Welcome to the dark side of crypto’s permissionless dream

North Korea moves stolen billions

The North Korean Lazarus Group moved $1.2 billion in stolen Ethereum through the THORChain network following a massive hack of the Dubai-based Bybit exchange in February 2025. The FBI issued a public warning on February 26, 2024, urging crypto platforms to freeze accounts linked to the theft. While other exchanges complied, THORChain operators debated whether to block the transactions in a private Discord channel.

Node operators earned significant commissions from the laundering process. Internal logs show the network "extracted" $3 million in fees from the stolen funds in a single day. Jean-Paul Thorbjornsen, a prominent figure in the project, later estimated that THORChain earned between $5 million and $10 million from the heist total.

The network's design made it difficult for individual nodes to stop the flow of money without being penalized. THORChain automatically "churns" nodes every 2.5 days to maintain security. Operators who refused to validate the stolen transactions were booted from the system, while those who remained profited from the illegal volume.

The myth of decentralized control

THORChain claims to be a decentralized, permissionless network with no central leader. However, a "civil war" broke out in the developer Discord over whether to blackhole the Bybit funds. Some operators feared legal repercussions because their IP addresses were visible to law enforcement, while others argued they were not the "morality police."

The controversy centers on the "admin mimir" keys. These hard-coded keys allow specific individuals to override the network’s democratic voting system. Analysts found these keys have existed in the code for years, granting the power to pause the entire blockchain unilaterally.

Thorbjornsen claims he does not control these keys. He told investigators that he handed over his "leena" persona and administrative powers to other community members in 2021. Despite these claims, a video from Nine Realms, a developer group, explicitly named Thorbjornsen as the person who activated the keys to freeze the network.

Users lose millions in withdrawal freeze

On January 9, 2025, THORChain users discovered their accounts were frozen via a sudden administrative override. The THORFi program, which promised users "complete control" and self-custody of their assets, stopped all withdrawals. This move contradicted the project's marketing materials, which claimed only a user's private key could move their funds.

The freeze triggered a massive bank run once the network briefly reopened. Nodes eventually voted to freeze withdrawals permanently, trapping approximately $200 million in user capital. The project issued a new token called TCY (THORChain Yield) to compensate victims, but the token's value plummeted quickly.

• The TCY token currently trades at $0.16, far below its $1.00 target peg.
• Total user losses from the January 23 freeze exceed $200 million.
• THORChain's "admin mimir" keys were reportedly removed from the code only after the freeze occurred.
• Creditors have filed a lawsuit naming Thorbjornsen as a primary defendant.

Retired veterans and retail investors who viewed THORChain as a safer alternative to centralized platforms like Celsius lost their life savings. Many users expected a 1% passive yield but instead saw their native Bitcoin converted into failing ecosystem tokens. Law enforcement agencies, including the FBI and SEC, have received multiple reports from defrauded creditors.

From secret avatar to flamboyant CEO

Thorbjornsen spent years operating under the pseudonym "leena" with an AI-generated female avatar. He revealed his true identity in March 2024 as an Australian man in his mid-30s. Since then, he has adopted a high-profile persona, frequently posting videos of himself piloting a $3.5 million Aston Martin helicopter.

His background includes a rural Catholic upbringing and a stint in the Australian Air Force. He entered the crypto space in 2013 and previously launched CanYa, a decentralized marketplace that raised AU$12 million before failing in 2018. He then pivoted to the liquidity project that became THORChain.

Thorbjornsen now refers to himself as the "Chief Energy Officer" and the "master of the memes." He claims his wealth comes from early Bitcoin investments rather than THORChain's profits. However, critics point to his outsized influence over the network's social media accounts and node operators as evidence of centralization.

The irony of the North Korean hack

In a bizarre turn of events, Thorbjornsen himself became a victim of the Lazarus Group. In September, hackers used a malicious Zoom link to install remote-access software on his computer. The attackers drained his email accounts, crypto wallets, and a Bitcoin-based retirement fund.

The hack cost Thorbjornsen at least $1.2 million. On-chain sleuths like ZachXBT traced the stolen funds directly back to North Korean entities. This is the same group that used Thorbjornsen’s network to launder $1.2 billion earlier in the year.

Thorbjornsen maintains that he is just a "guy who’s had a bad year." He claims he has liquidated most of his assets due to a divorce and ongoing legal threats. He currently spends much of his time in Singapore, a jurisdiction known for its complex extradition history regarding money-laundering cases.

Global regulators increase the pressure

Governments are beginning to retaliate against the infrastructure that supports Lazarus Group operations. German authorities recently shuttered eXch, a service suspected of using THORChain to process stolen Bybit funds. Security experts argue that THORChain’s refusal to block transactions directly enabled North Korea’s laundering process.

Australia is also tightening its grip on the sector. The Department of Home Affairs confirmed that regulatory powers will expand in March 2026 to cover transfers between different types of cryptocurrency. This change aims to close the loopholes that allow "permissionless" bridges to operate without oversight.

Thorbjornsen continues to defend the protocol as "open-source infrastructure" comparable to a casino. He argues that users should expect to lose their money when participating in high-risk crypto projects. As $500 million of the Bybit funds remains unaccounted for, the pressure on THORChain’s leadership continues to mount.