THORChain Hit by $10M Exploit: Investigator ZachXBT Links Attack to North Korea

Cross-chain liquidity protocol THORChain has reportedly been exploited for $10 million worth of cryptocurrency, according to investigator ZachXBT. In a post on his Telegram channel, ZachXBT revealed that fund movements suggest the protocol was likely targeted in an exploit.

In response, THORChain has paused its trading activity. As of now, neither THORChain’s official X account nor the account of its founder, John-Paul Thorbjornsen, has commented on the incident.

ZachXBT identified three theft addresses associated with the exploit:

• bc1ql4u94klk265lnfur2ujk9p6uh52f2a8jhf6f37
• 0x82fc0d5150f3548027e971ec04c065f3c93154eb
• 0xd477b69551f49c0519f9b18c55030676138890bd

ZachXBT’s findings were accompanied by a screenshot from THORChain’s developer Discord. Initially, he reported that approximately $7 million was stolen, but later updated the figure to $10 million.

While ZachXBT described the incident as a “likely” exploit, multiple crypto security firms have since confirmed the attack. PeckShieldAlert, a crypto security analyst, reported that the attacker stole $3 million worth of bitcoin and roughly $7 million in other cryptocurrencies from BNBChain, Ethereum, and Base.

Another investigator, tanuki42, claimed that the exploiter’s gas funds were supplied by the bridging protocol Wagyu xyz.

The exact cause of the exploit remains unclear.

THORChain’s Controversial Ties to North Korea

Earlier this week, crypto researcher meow mfer alleged that THORSwap, described by THORChain as its “leading multi-chain decentralized exchange aggregator,” hired a suspected North Korean IT worker. Meow mfer claimed the individual had three merged pull requests in the official swapkit/SwapKit repository, which powers THORSwap’s cross-chain swap infrastructure.

The researcher also noted that the individual was involved in building wallet integration code for THORSwap and possessed tools used for MEV extraction and concealment, commonly associated with North Korean operations.

Last year, THORSwap offered a bounty after Thorbjornsen’s personal wallet was drained of $1.2 million in crypto assets.

ZachXBT attributed the recent exploit to North Korea, stating:

"JP is one of the people whose has greatly benefited financially from the laundering of DPRK hacks/exploits."

He added:

"So it’s a bit poetic he got rekt here by DPRK."

ZachXBT’s tweet on September 12, 2025, linked the exploit to North Korea, referencing Thorbjornsen’s compromised private wallet due to a fake meeting scam.

Funds stolen in North Korea are often laundered through THORChain and its founders’ affiliated services, resulting in significant profits for the protocol.