THORChain’s permissionless cross-chain swaps powered a record $800M+ volume surge and nearly $1M in fees as the Kelp DAO exploiter (suspected to be North Korean Lazarus Group) converted stolen Ether (ETH) to native Bitcoin (BTC) — here’s exactly how it happened and what it means for DeFi.
The Kelp DAO exploit, the largest DeFi hack of 2026 so far, didn’t end with the $292 million theft on April 18. What followed was a masterclass in cross-chain laundering that had everyone talking about THORChain.
THORChain became the talk of the town as the attacker swapped nearly all of their 75,700 ETH (worth ~$175 million) into native Bitcoin. The primary tool? THORChain. The result? THORChain’s 24-hour swap volume exploded from a typical ~$20–$35 million to $394–$800 million+, generating roughly $910,000 in platform fees, one of the protocol’s biggest revenue days ever.
This isn’t the first time the suspected Lazarus Group has turned to THORChain. On-chain analysts and security firms have repeatedly flagged the North Korean state-sponsored hacking collective’s use of the protocol for laundering in past operations. The recent KelpDAO case is simply the latest high-profile example of how THORChain’s design makes it exceptionally effective for moving large sums of illicit funds across chains without KYC or centralized choke points.
If you’ve been wondering how THORChain actually works, and why hackers keep choosing it, this deep-dive explains everything.
Let’s Start With the Basics: What Is THORChain?
THORChain is a decentralized, non-custodial cross-chain liquidity protocol, built to enable native asset swaps between blockchains — no wrapped tokens, no bridges in the traditional sense, and no centralized intermediaries.
Unlike most decentralized exchanges (DEXs) that only work within a single chain (or rely on wrapped versions of assets like wBTC), THORChain lets you swap native Bitcoin (BTC) for native Ether (ETH), native Avalanche (AVAX) for native Solana (SOL), and dozens of other pairs directly.
At its core:
- RUNE is the native token and liquidity hub for THORChain.
- Liquidity is provided in continuous liquidity pools (CLPs) where every supported asset is paired with RUNE.
- Swaps happen in two steps under the hood: Asset A → RUNE, then RUNE → Asset B. Users never have to touch or hold RUNE themselves.
This architecture, combined with a network of vaults operated by THORChain nodes, creates true cross-chain liquidity without custodians.
How THORChain Works: A Step-by-Step Breakdown
Here’s exactly how a typical ETH-to-BTC swap (the one that the KelpDAO hacker used) works on THORChain:
- The user (or in this case, the hacker) deposits the native asset into a THORChain vault.
  The hacker sends ETH to a THORChain-controlled vault address on Ethereum. No smart contract interaction on the destination chain is needed upfront.
- The THORChain network observes the deposit.
  THORChain nodes monitor every supported chain in real time. Once the deposit is confirmed (with sufficient confirmations for security), the protocol triggers the swap.
- Internal swap via RUNE pools.
  - The deposited ETH is swapped for RUNE in the ETH:RUNE liquidity pool.
  - That RUNE is then immediately swapped for BTC in the BTC:RUNE liquidity pool. This happens atomically within the protocol’s continuous liquidity model.
- Native BTC is released on the Bitcoin network.
  The output BTC is sent directly from a THORChain vault on Bitcoin to the user’s (or hacker’s) specified BTC address. The entire process is driven by swap memos — special instructions included in the deposit transaction.
- Refunds and slippage protection.
  If anything fails (e.g., extreme slippage), the protocol automatically refunds the original asset minus fees.
The beauty (and, the advantage for illicit actors) is that THORChain is fully permissionless and censorship-resistant. There’s no single entity that can freeze funds or ask for ID. Liquidity providers earn fees from every swap, which is why the protocol saw such a massive revenue spike during the laundering activity.
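Because the destination address travels in the deposit's memo, that field gives investigators a cross-chain pivot from an Ethereum deposit to the Bitcoin address that will receive the output. The added example below (not THORChain's or any analyst's own code) parses swap memos and links source wallets to the BTC destinations they requested; the memo layout FUNCTION:ASSET:DESTADDR, the function aliases, and every sample record are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed memo layout: FUNCTION:ASSET:DESTADDR[:LIMIT...], with ASSET as CHAIN.SYMBOL.
SWAP_FUNCTIONS = {"SWAP", "S", "="}  # assumed aliases for the swap function

# Constructed sample deposits (addresses and amounts are placeholders, not real data).
SAMPLE_DEPOSITS = [
    {"from": "0xSRC_A", "amount_eth": 500, "memo": "=:BTC.BTC:bc1q-example-dest-1"},
    {"from": "0xSRC_A", "amount_eth": 300, "memo": "SWAP:BTC.BTC:bc1q-example-dest-2:12345"},
    {"from": "0xSRC_B", "amount_eth": 200, "memo": "=:BTC.BTC:bc1q-example-dest-1"},
    {"from": "0xSRC_C", "amount_eth": 50, "memo": "=:AVAX.AVAX:0xEXAMPLE"},
    {"from": "0xSRC_D", "amount_eth": 10, "memo": "ADD:ETH.ETH"},  # not a swap
]

def parse_swap_memo(memo):
    """Return the requested output asset and destination, or None if not a swap memo."""
    parts = memo.strip().split(":")
    if len(parts) < 3 or parts[0].upper() not in SWAP_FUNCTIONS:
        return None
    asset, dest = parts[1].upper(), parts[2]
    if "." not in asset or not dest:
        return None  # malformed: leave for manual review rather than guessing
    return {"asset": asset, "chain": asset.split(".", 1)[0], "dest": dest}

def trace_outputs(deposits, out_chain="BTC"):
    """Map source wallet -> {destination on out_chain: total ETH deposited for it}."""
    links = defaultdict(lambda: defaultdict(int))
    for dep in deposits:
        swap = parse_swap_memo(dep["memo"])
        if swap and swap["chain"] == out_chain:
            links[dep["from"]][swap["dest"]] += dep["amount_eth"]
    return {src: dict(dests) for src, dests in links.items()}

def shared_destinations(links):
    """Destinations requested by more than one source wallet (a clustering pivot)."""
    by_dest = defaultdict(set)
    for src, dests in links.items():
        for dest in dests:
            by_dest[dest].add(src)
    return {d: sorted(s) for d, s in by_dest.items() if len(s) > 1}

if __name__ == "__main__":
    links = trace_outputs(SAMPLE_DEPOSITS)
    print(links)
    print(shared_destinations(links))
```

A destination shared by several otherwise unrelated source wallets is a strong hint that those wallets belong to the same operator, which matters when funds have been split across fresh addresses first.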
Case Study: The KelpDAO Hacker’s THORChain Laundering Route
After draining ~116,500 rsETH (valued at ~$292 million at the time) via a LayerZero bridge exploit, the attacker:
- Converted the rsETH back into ETH.
- Split ~75,700 ETH across fresh wallets.
- Began routing the funds through THORChain, Umbra, and other privacy tools.
- Successfully swapped the vast majority into native BTC across hundreds of addresses.
On-chain sleuths, including ZachXBT, Arkham Intelligence, and analysts like Specter, tracked the flows in real time. Early batches of ~$1.5 million were spotted moving ETH → BTC via THORChain, but the operation quickly scaled. Within 36 hours, nearly the entire $175 million ETH haul had been converted into BTC on Bitcoin, which cannot be frozen.
Why Did the Hacker Use THORChain?
The most straightforward answer: it offered the fastest, most private way to turn ETH into clean, native BTC that’s far easier to off-ramp or mix further. Centralized exchanges (CEXs) would have frozen the funds instantly, and traditional bridges often have delays or monitoring. THORChain’s design made the laundering process fast and decentralized.
Notably, this is not the first time the Lazarus Group or any other hackers have leveraged THORChain. The North Korean state-backed hacking collective (also referred to as TraderTraitor in some reports) has a documented history of using the protocol for large-scale laundering operations, including during the massive 2025 Bybit hack where a significant portion of stolen ETH was converted to BTC via THORChain. The KelpDAO incident follows the same playbook.
What This Means for DeFi and the Broader Crypto Ecosystem
THORChain delivered exactly what it was built for — unstoppable and borderless liquidity. On the protocol, liquidity providers (LPs) and node operators earned nearly $1 million in fees in a single day, and RUNE price jumped sharply on the volume surge.
What is concerning is the “dark side” of permissionless DeFi, which this event clearly highlighted. When protocols are truly decentralized and censorship-resistant, they inevitably become tools for both legitimate users and bad actors. The optics of a suspected nation-state hacking group generating massive revenue for a DeFi protocol are challenging for the industry.
Looking ahead, following the Kelp DAO incident:
- Regulators are already watching cross-chain protocols closely.
- Security teams and on-chain analysts are getting better at tracking these flows in real time.
- DeFi projects are under renewed pressure to improve bridge security and verification (LayerZero has already pointed to KelpDAO’s single-verifier setup as a contributing factor).
Final Thoughts
The KelpDAO hacker’s rapid laundering of $175 million through THORChain is a stark reminder of both the power and the risks of a truly decentralized infrastructure. THORChain works beautifully for what it was designed to do — but that same design makes it a preferred tool for sophisticated actors like the Lazarus Group.
For everyday users and DeFi enthusiasts, understanding how these protocols operate is now more important than ever. Whether you’re swapping assets legitimately or simply trying to stay informed about rising security threats, THORChain’s mechanics are central to the future of cross-chain finance.




