North Korean Hackers Use THORChain to Convert Stolen Funds

North Korean state-backed hackers known as the Lazarus Group have chosen THORChain as their primary platform to convert $1.4 billion in stolen Ether from Bybit. The group completed the conversion within just 10 days of the hack, moving 72% of the stolen funds through the decentralized swap protocol.
The situation has created internal conflict within THORChain's decentralized autonomous organization (DAO). Three validators voted to halt ETH trading to block the hackers, but four validators quickly overturned this decision. This governance clash exposed fundamental weaknesses in the project's DAO structure and voting mechanisms, leading to the resignation of key developer Pluto, while another developer, TCB, threatened to leave unless governance issues were addressed.
Critics point out an inconsistency in THORChain's DAO governance model. While the protocol's governance refused to intervene against the hackers, citing decentralization principles, it had previously paused its lending feature due to insolvency risks. This has led to accusations of "selective decentralization," where DAO governance intervention only occurs when it serves the protocol's financial interests, raising questions about true decentralized decision-making.
The THORChain case follows a concerning pattern in DeFi governance. Recently, TRON DAO Reserve shut down the USDD stablecoin's governance portal despite continuing to claim community-driven status. The portal was used only once before removal, with major decisions, including the USDD 2.0 launch and collateral changes, made without community input.
THORChain collected approximately $5 million in fees from processing these transactions. Blockchain investigator ZachXBT criticized Asgardex, a THORChain-based exchange, for not returning fees earned from hackers, while noting other protocols had refunded ill-gotten gains.
Some experts defend THORChain, noting it's a swap protocol rather than a mixer. Federico Paesano of Crystal Intelligence argued that the activity represents "conversion" rather than "laundering" since every swap remains fully traceable across blockchains.
The incident raises larger questions about the future of DAOs and DeFi governance. These include:
- Whether truly decentralized autonomous organizations can or should intervene against criminal activity
- How DAO governance structures balance neutrality with increasing regulatory pressure
- What innovations in DAO voting mechanisms might allow automated safeguards without compromising decentralization
- Whether DAOs need more formalized emergency response procedures for security threats
THORChain's DAO now faces potential regulatory risks that could test the limits of decentralized governance. Similar platforms like Tornado Cash and Railgun faced government action after being used by North Korean hackers. Experts warn that continued processing of illicit funds could lead to sanctions against validators, front-end services, and liquidity providers, or even legal action against DAO participants and developers who hold governance tokens.