Current Date: April 15, 2025

Inside North Korea’s Favorite Crypto Laundering Tool: THORChain

The Rise of Vultisig: A Crypto Wallet with a Troubling Background

John-Paul Thorbjornsen, a former Australian Air Force pilot who transitioned into the world of cryptocurrency, has recently been at the forefront of promoting his innovative crypto wallet, “Vultisig.” This wallet is built on THORChain, a blockchain that Thorbjornsen himself founded to facilitate crypto swaps without the need for intermediaries. A key selling point of Vultisig is its enhanced security features, designed to make it more resistant to hacking attempts compared to its competitors.

However, the recent uptick in activity for Vultisig and the THORChain network has raised eyebrows among security experts, who have linked this surge to a disturbing source: North Korea’s notorious Lazarus hacking group. Following a $1.4 billion hack of the crypto exchange Bybit in February, the largest cyber heist to date, THORChain has become increasingly central to North Korea’s laundering operations. Researchers have traced nearly $1.2 billion, or 85%, of the stolen funds through THORChain, making it a pivotal tool for the Kim regime in moving crypto across different blockchains.

In stark contrast to other blockchain services, the operators of THORChain have notably refused to block transactions associated with the Bybit heist, even in the face of requests from the FBI and various other government agencies. Wallets like Asgardex and Vultisig, which are commonly used by the public to transact on THORChain, have similarly remained unyielding in their stance.

According to estimates from blockchain security researchers who shared insights with CoinDesk, the primary wallet developers and validators associated with THORChain — many of whom are publicly identified and based in regions with stringent anti-money-laundering laws, including the United States — have reportedly earned over $12 million in transaction fees linked to this monumental heist. Thorbjornsen, who is more commonly known as JP Thor, asserts that he no longer plays an active role in the daily operations of THORChain, yet he continues to be its most prominent spokesperson. “The protocol is functioning and executing swaps despite the surrounding chaos,” he stated confidently to CoinDesk. “In fact, it’s thriving.”

Legal Implications and the Nature of Decentralization

The U.S. Office of Foreign Assets Control (OFAC) has previously sanctioned blockchain services that have been implicated in money laundering activities, such as the mixer app Tornado Cash, which was delisted following a court ruling, and Bitzlato, an exchange that faced legal repercussions. This raises significant questions for legal experts and the crypto community regarding whether THORChain, as a layer-1 blockchain, should be treated differently compared to these other services. This dilemma touches on a fundamental debate that confronts virtually all crypto platforms: the true level of decentralization.

Critics argue that THORChain does not embody decentralization to the same extent as well-established blockchains like Bitcoin and Ethereum, which have received comparatively less scrutiny for facilitating illicit transactions. “Supporters of THORChain claim it’s decentralized when it serves their interests, yet they profit from this Bybit hack,” stated blockchain security researcher Taylor Monahan. “It presents a very troubling image.”

Furthermore, the transaction fees generated by THORChain, particularly those accrued by its wallet applications maintained by smaller development teams, complicate the defense of the network’s legitimacy. According to a former official from the U.S. Treasury Department, “Anyone profiting from the fees related to the movement of stolen funds, which have been publicly linked to Lazarus and North Korea, may face OFAC issues.”

Even some of THORChain’s staunchest advocates have expressed growing concern. A developer known as “TCB” on X cautioned, “When the vast majority of your transaction flows originate from stolen funds linked to North Korea, this evolves into a national security concern. This is no longer just a game.”

The Bybit Hack: A Turning Point

The hack of Bybit in February was unprecedented, even by the standards of the Lazarus group — the elite North Korean cyber unit responsible for some of the largest crypto heists in the past decade. This breach occurred when Bybit’s founder was tricked into interacting with a compromised website, granting the hackers access to critical Ethereum wallets, resulting in the theft of $1.4 billion worth of ether (ETH).

