million worth of stolen assets, specifically $1.03 million in Kyber Network tokens and $320,000 in THORSwap tokens. The bounty offer was an attempt to incentivize the hacker to return the stolen assets without facing legal consequences.
Broader Implications for Crypto Security
This incident has raised concerns about the security of personal wallets and the growing sophistication of crypto scams. The attack on Thorbjornsen is just one of many breaches linked to social engineering and phishing tactics.
As the crypto industry matures, attacks of this nature are becoming more frequent, and experts are urging users to adopt more secure practices.
Thorbjornsen’s advice to avoid storing sensitive keys on cloud services like iCloud or Google Drive has sparked discussions about the future of crypto security. He stressed the importance of using multi-device threshold signature wallets, such as Vultisig, to protect assets.