ThorChain (RUNE)

🔴 High Risk

ThorChain (RUNE), a decentralized cross-chain liquidity protocol touted for enabling privacy-preserving native asset swaps across Bitcoin, Ethereum, and other blockchains, has emerged as a stark emblem of DeFi’s perilous collision with global anti-money laundering (AML) frameworks, particularly under intense scrutiny from Norwegian and U.S. regulators who classify it as a high-risk platform prone to illicit exploitation. The February 2025 Bybit hack—where North Korea’s Lazarus Group siphoned $1.4 billion in ETH—exposed ThorChain’s architecture as a near-perfect conduit for sanctions evasion, laundering over $900 million through 3,934 atomic swaps in mere days, with node operators pocketing $5.5 million in RUNE fees despite on-chain flags and an aborted pause vote reversal. This non-custodial model, reliant on anonymous volunteer nodes, threshold signatures, and RUNE-collateralized pools, inherently prioritizes permissionless access over transaction screening, enabling rapid obfuscation of state-sponsored cyber theft funds destined for DPRK nuclear ambitions—a blatant facilitation of money laundering that mocks U.S. Bank Secrecy Act mandates and Norway’s stringent FSA oversight. Far from a neutral tool, ThorChain’s deliberate inaction amid controversy—mirroring Tornado Cash’s sanctioned fate—underscores willful blindness driven by profit incentives, fueling regulatory backlash and potential OFAC/DOJ indictments against U.S.-based operators, while eroding DeFi’s legitimacy in jurisdictions demanding accountability over ideological decentralization. 

On February 21, 2025, North Korea’s Lazarus Group exploited a Safe Wallet vulnerability to steal $1.4 billion in ETH from the Bybit exchange. Within hours, hackers routed over $900 million through ThorChain’s cross-chain swaps, converting stolen ETH to native BTC and other assets across Ethereum, Bitcoin, BNB Chain, and more, using privacy-preserving atomic swaps paired 1:1 with RUNE tokens. ThorChain’s 100 volunteer node operators processed 3,934 bridge transactions in 115 hours—averaging $3.23 million hourly—despite on-chain flags identifying tainted funds linked to DPRK’s nuclear program.

Countries Involved

Norway, United States

February 2025 (Bybit hack occurred February 21, 2025; laundering via ThorChain reported in subsequent weeks, with peak activity by early March 2025)

RUNE, ETH, BTC (cross-chain swaps)

Money laundering, sanctions evasion, facilitation of illicit fund flows from state-sponsored cyber theft

Lazarus Group (North Korean hackers), ThorChain node operators (volunteers processing transactions), THORSwap/Asgardex/eXch (ThorChain-based DEX interfaces), Bybit exchange (victim)

No (no politically exposed persons directly identified; state actors via North Korea’s regime)

ThorChain enabled privacy-preserving cross-chain atomic swaps, converting stolen ETH to BTC and other native assets without wrapped tokens or KYC, using threshold signature schemes (TSS) for vault security and AMM pools paired 1:1 with RUNE. Node operators processed $900M+ in swaps post-Bybit $1.4B hack, earning $5.5M fees despite awareness of tainted funds flagged on-chain. This non-custodial DeFi mechanism obscured origins via decentralized liquidity pools across Bitcoin, Ethereum, BNB Chain, and others, bypassing centralized exchange AML checks. Critics highlight deliberate inaction after initial pause vote reversal, mirroring Tornado Cash mixer tactics but via swaps, allowing Lazarus to launder most proceeds rapidly. In Norway and US contexts, this exposes regulatory gaps in DeFi, where permissionless access is prioritized over transaction screening, enabling high-risk flows regulators deem illegal under AML laws like US Bank Secrecy Act equivalents. Node bonding with RUNE incentivized continuity, proving profit motive over compliance in these jurisdictions’ scrutiny.

$900 million (part of $1.4 billion Bybit hack; ThorChain handled bulk post-hack swaps by March 4, 2025)

On-chain records show Lazarus routing stolen ETH through ThorChain swaps immediately after February 21 Bybit compromise via Safe Wallet exploit. Taylor Monahan (MetaMask researcher) tracked $900M laundered, with node operators pocketing $5.5M RUNE fees from high-volume activity (e.g., $860M daily volume Feb 26). Initial node vote paused tainted swaps, but reversal—despite developer Pluto’s resignation—resumed processing, filtering only sanctioned addresses post-facto. Swaps exploited ThorChain’s cross-chain interoperability (BTC-ETH-BNB etc.), splitting flows to evade tracing, with RUNE collateral ensuring solvency but not blocking illicit use. US/Norway regulators view this as willful blindness, paralleling Tornado Cash sanctions, as operators (many US-based) prioritized decentralization over halting DPRK funds advancing nuclear programs. Volumes surged amid controversy, confirming protocol’s role in rapid obfuscation.

No direct sanctions on ThorChain yet, but US OFAC precedent from Tornado Cash looms, targeting developers/operators for Lazarus facilitation. Post-event patch filters sanctioned addresses, but too late for Bybit funds. Norway’s FSA and US agencies (FinCEN, DOJ) flagged ThorChain as high-risk DeFi pre-incident; Trump admin’s laxer stance dropped some cases (e.g., Ripple), but criminal probes against knowing enablers persist (Storm/Semenov Tornado precedent). Node operators face potential exposure despite decentralization claims; founder Thorbjornsen denies liability, citing no sanctioned wallets used. The case highlights the tension between DeFi and nation states, with calls for global AML harmonization.

ThorChain (RUNE)
Case Title / Operation Name: ThorChain RUNE
Country(s) Involved: Norway, United States
Platform / Exchange Used: ThorChain (RUNE), THORSwap, Asgardex, eXch
Cryptocurrency Involved: RUNE, ETH, BTC (cross-chain swaps)
Volume Laundered (USD est.): $900 million
Wallet Addresses / TxIDs: Lazarus Group wallets post-Bybit hack (Feb 21, 2025); 3,934 bridge txs tracked by Taylor Monahan
Method of Laundering: Privacy-preserving atomic cross-chain swaps via AMM pools (ETH→BTC→BNB etc.); TSS vaults; node operators processed tainted funds despite pause vote reversal; $5.5M RUNE fees earned
Source of Funds: $1.4B Bybit exchange hack (Safe Wallet exploit) by North Korea’s Lazarus Group, funding DPRK nuclear program
Associated Shell Companies: N/A
PEPs or Individuals Involved: No PEPs; Lazarus Group (DPRK state-sponsored); Developer “Pluto” resigned in protest
Law Enforcement / Regulatory Action: FBI IC3 confirmed Lazarus role; US OFAC scrutiny (Tornado Cash precedent); Norway FSA high-risk DeFi flag; no ThorChain sanctions yet
Year of Occurrence: 2025
Ongoing Case: Ongoing
🔴 High Risk