John-Paul Thorbjornsen fell victim to phishing and lost access to his personal wallet

THORChain founder loses $1,2 million: hackers did their best

19.09.2025

332

3 min

On September 12, media reports appeared about the hacking of the THORChain protocol and the DEX aggregator THORswap. Suspicious transactions did indeed take place, but the projects were not victims of an attack. GetBlock AML Research explains who actually fell victim to the hackers.

Personal wallet hacked

The personal crypto wallet of one of THORChain’s co-founders was attacked. The victim of the hackers is believed to be John-Paul Thorbjornsen. As a result, the attackers managed to steal more than $1,2 million. However, the THORChain protocol itself stated that the network is operating normally, and the attack did not affect its infrastructure. The hackers used an anonymous service to obtain initial liquidity, after which they conducted their first transactions through the THORChain network.

Immediately after the incident, several offers were made from the address associated with the victim to pay a reward for the return of the stolen assets. However, there was no response from the attackers.

Offer to return stolen assets sent to hackers

Phishing via phone call

It is known that the attack took place during a fake call in the messenger organized by hackers. As a result, unauthorized access to the victim’s wallet was gained, and the funds were transferred to the attackers’ address.

The hackers began actively moving the stolen assets on September 9. First, more than 6,2 million THORChain tokens were withdrawn from the hacked wallet. Almost immediately after that, they were transferred to another address marked as phishing.

During the same day, the attackers carried out several more transactions. In total, they moved more than 6,3 million tokens in several operations and sent another 1,25 million tokens to a separate address. The largest portion of the stolen assets — more than 2,7 million tokens — ended up on the Kyber protocol, likely for exchange and to conceal the source.

Later, some of the funds were converted to ETH. In total, more than 1600 ETH were received, which were distributed among 161 wallets (approximately 10 ETH each). Some of these addresses have already transferred funds through the Tornado Cash service.

Visualization: MistTrack

Connection between the attackers’ address and Tornado Cash

At present, most of the stolen assets — about $1,2 million — continue to be stored at one of the addresses controlled by the attackers.

Subscribe to Getblock Magazine and stay up to date with the latest news from the world of cryptocurrencies and the digital economy