Thorchain watched Lazarus launder $900m in stolen crypto. That’s a big problem for DeFi

North Korean hackers the Lazarus Group used Thorchain in the laundering of $900 million worth of crypto. Illustrator: Gwen P; Source: Shutterstock
  • Thorchain played a role in Lazarus Group's $1.4 billion laundering spree.
  • Node operators who kept the network running made millions in fees.
  • The situation demonstrates the tension between creating decentralised financial products and preventing the facilitation of criminal activity.

When it became apparent that North Korean hackers were using Thorchain to launder $1.4 billion stolen from crypto exchange Bybit last month, it triggered a clash among the platform’s operators.

One group was appalled and pushed to shut off the network until they had the situation under control.

But others who were dedicated to upholding the network’s decentralisation — a common aspiration for blockchain projects — wanted to keep it running, no matter who was using it, or for what purpose.

The latter group won out.

Over the following week, North Korean hackers the Lazarus Group used Thorchain in the laundering of $900 million worth of crypto, according to an analysis by Taylor Monahan, the lead security researcher at the crypto wallet MetaMask.

And the node operators — volunteers who process the transactions — pocketed millions in fees.

Now, the network, which specialises in swaps between incompatible blockchains, is facing a barrage of criticism.

Thorchain’s dilemma demonstrates the tension between creating decentralised financial products and preventing the facilitation of criminal activity.

The episode also casts a spotlight on the question of whether inaction amounts to knowingly aiding in the laundering of stolen funds for a pariah state that flouts international law.

Between 2007 and 2023, Lazarus Group hacks have cost crypto firms and DeFi projects over $3.4 billion, per a DL News calculation.

The hacker group stole an additional 40% of that amount in just the Bybit hack. North Korea uses the money from crypto thefts to advance its nuclear missile programme.

Then there is the potential legal exposure.

“Thorchain’s decentralised nature does not fully insulate it from the legal ramifications of facilitating illicit transactions,” Yuriy Brisov, a partner at crypto legal consulting firm D&A Partners, told DL News.

Privacy protocol Tornado Cash showed what can happen when authorities try to enforce sanctions in crypto.

One of the protocol’s developers, Alexey Pertsev, was sentenced by a Dutch court in May to five years in prison.

Two more of the protocol’s developers are awaiting trial in the US.

There’s no indication that Thorchain or its node operators are under investigation in any jurisdiction for their role in handling proceeds from the Bybit hack.

But if the authorities responsible for enforcing sanctions decided to make a move, they could go after node operators — many of whom are publicly known and reside in the US.

They knowingly kept the network running despite it handling hundreds of millions of dollars worth of transactions for North Korea, onchain records show.

The Bybit heist has already become the stuff of crypto lore given its scale and the brazenness of the laundering operation that occurred in its immediate aftermath.

On February 21, North Korean hackers hit crypto exchange Bybit for $1.4 billion by compromising the exchange’s wallet provider, Safe Wallet.

As part of its laundering efforts, Lazarus used DeFi exchanges, including Thorchain, to swap the stolen Ether tokens into Bitcoin and other crypto assets.

Thorchain’s rift

About 100 volunteer operators run the Thorchain network and process transactions.

To make changes which would stop Lazarus Group from using Thorchain, a majority of these node operators have to agree on taking action.

On February 26, five days after the Bybit hack, some of Thorchain’s node operators paused trading on its Ethereum version, which Lazarus was primarily using, a Thorchain developer, who wished to remain anonymous, told DL News.

But within 30 minutes the pause was overturned by other node operators who wanted to keep the network running.

Conversations in the Thorchain Discord — a messaging app — show a divide between node operators who wanted to pause the network and those who did not.

It’s not the first time Thorchain’s node operators have shut off the network. In January, they temporarily paused the network’s lending markets to avoid insolvency.

Thorchain is decentralised and has no central point of authority — it comprises individual operators similar to Bitcoin or Ethereum. Many of its operators and supporters say the chain has no responsibility to decide who can or cannot use it.

