THORChain has been called a money laundering protocol — a label no decentralized finance (DeFi) project wants

Its supporters have fended off the criticism by championing decentralization, while its critics point to recent activities that showed some of the protocol's centralized tendencies.

A decentralized protocol is supposed to be neutral, but what happens when it becomes the preferred tool for state-backed hackers to loot Web3 projects and convert their stolen cryptocurrency?

This scenario has played out with THORChain, a decentralized exchange protocol that has become a hot topic in crypto circles after the Lazarus Group, a North Korean state-backed hacking collective, used it extensively to process and convert ether (ETH) stolen from Bybit.

The hackers’ exploits began in March 2024, when they infiltrated Bybit, a major cryptocurrency exchange, and stole an enormous sum of ether, valued at around $1.4 billion at the time.

After exploiting vulnerabilities in Bybit’s hot wallet, Lazarus Group hackers began transferring the stolen ether to a new address, kicking off a three-month saga tracking their movements.

After swiftly draining the ether to a mixer, hackers began converting it to Bitcoin (BTC) via various decentralized exchanges.

While the hackers also used Uniswap and OKX DEX, THORChain became the main focus due to the sheer volume of funds passing through it.

Bybit CEO Ben Zhou said in an X post on March 4 that 72% of the stolen funds—361,255 ETH—had passed through THORChain, far surpassing activity on other DeFi services.

Over $1 billion in Ether from the Bybit theft was traced to THORChain. Source: Coldfire/Dune Analytics

A truly decentralized platform’s strength lies in its neutrality and censorship-resistance, which are foundational to blockchain’s value proposition, according to Rachel Lin, CEO of decentralized exchange SynFutures.

“The line between decentralization and responsibility can evolve with technology,” Lin told Cointelegraph. “While human intervention contradicts decentralization’s ethos, protocol-level innovations could automate safeguards against illicit activity.”

However, protocol-level changes require community consensus, which can be difficult to achieve, especially in a decentralized protocol.

Moreover, any intervention by protocol maintainers could open a can of worms, as it would imply an obligation to intervene in future cases.

Hackers also used Asgardex to swap stolen cryptocurrency and collect a portion of the protocol’s fees. Source: Yogi (Screenshot cropped by Cointelegraph for visibility)

A snapshot of Asgardex’s UI. Credit: Asgardex

Last December, hackers used mixers like Tornado Cash to try and obfuscate the stolen funds, but the US Treasury later imposed sanctions on Tornado Cash for facilitating money laundering.

However, despite the attention on THORChain, it is worth noting that the protocol is not a mixer, and the output of its smart contracts remains traceable.

Hackers finished converting their ether to Bitcoin within 10 days, showcasing the efficiency of Web3 technologies when used for malicious purposes.

After swiftly draining the ether to a mixer, hackers began converting it to Bitcoin (BTC) via various decentralized exchanges.

While the hackers also used Uniswap and OKX DEX, THORChain became the main focus due to the sheer volume of funds passing through it.

Bybit CEO Ben Zhou said in an X post on March 4 that 72% of the stolen funds—361,255 ETH—had passed through THORChain, far surpassing activity on other DeFi services.

Over $1 billion in Ether from the Bybit theft was traced to THORChain. Source: Coldfire/Dune Analytics

A truly decentralized platform’s strength lies in its neutrality and censorship-resistance, which are foundational to blockchain’s value proposition, according to Rachel Lin, CEO of decentralized exchange SynFutures.

“The line between decentralization and responsibility can evolve with technology,” Lin told Cointelegraph. “While human intervention contradicts decentralization’s ethos, protocol-level innovations could automate safeguards against illicit activity.”

However, protocol-level changes require community consensus, which can be difficult to achieve, especially in a decentralized protocol.

Moreover, any intervention by protocol maintainers could open a can of worms, as it would imply an obligation to intervene in future cases.

Hackers also used Asgardex to swap stolen cryptocurrency and collect a portion of the protocol’s fees. Source: Yogi (Screenshot cropped by Cointelegraph for visibility)

Snapshot of Asgardex's UI. Credit: Asgardex

Last December, hackers used mixers like Tornado Cash to try and obfuscate the stolen funds, but the US Treasury later imposed sanctions on Tornado Cash for facilitating money laundering.

However, despite the attention on THORChain, it is worth noting that the protocol is not a mixer, and the output of its smart contracts remains traceable.

Hackers finished converting their ether to Bitcoin within 10 days, showcasing the efficiency of Web3 technologies when used for malicious purposes.