THORChain Flagged as Key Laundering Route for Major Crypto Hacks
THORChain is being flagged as a key route for hackers to move stolen funds
THORChain is under fresh scrutiny after on-chain analysts said the cross-chain swap protocol has become a favorite rail for moving stolen crypto from major hacks, including FTX, Bybit, Balancer, and KelpDAO. The protocol keeps leaning on the same defense: it’s neutral, permissionless, and “just the pipes.” Sure. But when the pipes keep carrying hacked ETH and laundered funds, people are going to start kicking the plumbing.
- Major laundering route: THORChain is being used repeatedly to move exploit-linked crypto.
- Big money: The Bybit theft alone reportedly saw more than $1.2 billion flow through the protocol.
- Fees keep coming: THORChain reportedly earned about $910,000 from the KelpDAO case alone.
- Decentralization defense: THORChain says there is no admin key, no single controller, and no 2-of-3 multisig.
- Bitcoin tracing gets harder: Some stolen funds were bridged into BTC, where tracking becomes more fragmented.
What THORChain actually does
THORChain is a cross-chain swap protocol, which means it lets users move assets between different blockchains without going through a centralized exchange. In simple terms, it’s built to let people swap value directly across chains. That is a very crypto-native idea, and in a sane world, it’s useful infrastructure.
It is also exactly the kind of infrastructure hackers love.
If a thief can move stolen crypto quickly across chains, break the trail, and land in a harder-to-trace asset, that’s a serious problem for investigators. And the more permissionless the system is, the less room there is for a central operator to hit the brakes. That’s the tradeoff. Decentralization is the point. It’s also, inconveniently, the loophole criminals sprint through when nobody’s looking.
The KelpDAO exploit and the THORChain fee machine
The latest flashpoint is the KelpDAO exploit, where roughly $175 million in stolen funds was moved in just 36 hours. On-chain researchers including Arkham Intelligence and Lookonchain tracked the flows across several wallets and found the attacker splitting the loot into three wallets, each holding around 25,000 ETH — roughly $57 million to $59 million apiece.
One wallet reportedly dropped from 25,000 ETH to about 3,800 ETH, meaning nearly 99% of the funds had already moved out. Lookonchain also said the attacker swapped all 75,701 ETH through THORChain. A portion of those funds was later bridged into Bitcoin, which is where tracing gets more annoying.
THORChain reportedly earned about $910,000 in fees from the KelpDAO incident alone, which was more than its previous month’s total of $709,000. During the same spike in activity, the protocol reportedly pulled in around $660,000 in fees in 24 hours, with swap volume reaching $540 million.
That’s the uncomfortable part: the protocol is making real money from flows tied to theft. Nobody is claiming every THORChain transaction is illicit. That would be lazy nonsense. But when the same venue keeps showing up in exploit after exploit, the “we’re neutral infrastructure” argument starts sounding less like a principle and more like a dodge with good PR.
Why hackers keep using it
Hackers like THORChain for the same reason many legitimate users do: it moves value across chains without a centralized chokepoint. No KYC gate. No exchange compliance desk. No one operator deciding whether a transaction gets frozen while lawyers and compliance officers sharpen their pencils.
That makes it useful for privacy-minded users and for people who just want efficient cross-chain swaps. It also makes it attractive for laundering stolen crypto. The difference is intent, but the same infrastructure serves both. That is the messy reality of permissionless finance: the tool doesn’t ask whether you’re a normal user, a DeFi degenerate, or somebody cashing out a six-figure hack with sweat on your keyboard.
Why Bitcoin matters in the laundering trail
Some of the stolen funds were moved into Bitcoin, and that matters because Bitcoin tracing can become more fragmented after a few hops. Bitcoin uses a UTXO model, which is different from Ethereum’s account-based setup. Instead of balances sitting in one continuous account, Bitcoin transactions spend and create discrete chunks of coin called unspent transaction outputs.
Plain English version: Bitcoin is still traceable, but the trail can become more complex when coins are split, recombined, and moved through multiple transactions. It’s not magic invisibility. It’s just more work for investigators — and criminals absolutely understand the value of making someone else’s job annoying.
That’s why “bridging into Bitcoin” is such a relevant move in these cases. Once funds leave the original chain and land in BTC, the trail often becomes more fragmented and harder to interpret cleanly, especially when it’s mixed with multiple wallets and swap routes.
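The fragmentation described above, as an added example that is not part of the original article: a small tracer that follows flagged coins through a split and a merge using the "haircut" heuristic, where each output inherits the tainted share of the inputs it spends. The heuristic is one of several that investigators use and is chosen here as an assumption. The transaction IDs and values are constructed for illustration.

```python
from fractions import Fraction

# Constructed sample, not real chain data. Inputs reference earlier outputs
# as "txid:index"; output values are in satoshis. Transactions are listed in
# spend order, and an empty input list marks funds entering the traced window.
TXS = [
    {"txid": "theft", "inputs": [], "outputs": [100_000]},
    {"txid": "other", "inputs": [], "outputs": [360_000]},
    {"txid": "split", "inputs": ["theft:0"], "outputs": [59_000, 40_000]},
    {"txid": "merge", "inputs": ["split:1", "other:0"], "outputs": [250_000, 149_000]},
]

def trace_taint(txs, flagged):
    """Haircut tracing: each output inherits the tainted share of its inputs."""
    value, taint, spent = {}, {}, set()
    for tx in txs:
        total_in = sum(value[i] for i in tx["inputs"])
        tainted_in = sum(taint[i] for i in tx["inputs"])
        # Inputs minus outputs is the miner fee; it absorbs part of the taint.
        share = Fraction(tainted_in, total_in) if total_in else Fraction(0)
        spent.update(tx["inputs"])
        for n, v in enumerate(tx["outputs"]):
            op = f"{tx['txid']}:{n}"
            value[op] = v
            # A flagged outpoint is fully tainted regardless of its inputs.
            taint[op] = Fraction(v) if op in flagged else v * share
    return value, taint, spent

def unspent_exposure(txs, flagged):
    """Return {outpoint: (value, tainted_amount)} for unspent tainted outputs."""
    value, taint, spent = trace_taint(txs, flagged)
    return {op: (value[op], taint[op]) for op in value
            if op not in spent and taint[op] > 0}

if __name__ == "__main__":
    for op, (v, t) in unspent_exposure(TXS, {"theft:0"}).items():
        print(f"{op}: {v} sat, {t} sat tainted ({float(t / v):.0%})")
```

One flagged output becomes three unspent outputs after only two transactions, two of them just 10% tainted because they were merged with unrelated coins, which is the extra interpretive work the UTXO model creates for investigators.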
The Bybit hack raised the alarm even higher
The biggest case tied to THORChain is the Bybit hack. The FBI linked that theft to the North Korean Lazarus Group, and estimates suggest more than 70% of the stolen assets flowed through THORChain. During that laundering wave, daily volumes on the protocol reportedly pushed above $700 million, and transaction fees were estimated at between $3 million and $5.5 million.
That is not a side hustle. That is a major revenue stream.
The FTX exploiter also reportedly moved $124 million through THORChain, while the Balancer exploiter moved about $120 million. Put those together with the KelpDAO case, and the pattern is pretty hard to shrug off. THORChain keeps appearing as a preferred route for moving stolen crypto, not just as a random bystander in the background.
THORChain’s defense: neutral, permissionless, no gatekeeper
THORChain says it was modeled after Bitcoin, with a focus on permissionless access and censorship resistance. Its defenders argue that there is no single person or entity controlling the protocol, no admin key, and no 2-of-3 multisig. The network says it runs through 95 globally distributed nodes, which are meant to enforce the rules without centralized intervention.
“THORChain was modelled after Bitcoin, to be permissionless and censorship resistant.”
“There’s no single person or entity in control of the protocol. There’s no admin key.”
“There’s no 2-of-3 multisig.”
“Bitcoin is neutral because the code is neutral, and the nodes enforce it.”
“THORChain is neutral because the code is neutral, and the nodes enforce it.”
And to be fair, that defense is not nonsense. Neutral infrastructure is one of the core ideas behind decentralized systems. Bitcoin itself doesn’t ask why a transaction exists before it validates it. That neutrality is what gives it strength, resilience, and political bite.
But neutrality is not the same thing as innocence.
If a protocol repeatedly becomes a highway for stolen funds, it is completely fair to ask whether “we just move value” is an acceptable answer, or whether the ecosystem is hiding behind a philosophical slogan while criminals exploit the design at scale. Decentralization doesn’t disappear because someone points out that bad actors are using the network. It also doesn’t become a moral force field.
The enforcement side is getting more active
Not all of the KelpDAO-linked funds were left untouched. The Arbitrum Security Council froze 30,766 ETH tied to the exploit, worth around $71 million. That kind of emergency intervention can help claw back stolen assets, and for victims, it’s obviously better than watching everything vanish into the void.
There were also response efforts around the broader DeFi fallout. Lido reportedly donated 2,500 stETH, and Mantle proposed 30,000 ETH to Aave as a loan. Those moves show that parts of the crypto ecosystem can mobilize quickly when things blow up.
They also reveal a more awkward truth: when the fire starts, “decentralized” projects often rely on a fairly small circle of powerful actors, security councils, and governance bodies to stop the bleeding. That’s not automatically a bad thing. Sometimes emergency brakes are exactly what’s needed. But it does chip away at the fantasy that every DeFi system is purely autonomous and untouchable.
What this says about DeFi and crypto laundering
DeFi’s openness is both its superpower and its Achilles’ heel. The same cross-chain liquidity and fast settlement that make decentralized finance useful for regular users also make it useful for thieves looking to launder stolen crypto.
That does not mean the answer is to gut permissionless finance or pretend centralization is suddenly ethical because it’s easier to police. No thanks. Centralized chokepoints are often a scammy little paradise for gatekeepers, rent-seekers, and frozen-user nightmares. But pretending the abuse problem doesn’t exist is just as stupid.
The real question is what kind of tradeoffs the industry is willing to accept. If a protocol is truly decentralized, it may not be able to stop every suspicious transaction. If it adds controls, it may lose the very censorship resistance that made it valuable in the first place. That tension is not going away. It’s baked into the design.
THORChain is not alone in facing this dilemma, but its growing role in major exploit-linked flows makes it a particularly visible case study. The protocol may be neutral in the narrow technical sense. The market, regulators, victims, and investigators are under no obligation to treat that neutrality as a moral get-out-of-jail-free card.
Key questions and takeaways
Why is THORChain under scrutiny?
Because on-chain analysts say it has repeatedly been used to move stolen crypto from major hacks, including FTX, Bybit, Balancer, and KelpDAO.
What makes THORChain attractive to hackers?
It enables permissionless cross-chain swaps without a centralized gatekeeper, which helps thieves move funds faster and obscure the trail.
Why does Bitcoin matter in these flows?
Some stolen funds are bridged into Bitcoin, where the UTXO model can make tracing more fragmented and harder to follow across multiple hops.
Is THORChain itself being accused of stealing funds?
No. The concern is that its design and liquidity make it a preferred route for laundering stolen crypto after exploits.
Does decentralization excuse abuse?
No. Being decentralized may explain why a protocol can’t easily censor transactions, but it does not erase the reputational, ethical, or regulatory fallout.
Can emergency freezes help?
Yes, but only partly. Freezes can recover some assets, yet they can also push attackers to move faster and use even messier laundering routes.
What’s the bigger lesson here?
DeFi’s openness is powerful, but it also gives criminals a fast lane. Neutral infrastructure is not the same thing as harmless infrastructure.