Inside DeFi exchanges caught in North Korea’s $1.4bn laundering spree

DeFi venues Chainflip and Thorchain are a top choice for North Korean hackers. Illustrator: Gwen P; Source: Shutterstock
  • North Korea turns to DeFi to launder funds from the $1.4 billion Bybit hack.
  • In response, protocols implement measures to block illicit activity.
  • But some warn that these actions risk undermining DeFi’s core principle of permissionlessness.

The team at Chainflip had already called it a day and gone out for drinks when crypto exchange Bybit was hit by a record $1.4 billion heist.

Initially, they weren’t too worried that the hacker would use Chainflip, a smaller decentralised crypto exchange, to transfer the stolen funds.

That all changed when later that evening they found out that the Lazarus Group, the state-sponsored North Korean hackers, were behind the attack.

“They know us,” Shaun van Vuuren, Chainflip’s head of marketing, told DL News in an interview, recounting the event. “They’re gonna use us, we are always their prime target.”

And use Chainflip they did. Lazarus started funnelling stolen crypto through the exchange mere hours after the theft.

DeFi protocols like Chainflip exist in a regulatory grey area, and aren’t subject to the EU’s Markets in Crypto Assets regulation that came into force in 2023.

The Berlin-based startup needed to make a big decision — and fast.

Stay true to crypto’s core tenet of decentralisation and let Lazarus use Chainflip as part of its complex laundering activities, or try to stop the hermit kingdom in its tracks.

“We saw an opportunity here where we could just say, ‘fuck it’ — we’re not going to be a part of this,” Van Vuuren said.

Chainflip told its liquidity providers to pull their funds and later upgraded the exchange’s Ethereum version with measures in place to help block Lazarus and other bad actors from using it.

Now, those who use or integrate the exchange can scan transactions and tell the network to reject them if they come from Lazarus or other bad actors.

Van Vuuren said Chainflip had to sacrifice some of its decentralisation in the short term to do this, but that it is working towards becoming more decentralised again in the future.

DeFi sacrilege

For some, however, Chainflip’s actions are sacrilegious.

Decentralisation diehards say that efforts to block Lazarus will set DeFi on a path that erodes its permissionless nature.

Blocking some transactions and not others is a slippery slope toward recreating the walled traditional financial system DeFi wants to differentiate itself from, they say.

Chainflip’s solution isn’t perfect either. On Thursday, the exchange said it had paused its Solana and Arbitrum versions after Lazarus attempted to send funds through those blockchains, too.

It’s not just Chainflip grappling with this issue.

Thorchain, a bigger Chainflip competitor, has been unable to stop North Korea from laundering the funds it stole from Bybit. Its community is deeply divided on the issue, according to interviews with top contributors and chat logs viewed by DL News.

Unlike Chainflip, where the firm behind the exchange can help guide its users, Thorchain has no central authority, and is instead run by a distributed network of validators. If the validators don’t agree to changes, they can’t be implemented.

So far, wallets linked to Lazarus have used Thorchain to swap over $742 million worth of cryptocurrencies stolen from Bybit, according to analysis by Taylor Monahan, the lead security researcher at the crypto wallet MetaMask.

Lazarus’ laundering

The Lazarus Group has stolen billions of dollars worth of crypto from exchanges, DeFi protocols, and individual users in recent years.

The group usually attempts to convert stolen crypto into Bitcoin because it is the easiest asset to swap for cash.

Chainflip and Thorchain are a top choice for North Korean hackers because they are the only DeFi venues with enough liquidity to swap large amounts of other cryptocurrencies into Bitcoin.

DeFi protocols like Chainflip and Thorchain are made up of the underlying blockchain code that executes transactions, and a website that lets users easily interact with the code and submit transactions, known in the industry as a front end.

Chainflip works with crypto security firm Elliptic to block crypto addresses associated with North Korea from using its front end. Thorchain doesn’t have an official front end, but many associated projects that provide front ends for it also block North Korea from using them.

Blocking North Korea from using front ends helps slow laundering down, but it doesn’t stop it entirely.

Lazarus can still bypass the blocks by interacting with the protocol code directly, or through a third-party front end that doesn’t block its crypto wallets, as shown by the amount of funds laundered through Thorchain since the Bybit hack.

That’s why Chainflip has taken extra measures to let its stakeholders flag Lazarus’s transactions to stop the network processing them.

Thorchain’s schism

But on Thorchain, the community has been unable to agree on implementing similar measures.

There’s a growing rift between those who advocate for changing the protocol’s code to prevent North Korean money laundering and those who see censoring transactions on the protocol level as untenable.

On Thursday, some Thorchain validators attempted to halt the protocol’s Ethereum version to stop North Korea laundering funds. While the halt was initially implemented, it was reversed after 30 minutes, signalling a divide between validators.

“Thorchain front ends have already been blocking transactions for years,” Michael Perklin, a Thorchain community member, said in the project’s Discord, arguing against blocking Lazarus’s transactions on the protocol level. “That’s their job — not the protocol’s.”

“Setting the precedent of halting an entire chain to stop the flow of illicit funds is going to lead to never ending stoppages,” another Thorchain community member said on X. “Thorchain should track and report transactions as much as possible, but not halt an entire chain to stop them.”

Pluto, a prominent pseudonymous Thorchain developer, stepped away from the project soon after the halt was reversed.

Possible solution

One solution is that Thorchain validators could all agree to configure their software to ignore transactions from bad actors like Lazarus.

This way, bad actors wouldn’t be able to use Thorchain, and validators wouldn’t have to decide whether to accept or reject transactions because they wouldn’t even know they had been asked to make one.
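The two enforcement points the article describes (a front-end check that only sees requests routed through the official website, and a validator-side check that sees every request however it was submitted) modelled as an added example. This is not code from Chainflip, Thorchain or Elliptic; the request shape, the `submitted_via` field, the layer names and every address are constructed assumptions.

```python
"""Screening swap requests against an address denylist at two layers.

Added example, not code from Chainflip, Thorchain or Elliptic. It models the two
enforcement points discussed in the article: the front end, which can only act on
requests that pass through it, and validator/node ingress, which sees every
request regardless of how it was submitted. All addresses are placeholders.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed placeholder denylist; these are not real flagged addresses.
FLAGGED_ADDRESSES = {
    "0xf1a99ed000000000000000000000000000000001",
    "0xf1a99ed000000000000000000000000000000002",
}

OFFICIAL_FRONTEND = "official_frontend"      # runs the front-end screen
THIRD_PARTY_FRONTEND = "third_party_frontend"  # assumed not to screen
DIRECT = "direct"                            # signed and broadcast to the protocol directly


@dataclass(frozen=True)
class SwapRequest:
    sender: str
    amount: float
    asset_in: str
    asset_out: str
    submitted_via: str


class Denylist:
    """Case-insensitive set of flagged addresses that can be extended at runtime."""

    def __init__(self, addresses: Iterable[str]):
        self._flagged = {a.lower() for a in addresses}

    def add(self, address: str) -> None:
        self._flagged.add(address.lower())

    def is_flagged(self, address: str) -> bool:
        return address.lower() in self._flagged


def frontend_allows(req: SwapRequest, denylist: Denylist) -> bool:
    """Front-end check. Requests that never touch the official front end
    (third-party front end or direct submission) are not examined here at all."""
    if req.submitted_via != OFFICIAL_FRONTEND:
        return True
    return not denylist.is_flagged(req.sender)


def node_allows(req: SwapRequest, denylist: Denylist) -> bool:
    """Node-level check run by every validator on every inbound request."""
    return not denylist.is_flagged(req.sender)


def process(
    requests: Iterable[SwapRequest], denylist: Denylist, node_filter_enabled: bool
) -> Tuple[List[SwapRequest], List[Tuple[SwapRequest, str]]]:
    """Return (accepted, rejected); each rejection records the layer that stopped it."""
    accepted: List[SwapRequest] = []
    rejected: List[Tuple[SwapRequest, str]] = []
    for req in requests:
        if not frontend_allows(req, denylist):
            rejected.append((req, "frontend"))
        elif node_filter_enabled and not node_allows(req, denylist):
            rejected.append((req, "node"))
        else:
            accepted.append(req)
    return accepted, rejected


def demo():
    """Constructed requests: one clean sender, and one flagged sender trying each path.
    Returns the outcome with front-end screening only, then with both layers."""
    denylist = Denylist(FLAGGED_ADDRESSES)
    flagged = next(iter(FLAGGED_ADDRESSES)).upper()  # mixed case exercises normalisation
    clean = "0x1111111111111111111111111111111111111111"
    requests = [
        SwapRequest(clean, 10.0, "ETH", "BTC", OFFICIAL_FRONTEND),
        SwapRequest(flagged, 500.0, "ETH", "BTC", OFFICIAL_FRONTEND),
        SwapRequest(flagged, 500.0, "ETH", "BTC", THIRD_PARTY_FRONTEND),
        SwapRequest(flagged, 500.0, "ETH", "BTC", DIRECT),
    ]
    frontend_only = process(requests, denylist, node_filter_enabled=False)
    both_layers = process(requests, denylist, node_filter_enabled=True)
    return frontend_only, both_layers


if __name__ == "__main__":
    (acc1, rej1), (acc2, rej2) = demo()
    print(f"front end only:   {len(acc1)} accepted, {len(rej1)} rejected")
    print(f"front end + node: {len(acc2)} accepted, {len(rej2)} rejected")
```

With the front-end screen alone, the flagged sender is stopped only on the official website and gets through via a third-party front end or a direct submission; with the node-level check enabled on every validator, all three of those paths are rejected while the clean sender is unaffected. The node-level check is also where a validator set that opts to "ignore" such requests, as the article's proposal describes, would sit.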

“It’s like going up to a bank teller and handing them $5,000, and they can’t even see that you’re there, essentially,” a Thorchain developer who asked not to be named told DL News.

“I think that’s the best solution to this problem,” the same developer said. “There’s definitely people against it, and there’s definitely people for it.”

Yet with Thorchain already having enabled Lazarus to swap millions in crypto, the change, if successful, may come too late to have a meaningful impact this time.

Tim Craig is DL News’ Edinburgh-based DeFi Correspondent. Reach out with tips at tim@dlnews.com.