As a result, there is no one who can comment on behalf of the network.

“Node operators on Thorchain are not unlike node operators on other chains,” John-Paul Thorbjornsen, a prominent Thorchain community member who was part of the network’s original developer team, told DL News.

“They are not there to form an opinion on who should use the chain.”

After the pause was reversed, Pluto, a pseudonymous Thorchain developer who backed the pause, stepped away from the project.

Pluto did not respond to a request for comment.

Thorbjornsen said node operators aren’t worried about legal action. They can now run a patch to filter out sanctioned crypto addresses, he said.

Yet by March 4, Lazarus had used Thorchain in the laundering of most of the crypto stolen from the Bybit hack.

Monahan, the MetaMask researcher, said she believes Thorchain should have done more to halt the Lazarus activity.

“Kim Jong Un sends his deepest gratitude to Thorchain, Asgardex, and eXch,” Monahan said on X, referring to two other exchanges that use Thorchain to facilitate transactions.

Profit motive

Node operators have a big incentive for maintaining Thorchain’s decentralised model: fees. Those who chose to keep the network running took in around $5.5 million combined from Lazarus’ transactions.

Thorbjornsen said that operators would have had to halt the entire network and not process any swaps at all to stop Lazarus.

Anyone needing swaps would have gone to Thorchain’s competitors like Maya Protocol or another centralised service, he said.

The fact that node operators profited from Lazarus Group’s laundering raises difficult legal questions.

Riccardo Spagni, former lead maintainer of Monero, told DL News that he believes part of the reason US authorities came after Tornado Cash’s developers was because they made money from Lazarus’ use of the Tornado Cash protocol.

Other anonymising crypto protocols which don’t directly enrich their developers, like Monero, have not yet drawn the ire of the authorities, despite their use among criminals.

State of flux

Thorchain’s laundering debacle comes at a time when crypto enforcement is in a state of flux.

The US sanctioned the Tornado Cash protocol due to its use by North Korean money launderers, while two of its developers, Roman Storm and Roman Semenov, are facing criminal charges.

Storm’s trial is set to begin April 14.

And last year, a Dutch court convicted Pertsev, another Tornado Cash developer, for money laundering because he failed to prevent bad actors from laundering illicit proceeds through the protocol.

The court rejected Pertsev’s argument that the protocol’s smart contracts are automated so he should not be held liable.

Yet at the same time, the new administration under President Donald Trump is taking a much more lenient approach to crypto regulation.

Since Trump took office in January, the Securities and Exchange Commission has dropped several cases against crypto firms, including Ripple and Coinbase.

In November, a US court overturned sanctions against Tornado Cash. The sanctions were removed on March 21.

The court’s opinion, which was regarded as a significant win for the crypto industry, may embolden those who believe decentralised blockchain protocols are exempt from the law.

However, the criminal cases against Storm and Semenov allege the pair knowingly allowed Lazarus to launder funds through Tornado Cash and “turned a blind eye to the illicit activity.”

That means Thorchain’s operators could, in theory, face similar action.

Thorchain’s involvement in swapping stolen Bybit hack funds raises “parallel concerns” with Lazarus’ use of Tornado Cash, Brisov, the crypto lawyer, said.

Perennial issue

How sanctions violations intersect with DeFi protocols is likely to be an issue for the foreseeable future.

Lazarus Group’s crypto thefts are increasing in size and frequency, with the $1.4 billion Bybit hack being its biggest heist yet.

Some DeFi protocols are willing to take a hit to their decentralisation in the short term to combat money laundering.

Yet many more side with Thorchain in their belief that decentralised protocols shouldn’t choose who can or cannot use them.

And until laws and authorities force DeFi protocols to adopt preventative measures or face legal consequences, it’s safe to say North Korea will continue plundering crypto to top up its coffers.

Tim Craig is DL News’ Edinburgh-based DeFi Correspondent. Reach out with tips at tim@dlnews.com.
