THORChain is facing scrutiny after analysts linked the protocol to major laundering flows involving stolen crypto.
The latest claims show that funds from high-profile exploits, including FTX, Bybit, Balancer, and KelpDAO, moved through its swap infrastructure.
The debate has intensified because the protocol continued earning fees while attackers shifted assets across chains.
Hackers Use THORChain to Move Exploit Proceeds
On-chain analysts say THORChain has become a common route for attackers seeking to move stolen assets without using centralized exchanges.
The protocol allows direct cross-chain swaps and does not rely on intermediaries or know-your-customer checks.
That structure helps users move assets between networks, but it also creates openings for illicit transfers.
In several cases, stolen Ether moved into Bitcoin, where tracing becomes harder because of Bitcoin’s UTXO transaction model.
THORChain Dex Vol, Source: DefiLlama
The latest concern followed the KelpDAO exploit, where the attacker reportedly swapped 75,701 ETH, worth about $175 million, through THORChain.
Arkham Intelligence data showed the funds split across three wallets, each holding about 25,000 ETH. One wallet later fell to 3,800 ETH after most assets moved out.
THORChain Earns Fees as Illicit Flows Rise
Data cited by analysts showed THORChain generated about $910,000 in fees from the KelpDAO-related activity. That figure surpassed the protocol’s prior monthly fee total of around $709,000.
The activity also lifted network usage sharply. THORChain swap volume reportedly reached $540 million within 24 hours, while fees during that period stood near $660,000.
The pattern follows earlier laundering flows. The FTX exploiter moved about $124 million through the protocol, while the Balancer exploiter was linked to around $120 million.
The Bybit attack also placed THORChain under pressure after hackers tied to North Korea’s Lazarus Group stole roughly $1.5 billion in assets, including more than 400,000 ETH.
Analysts estimated that over 70% of the Bybit stolen assets passed through THORChain. That activity pushed daily volume above $700 million and generated between $3 million and $5.5 million in transaction fees.
Protocol Defends Its Neutral Design
THORChain defended its role by arguing that it operates as a neutral infrastructure. The protocol said it was modeled after Bitcoin and runs without a central controller, admin key, or small multisig group.
It also said 95 globally distributed nodes enforce its rules. According to the protocol, its code remains neutral because nodes apply the same rules to every transaction.
However, critics argue that neutrality does not remove the policy concern. They say THORChain is becoming a preferred cash-out layer for exploiters.
The issue grew sharper after the Arbitrum Security Council froze 30,766 ETH linked to the KelpDAO exploit, worth about $71 million. Soon after, the attacker accelerated fund movements, showing the tension between decentralized access and emergency intervention.
