
Thorchain co-founder, $1.3 million in North Korea hacking

by James Carter Senior News Editor

Thorchain Co-founder Targeted in North Korean Hack – But a Deeper Story Emerges

September 12, 2025 – In a dramatic turn of events, John-Paul Thorbjornsen, co-founder of the decentralized liquidity protocol Thorchain, has been the target of a sophisticated hacking attack attributed to the notorious North Korean Lazarus Group. While Thorchain assures users that platform funds remain secure, the incident has ignited a firestorm of controversy surrounding the platform’s past dealings with illicit cryptocurrency flows, raising serious questions about ethical boundaries in the DeFi space. This is a breaking news story with significant implications for the future of cryptocurrency security and regulation. We’re following this story closely for updates – stay tuned to archyde.com for the latest.

Personal Funds Compromised, Platform Secure

Initial reports indicated a direct attack on Thorchain itself. However, the platform swiftly clarified that its company wallets were unaffected. John-Paul Thorbjornsen confirmed that the breach targeted his personal funds, specifically an older MetaMask wallet he had “completely forgotten about.” According to Thorbjornsen’s public statement on X (formerly Twitter), the hackers gained access to his encrypted iCloud + keychain, allowing them to drain the wallet. Remarkably, despite also utilizing iCloud, his multi-signature (multisig) wallets remained untouched, highlighting the importance of robust security practices.

“They had access to my encrypted entire iCloud + keychain. Ironically – only the private keys (radioactive) were vulnerable. Vultisig wallets were untouched, despite also using iCloud,” Thorbjornsen posted. This underscores a critical lesson for all cryptocurrency holders: even seemingly forgotten or less-used wallets can become targets.

The Lazarus Group and a History of Crypto Heists

The Lazarus Group, a state-sponsored hacking organization linked to North Korea, has been a persistent threat to the cryptocurrency industry for years. Known for elaborate phishing schemes and sophisticated malware, the group is believed to be responsible for some of the largest crypto heists on record. Recent activity has been particularly intense, with numerous “GoPro File events” – a term used to describe large-scale data breaches – reported in recent days. Their tactics often involve gaining access to personal devices and cloud storage to steal private keys.

Thorchain’s Controversial Past: Washing Stolen Funds?

The hack against Thorbjornsen has reopened a contentious debate about Thorchain’s past. Prominent cryptocurrency investigator ZachXBT publicly criticized the platform, alleging that Thorchain played a role in laundering funds stolen in the Bybit hack – one of the most successful cryptocurrency robberies to date. ZachXBT pointed to previous suspicions of Thorchain facilitating the laundering of stolen funds and framed the current hack as a consequence of attracting “financially profitable profits” from illicit sources.

Adding fuel to the fire, a past interview with Thorbjornsen resurfaced, in which he appeared to defend the right of North Korea to exploit security vulnerabilities to move cryptocurrencies. He stated, “[North Korea] Is the right to have sovereignty. If you can exploit security loopholes and move cryptocurrencies… It is their efforts. In my opinion, they are not in essence of doing wrong things.” He also confirmed that Thorchain had earned between $5 million and $10 million by handling funds linked to the Bybit hack.

The Ethical Dilemma of DeFi and Illicit Funds

This incident highlights a fundamental challenge facing the decentralized finance (DeFi) space: how to balance the principles of permissionless access with the need to combat financial crime. While DeFi protocols aim to be open and accessible to all, this openness can also be exploited by malicious actors. The question of whether platforms should actively screen transactions for illicit origins – and risk censorship – or remain neutral and potentially facilitate money laundering remains a hotly debated topic.

The incident also underscores the importance of robust personal security practices, including the use of hardware wallets, strong passwords, and multi-factor authentication. Even with advanced security measures in place, users must remain vigilant against phishing attacks and other social engineering tactics. The Lazarus Group’s success in compromising Thorbjornsen’s iCloud account serves as a stark reminder that even seemingly secure cloud services can be vulnerable.

As cryptocurrency detectives like ZachXBT continue to face increasing challenges in tracking and recovering stolen funds, the need for greater collaboration between law enforcement, security researchers, and the cryptocurrency industry is more critical than ever. The future of DeFi depends on building a secure and trustworthy ecosystem that can withstand the ever-evolving threats posed by sophisticated hacking groups like the Lazarus Group.
