Hackers Launder Hundreds of Millions Through THORChain

On-chain analysis shows multiple high-profile exploits routed stolen cryptocurrency through THORChain, enabling rapid swaps between blockchains while the network collected millions in fees.

Data tied to the recent KelpDAO exploit indicates 75,701 ETH-about $175 million-was moved through THORChain. The protocol collected roughly $910,000 in fees from that activity, exceeding its prior monthly fee total of $709,000. The stolen funds were split across three wallets of about 25,000 ETH each; one wallet’s balance fell to about 3,800 ETH after on-chain transfers, and a substantial portion of the moved funds were bridged into Bitcoin via THORChain.

Swap volume on THORChain reached roughly $540 million in a 24-hour period connected to the activity, generating about $660,000 in fees during that window. Other incidents previously routed through the protocol include roughly $124 million tied to the FTX exploiter, about $120 million from a Balancer exploit, and a February 2025 hack of the Bybit platform that involved approximately $1.5 billion in stolen assets, including more than 400,000 ETH. Analysts estimated that over 70% of the Bybit proceeds passed through THORChain, driving daily volumes above $700 million and producing transaction fees estimated between $3 million and $5.5 million at that time.

Network actions also affected flows. The Arbitrum Security Council froze 30,766 ETH-about $71 million-linked to the exploit. After that intervention, the exploiter increased transfers through alternative routes and used THORChain to bridge assets into Bitcoin. Tracing becomes more fragmented when funds move from account-based chains such as Ethereum into Bitcoin’s UTXO system, which makes on-chain investigation more complex.

THORChain posted that it was modeled after Bitcoin to be permissionless and censorship-resistant. The protocol stated there is no single person or entity in control, no admin key and no 2-of-3 multisig, and that 95 nodes distributed globally currently operate the network. The protocol described neutrality as arising from its code and node enforcement rather than from centralized control.

Responses from the wider crypto community included a proposed 30,000 ETH loan to Aave and a one-time donation of 2,500 stETH from another project to support remediation. Exchanges, security councils and on-chain investigators monitored the movement of funds.

Moving funds from account-based chains into Bitcoin can fragment traces and slow tracking. Ether’s price fell by about 3% in the 24 hours following the exploit activity, trading near $2,310 at one reported point.

THORChain has been involved in multiple large-scale fund movements and collected significant fees as stolen assets passed through its cross-chain rails.