THORChain processed $1.2 billion stolen from Bybit by the Lazarus Group and collected $5 million in fees. It refused to return them. Three validators voted to halt ETH trading — four reversed it within 30 minutes. The lead developer resigned. The KelpDAO hacker converted another $175 million into Bitcoin through the same protocol. THORChain has not been hacked — it works exactly as designed. And that is DeFi's most uncomfortable question: can a decentralized protocol be complicit if it refuses to censor funds stolen by a nation-state?

This article analyzes how THORChain has become Lazarus's primary laundering rail, why its validators refused to act, what Pluto's resignation meant, and why this case defines the future of censorship resistance in DeFi.

Editorial note: This article is for informational purposes only and does not constitute financial or legal advice. THORChain is a decentralized protocol — it has no company behind it or CEO to answer to. Censorship resistance is a design property, not a one-time human decision. The legal implications for validators and users are unresolved. Data as of April 2026.

What is THORChain and why did Lazarus choose it?

THORChain is not a bridge or a mixer. It is a decentralized liquidity protocol that enables native cross-chain swaps — real ETH for real BTC, without wrapped tokens, without an intermediary custodian, without KYC. The technical difference matters: a bridge like Wormhole issues a synthetic token (wETH on Solana) backed by custodied funds. If the custodian freezes the reserve, the synthetic token loses its value. THORChain does not work that way.

The protocol uses bilateral liquidity pools: each pool contains the native asset (BTC, ETH, AVAX) paired with RUNE, the network's native token. Liquidity providers (LPs) deposit real assets on both sides of the pool. When a user swaps ETH to BTC, the protocol executes two internal operations: ETH → RUNE in one pool, RUNE → BTC in another. The result is native BTC on the Bitcoin chain — not a token that someone can freeze.

For Lazarus, this architecture is perfect: once the stolen ETH is converted to native BTC, no entity — neither Tether, nor Circle, nor any exchange — can freeze those funds. A Bitcoin UTXO has no centralized issuer. It's like converting marked bills into melted gold bars: the trail blurs at the moment of the swap.

THORChain has ~120 validator nodes that process transactions according to the protocol's rules. They do not review the origin of funds. They have no compliance function. The system was explicitly designed not to discriminate — and that is exactly what Lazarus needed.

How did Lazarus use THORChain to launder $1.2 billion from Bybit?

On February 21, 2025, the Lazarus Group stole $1.46 billion from Bybit — the largest crypto hack in history. 85% of the funds were laundered through THORChain.

The operation was systematic: Lazarus fragmented the funds into multiple wallets, executed ETH to BTC swaps in batches to avoid depleting pool liquidity, and distributed the resulting BTC to hundreds of addresses. In one week, $605 million passed through THORChain. In total, over $1.2 billion.
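
A defender-side view of the pattern described above, as an added example that is not part of the original article: a heuristic that groups ETH→BTC swaps by the upstream wallet that funded them and flags groups that combine many swapping wallets, many payout addresses and a large total inside one time window. The record fields, thresholds and sample swaps are constructed assumptions, not THORChain data or a real analytics API.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Swap:
    ts: int           # unix seconds
    funded_by: str    # upstream wallet that funded src_wallet (from prior tracing)
    src_wallet: str   # wallet that initiated the swap
    pair: str         # e.g. "ETH->BTC"
    amount_eth: float
    dest_addr: str    # BTC payout address

# Constructed sample records (hypothetical addresses, not real transactions).
SAMPLE = [
    Swap(1_000 + i * 600, "0xROOT_A", f"0xfrag{i % 6}", "ETH->BTC", 400.0, f"bc1q_out{i}")
    for i in range(12)
] + [
    Swap(2_000, "0xROOT_B", "0xuser1", "ETH->BTC", 2.5, "bc1q_user1"),
    Swap(9_000, "0xROOT_B", "0xuser1", "ETH->BTC", 1.0, "bc1q_user1"),
    Swap(3_000, "0xROOT_C", "0xwhale", "ETH->BTC", 5_000.0, "bc1q_whale"),
]

def flag_fragmented_flows(swaps, window=86_400, min_wallets=5,
                          min_dests=10, min_total_eth=1_000.0):
    """Return {funding_root: stats} for roots whose ETH->BTC swaps inside one
    sliding window combine many source wallets, many payout addresses and a
    large total. Thresholds are illustrative assumptions."""
    by_root = defaultdict(list)
    for s in swaps:
        if s.pair == "ETH->BTC":
            by_root[s.funded_by].append(s)
    flagged = {}
    for root, items in by_root.items():
        items.sort(key=lambda s: s.ts)
        lo = 0
        for hi in range(len(items)):
            while items[hi].ts - items[lo].ts > window:
                lo += 1  # shrink the window from the left
            win = items[lo:hi + 1]
            wallets = {s.src_wallet for s in win}
            dests = {s.dest_addr for s in win}
            total = sum(s.amount_eth for s in win)
            hit = len(wallets) >= min_wallets and len(dests) >= min_dests and total >= min_total_eth
            # Keep the largest qualifying window per funding root.
            if hit and total > flagged.get(root, {}).get("total_eth", 0):
                flagged[root] = {"swaps": len(win), "wallets": len(wallets),
                                 "dests": len(dests), "total_eth": total}
    return flagged
```

On the sample, only the root whose funds were split across six wallets and paid out to twelve addresses is flagged; the single large swap and the small repeat user are not.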

THORChain collected ~$5 million in swap fees. These fees were automatically distributed among liquidity providers (LPs) and validator nodes — the people who provide capital and process transactions. There is no treasurer, no corporate account: fees flow directly to protocol participants.

When the community proposed returning the fees generated by Lazarus, the proposal failed. The technical argument: it is not possible to separate which portion of an LP's fees came from Lazarus swaps versus legitimate swaps. The philosophical argument: returning fees creates a precedent for retroactive censorship. If you return today because the FBI asks, tomorrow you return because China demands it.

Why did validators vote NOT to censor?

On February 26, 2025 — five days after the hack — three THORChain validators voted to pause ETH trading on the network and block Lazarus's flows. Four validators voted against it. The pause was reversed in 30 minutes.

The argument of those who voted NO:

  • "THORChain was built in Bitcoin's image — decentralized and censorship-resistant." If you censor today for Lazarus, tomorrow you censor by government order. The precedent destroys the thesis.
  • "We are not judges." Validators process transactions according to protocol rules. They do not have the function of deciding which transactions are legitimate. If the code allows the swap, the swap is executed.
  • "If we censor, legitimate users suffer." Pausing ETH trading affects everyone — not just Lazarus. Thousands of users with legitimate swaps are blocked.

The argument of those who voted YES:

  • "We are facilitating a nation-state to fund weapons of mass destruction." 40% of North Korea's WMD program is funded by stolen crypto.
  • "Censorship resistance does not mean active complicity." There is a difference between being unable to censor (Bitcoin) and being able to but refusing (THORChain has a pause mechanism — it simply chose not to use it).

Why are THORChain developers leaving the project?

Pluto, THORChain's unofficial lead developer, announced his resignation immediately after the vote reversal. His message was clear: he built THORChain to be censorship-resistant, not to be the laundering infrastructure for a nation-state. TCB, another core developer, indicated he would also leave if measures against illicit flows were not implemented.

The crisis revealed a fracture that goes beyond THORChain. The cypherpunk developers who designed these protocols had a vision: money free from state control, financial privacy as a right, censorship resistance as a principle. But when that principle materializes into $1.2 billion laundered for North Korea's nuclear program, the abstraction becomes a concrete consequence.

The exodus of developers has a practical implication: the people who maintain the code, who fix bugs, who design security updates — are leaving the project. THORChain operates with ~120 nodes, but the code is maintained by a few dozen developers. If the most experienced leave, the protocol loses technical capacity while processing record volumes. It's a paradox: commercial success ($800 million in volume from the KelpDAO hack) coincides with the technical hollowing out of the project.

Why did the KelpDAO hacker choose THORChain to convert $175M into Bitcoin?

As of April 21, 2026, the KelpDAO attacker had converted ~75,700 ETH (~$175 million) into Bitcoin via THORChain. This activity generated $800 million in trading volume for the protocol.

The sequence was: Arbitrum froze 30,766 ETH (~$71 million) in an attacker's wallet. The attacker responded by moving the rest — everything Arbitrum could not freeze — to Bitcoin via THORChain. Once in BTC, the funds are practically unrecoverable: Bitcoin has no freezing function, no centralized issuer, and swaps to Monero via THORChain would add an additional layer of privacy.

Lazarus's pattern in 2025-2026:

| Hack | Amount | Date | Laundered via THORChain |
| --- | --- | --- | --- |
| Bybit | $1,460 M | Feb 2025 | ~$1,200 M (85%). THORChain collected ~$5 M in fees |
| Drift Protocol | $285 M | Apr 2026 | Partial (USDC → ETH → bridges) |
| KelpDAO | $292 M | Apr 2026 | ~$175 M in ETH → BTC. $800 M in volume generated |

THORChain has become Lazarus's preferred laundering tool — not because it is compromised, but because it works exactly as promised: permissionless swaps, no KYC, no intermediary who can say "no."

How do other DEXs handle sanctioned addresses?

THORChain is not the only DEX that has faced the question of censorship. But it is the only one that actively voted NOT to censor after identifying illicit flows from a nation-state.

| Protocol | Filtering Mechanism | Censorship Level | Result |
| --- | --- | --- | --- |
| Uniswap | Frontend blocks OFAC wallets via TRM Labs | Web interface only — contracts remain open | Cosmetic censorship: anyone can use contracts directly or an alternative frontend |
| 1inch | Geo-blocking + OFAC list in API | Restricted interface + API | Direct contract access still available |
| dYdX | Geo-blocking by jurisdiction (US, UK, Canada) | Frontend + API | Geographic blocking, not by sanctioned wallet |
| THORChain | None — pause mechanism exists but validators voted not to use it | Zero censorship at protocol or interface level | $1,400 M from Lazarus processed |

The key difference: Uniswap, 1inch, and dYdX implemented censorship at the frontend level — the layer users see — while keeping smart contracts open. It's a pragmatic compromise: they formally comply with OFAC without altering the underlying protocol. A technical user can bypass the block by using the contract directly, but most do not.

THORChain rejected even that cosmetic censorship. And there is a legitimate technical argument: in THORChain, cross-chain swaps do not pass through a web frontend controlled by a company. Users interact with the node network directly through wallets like THORSwap. The protocol does not have an entity that can be forced to implement OFAC filters — or at least, that's what its defenders argue.

What legal risk do THORChain validators face?

The most relevant precedent is Tornado Cash. In August 2022, OFAC sanctioned Tornado Cash — an Ethereum mixer — for facilitating the laundering of $7 billion, including funds from Lazarus. Alexey Pertsev, one of the developers, was sentenced in May 2024 by a Dutch court to 64 months in prison for money laundering.

The difference between Tornado Cash and THORChain is significant — but not necessarily favorable for THORChain:

  • Tornado Cash had no active governance mechanism — it was an immutable contract. THORChain validators do have the ability to act and chose not to.
  • THORChain nodes receive direct compensation — they collect fees for each swap, including those from Lazarus. That establishes an economic benefit for facilitating illicit transactions.
  • OFAC has already established that DeFi protocols can be sanctioned — the "it's just code" argument lost legal force after Pertsev's conviction.

If OFAC decides to sanction THORChain, every identifiable node operator becomes a legal target. The CFTC already wants to regulate Hyperliquid — a protocol that has laundered nothing. How long will it take to look at THORChain, which has processed $1.4 billion in funds from a group the FBI has publicly identified?

Is THORChain complicit or is it simply code?

This is the question no one wants to answer — because the answer has implications for all of DeFi.

If THORChain is "just code", then it cannot be complicit. An internet router is not complicit when a criminal sends an email. A road is not complicit when a thief escapes in a car. Code has no intent. Validators execute rules defined by the protocol.

But THORChain is NOT just code. It has a pause mechanism. Validators can vote to halt trading of an asset. They held that vote and chose not to halt. That is not automatism: it is a human decision within a governance structure. If you can act and decide not to, the question of complicity is legitimate.

The most accurate analogy is not a road — it's a transfer company that sees a transaction marked "funds stolen by nation-state" in its system and decides to process it anyway because its policy says "we process everything without asking." In TradFi, that's called AML non-compliance. In DeFi, it's called "censorship resistance."

What does the THORChain case mean for censorship resistance in DeFi?

THORChain has brought to the forefront the dilemma that DeFi has avoided for years:

| Position | Argument | Consequence |
| --- | --- | --- |
| Censorship = betrayal | If you censor once, the precedent destroys neutrality. Any government can demand the same. | DeFi maintains its thesis but facilitates the laundering of billions for hostile states |
| Not censoring = complicity | Having a pause mechanism and not using it is a decision, not automatism. Validators earn fees from illicit transactions. | DeFi positions itself against the international community and attracts aggressive regulation |
| Technical solution | Application-level filters (frontend), not protocol-level. Code remains permissionless but interfaces do not show sanctioned transactions. | Cosmetic censorship that does not stop Lazarus (they use CLI, not frontends) |

The DeFi centralization article analyzes how "decentralized" infrastructure has hidden centralized points. THORChain demonstrates the inverse problem: when something IS truly decentralized, there's no one to call when it's used to fund nuclear weapons.

Financial privacy is a right. But rights have limits when they clash with national security. THORChain has taken a stance — and that stance has consequences for the entire ecosystem. If regulators decide that THORChain validators are "money transmitters" who facilitated laundering for a sanctioned state, the precedent affects every node of every permissionless protocol in the world.

The most honest thing to say: THORChain works as designed. Lazarus uses it because it works. And the fact that it works exactly as promised — without exceptions, without moral judgment, without discrimination — is simultaneously its greatest virtue and its biggest problem.
