THORChain is being flagged as a key route for hackers to move stolen funds

Meet the chain where hackers cash out; that’s how analysts are summing up THORChain. Fresh data again tied the protocol has dropped the debate into the light. In a post, the analyst pointed out that multiple high-profile exploits have routed funds through THORChain. Amid all the funds flowing out, the protocol continued to generate fees. 

The list of exploited funds being driven out from THORChain includes the FTX exploiter ($124 million), Bybit hacker ($1.2 billion+), and Balancer exploiter ($120 million). It also holds the name of the recent KelpDAO attack ($175 million in just 36 hours).

THORChain bags millions in fees

Data shows that THORChain reportedly generated around $910,000 in fees just from the KelpDAO incident. This exceeded its previous month’s total of $709,000. Meanwhile, the protocol has maintained a stance of neutrality, even as hundreds of millions in illicit funds pass through its rails.

According to data from Arkham Intelligence, the attacker split the stolen funds across three wallets. They were holding around 25,000 ETH (approx $57–59 million each). Only one of those wallets has actively begun laundering. Its balance dropped from 25,000 ETH to around 3,800 ETH.

A good portion of those funds has already been bridged into Bitcoin using THORChain. On-chain data shows that nearly 99% of the funds in that wallet have moved. This adds to a surge in protocol usage. Swap volume on THORChain reportedly hit $540 million in 24 hours. It helped the protocol generate about $660,000 in fees during that period.

Lookonchain reported that the KelpDAO hacker had swapped all 75,701 ETH (approx worth $175 million) through THORChain. Mantle has proposed providing 30,000 ETH (approx worth $70 million) to Aave as a loan. While Lido announces a one-time donation of 2,500 stETH (approx worth $5.8 million)

The approach from attackers looks pretty straightforward. THORChain allows cross-chain swaps without intermediaries or know-your-customer checks. This allows stolen assets to move quickly between ecosystems. It often happens from Ethereum to Bitcoin. This is where tracing becomes more fragmented due to the UTXO model. Ether price has dropped by almost 3% over the last 24 hours. ETH is trading at $2,310 at the press time.

The laundering activity picked up pace after intervention from the Arbitrum Security Council. It froze 30,766 ETH (approx $71 million) linked to the exploit. This move managed to restrict access to a portion of the funds, which required governance votes for any recovery.

THORChain defends neutrality

The freeze may have also pushed the attacker’s strategy. The exploiter began moving funds more aggressively soon after it. This highlights an ongoing tension in DeFi between intervention and decentralization. Protocol-level actions can limit damage, but they may also push attackers toward faster and more complex laundering routes.

This pattern is not new, as attackers often allow wallets to remain dormant for months before reactivating them. The delay in moving funds allows it to outlast initial tracking efforts from investigators

THORChain, in a post, stated that it was modeled after Bitcoin. This lets it be permissionless and censorship-resistant. It mentioned that there’s no single person or entity in control of the protocol, and there’s no admin key. It added that there’s no 2-of-3 multisig and there are 95 nodes spread globally that control the network.

THORChain was modelled after Bitcoin, to be permissionless and censorship resistant.

There’s no single person or entity in control of the protocol. There’s no admin key. There’s no 2-of-3 multisig. Currently, there’s 95 nodes spread globally that control the network. For the… pic.twitter.com/Za2Obrh9dO

— THORChain (@THORChain) April 21, 2026

The protocol stated that Bitcoin is neutral because the code is neutral, and the nodes enforce it. Similarly, THORChain is neutral because the code is neutral, and the nodes enforce it.

The protocol has been in headlines due to its large-scale exploits and fund links. This dates back to the February 2025 hack of Bybit. Attackers linked to the Lazarus Group stole roughly $1.5 billion in assets. This includes over 400,000 ETH. A major portion of those funds was laundered through THORChain. 

It is estimated that over 70% of the stolen assets flowed through the protocol. It led the protocol’s daily volumes to exceed $700 million at that time. The massive laundering activity generated over $3 million to $5.5 million in transaction fees for the protocol. The attackers were identified as the North Korean Lazarus Group by the FBI.

The crypto card with no spending limits. Get 3% cashback and instant mobile payments. Claim your Ether.fi card.