By Key Points
- THORChain co-founder John-Paul Thorbjornsen lost $1.3 million in a personal hack.
- North Korean scammers used a video call to access iCloud-stored keys.
- ZachXBT called the attack “poetic” due to THORChain’s laundering history.
- THORSwap is offering a bounty to recover the stolen funds.
The crypto world just witnessed another high-profile security breach—this time involving one of its own key players.
John-Paul Thorbjornsen, co-founder of decentralized exchange protocol THORChain, confirmed that he lost $1.3 million in personal funds due to a THORChain hack tied to North Korean cybercriminals.
Yes, an old metamask (which I had completely forgotten about) was drained. They had access to my encrypted entire iCloud + keychain.
Ironically – only the private keys (radioactive) were vulnerable. Vultisig wallets were untouched, despite also using iCloud.
They’re safe -… pic.twitter.com/TWw7AdCgPw
— JP (@jpthor) September 12, 2025
The exploit occurred after Thorbjornsen participated in a video call with individuals who posed as legitimate contacts. Using this method, a tactic often associated with Lazarus Group, North Korea’s infamous hacker collective, the attackers managed to gain access to outdated private keys stored on his iCloud account.
JP(@jpthor), the co-founder of THORChain and Vultisig, was scammed out of ~$1.3M by North Korean hackers in a conference call scam.
Ironically, according to @zachxbt, JP and his products have benefited from helping the North Korean hackers launder funds.https://t.co/5LhhHCl9EC pic.twitter.com/EKicttwa6L
— Lookonchain (@lookonchain) September 12, 2025
Thankfully, THORChain’s protocol and company funds remain secure, according to an official statement. Only Thorbjornsen’s personal wallets were compromised, while his multisig wallets stayed protected.
But the crypto community wasn’t entirely sympathetic. In fact, the hack stirred controversy due to THORChain’s historical involvement in laundering funds from previous attacks, many of which were also linked to North Korean groups.
If you’re interested in how stablecoins are impacting other ecosystems, take a look at SEI’s price surge amid stablecoin integrations.
Crypto Karma or Coincidence?
Prominent crypto sleuth ZachXBT was one of the first to comment publicly on the breach. His take? The incident felt “a bit poetic.”
The wallet likely belongs to @jpthor who had a private wallet compromised due to a fake meeting scam a few days ago.
JP is one of the people whose has greatly benefited financially from the laundering of DPRK hacks/exploits.
So it’s a bit poetic he got rekt here by DPRK. pic.twitter.com/T57RRJ0bbf
— ZachXBT (@zachxbt) September 12, 2025
That’s because THORChain has previously been accused of helping to facilitate the movement of stolen crypto, especially from the Bybit hack, one of North Korea’s most notorious cyberattacks.
In interviews that have since resurfaced, Thorbjornsen controversially defended North Korea’s involvement in the crypto ecosystem. He stated:
“North Korea has the right to be sovereign. If they exploit security loopholes and are able to move crypto… that is their effort. They’re not inherently doing anything wrong in my opinion.”
Also in a recent documentary about the Bybit hack in an interview he defended DPRK’s right to hack/exploit teams. pic.twitter.com/nBtum0Gccq
— ZachXBT (@zachxbt) September 12, 2025
That quote hasn’t aged well, especially in the wake of this THORChain hack. Thorbjornsen also admitted that THORChain earned between $5 million and $10 million in transaction fees for processing crypto linked to the Bybit exploit.
ZachXBT took the opportunity to remind his audience of this history. And while hacks like these are typically met with concern and urgency, the sentiment this time around has been noticeably different, less panic, more irony.
Even so, THORSwap, one of the platforms built on THORChain, has offered a bounty for anyone who can help track or recover the stolen funds. But it’s unclear whether any serious effort is being made by blockchain investigators, especially considering the backstory.
For updates on other notable developments in the ecosystem, check out our full crypto news coverage.
The Ongoing Surge in THORChain Hack Tactics
The method used in this THORChain hack is not new but is growing increasingly common. North Korean-affiliated groups have been exploiting human vulnerabilities, like video calls and social engineering techniques, to access crypto wallets.
The Lazarus Group, in particular, has shifted strategies from attacking centralized exchanges to targeting individuals. In many cases, personal security practices fall short of enterprise-level protection, making founders and developers prime targets.
What’s surprising is that someone as experienced as Thorbjornsen had private keys backed up to iCloud, a move considered extremely risky by most security experts. This oversight led directly to the loss of $1.3 million in various crypto assets.
This THORChain hack incident also highlights how decentralization can sometimes leave victims isolated. Since the funds were not connected to company wallets, there is no formal liability for THORChain to investigate or reimburse the stolen funds.
What makes this worse is the potential ripple effect on public trust. Even though protocol-level funds are safe, the optics of a co-founder getting hacked by the very actors he once justified could damage THORChain’s credibility in the eyes of new users.
To see how platforms are innovating securely in DeFi, check out the new Mirror Protocol token launch and its security-first approach.
What This Means for THORChain’s Future
This THORChain hack is more than just another crypto crime—it’s a test of community resilience, security practices, and ethical accountability.
For starters, the incident could serve as a wake-up call to other crypto founders who may be lax in personal security. Multisig wallets and cold storage are critical, but the human element remains a weak link that can unravel everything.
On a broader scale, the hack may re-open conversations around protocol-level responsibility. Should decentralized platforms implement better tracking for illicit funds? Or does this violate the ethos of decentralization?
In the case of THORChain, the protocol has already faced public scrutiny for enabling the laundering of stolen crypto assets, including those tied to hostile state actors.
This recent event might lead to greater pressure on the platform to introduce safeguards, or at least publicly distance itself from controversial past statements.
For instance, Circle’s new USDC minting model is one example of how centralization can offer transparency and risk mitigation, even if it comes with trade-offs.
Meanwhile, new listings like those in Coinbase’s expanding altcoin support show how mainstream players are tightening security as they onboard new tokens.
For now, there’s no confirmation that any of the stolen funds have been recovered. And with blockchain detectives like ZachXBT expressing little sympathy, it remains to be seen how aggressively this will be pursued.
One thing is clear: the THORChain hack has exposed more than just weak security, it’s shed light on the blurred lines between decentralization, financial freedom, and ethical accountability.
What is your reaction?