Following the heist, North Korea’s seasoned launderers immediately began dispersing their record-smashing haul across a series of new crypto wallets — a strategic first step in a complex process aimed at converting illicit crypto into clean cash. “The Democratic People’s Republic of Korea (DPRK) employs advanced technical methods to launder cryptocurrency,” explained Andrew Fierman, the head of national security intelligence at Chainalysis. Their process involves routing the funds through numerous intermediary wallets and utilizing cross-chain bridges to move the stolen assets across various cryptocurrencies, including Bitcoin, Ethereum, Tron, Solana, and others.

THORChain played a crucial role in this bridging phase, serving as a conduit for swapping tokens across different blockchains, often repeatedly, to obfuscate the trail for investigators. “Before THORChain’s existence, there was no feasible way to swap from Ethereum to Bitcoin without the risk of being frozen,” remarked Monahan, a security researcher at MetaMask.

Regulatory Challenges and Community Response

In the immediate aftermath of the Bybit hack, THORChain experienced an unprecedented daily swap volume exceeding $529 million — its highest trading day ever, according to data from DeFiLlama. This surge in activity continued for several days, generating millions of dollars in fees for THORChain’s validators, liquidity providers, and wallet services.

On February 27, following the Bybit hack, the FBI issued a warning, disseminating a list of blockchain addresses linked to the DPRK and urging “private sector entities including RPC node operators, exchanges, bridges, blockchain analytics firms, DeFi services, and other virtual asset service providers to block transactions with or derived from these addresses.” By this time, many of the other crypto tools utilized by North Korea’s money launderers had already begun to restrict activities associated with the heist.

Tether, the largest stablecoin operator, froze $9 million linked to the hack, while Mantle, a layer-2 blockchain associated with Ethereum, froze an additional $41 million. One platform, a decentralized exchange operated by OKX, even paused its services entirely.

For a brief moment, it seemed that THORChain might also take similar action. In response to the FBI’s notice, a group of THORChain validators coordinated to halt Ethereum swaps on the protocol, a move intended to curb the outflow of illicit funds. However, this pause lasted only 30 minutes before it was rolled back due to significant community backlash.

“There is no definitive proof, nor can there be, that any signed and propagated transaction can be traced to a specific geographical location,” Thorbjornsen stated to CoinDesk, arguing that any alleged connections between THORChain and North Korea are merely speculative, given that users are not mandated to register their identities.

The reversal of the pause proved to be a pivotal moment for some in the THORChain community. “Effective immediately, I will no longer be contributing to THORChain,” the protocol’s lead developer, known as “Pluto,” announced in a post on X.

The Debate on Decentralization Continues

Thorbjornsen and his supporters maintain that THORChain should be regarded as a decentralized protocol, akin to Bitcoin or Ethereum, both of which did not block transactions following the Bybit hack. They point to a community of over 100 validators — computers tasked with verifying transactions — as evidence that no single entity exerts control over the system.

THORChain’s governance model is built around these validators, who stake the network’s native RUNE token to engage in consensus and reap rewards. In theory, significant protocol decisions require the endorsement of a supermajority of these validators, creating a distributed power structure that is resistant to centralized control.

Critics, however, argue that the network’s decentralization is overstated. For instance, in January, a single developer was able to pause the network during a liquidity crisis — a decision that should have necessitated consensus among validators if the system were genuinely decentralized. In previous instances where THORChain was implicated in North Korean laundering operations, “we were told they had no capacity to intervene regarding the illicit funds,” Monahan recounted. “Throughout that time, JP maintained a single private key that granted him control over the entire system.”

Thorbjornsen acknowledges that the chain was paused by an administrative keyholder at a critical juncture when THORChain was facing what he termed an “existential” threat. He clarified that the pause was initiated by a keyholder using the pseudonym “Leena.” Thorbjornsen established the Leena account early in THORChain’s development to protect his identity, but he asserts that it is no longer solely under his control, stating that someone else acted in accordance with acceptable security protocols to pause the chain.

For Thorbjornsen, the ongoing debate over admin key control misses the larger picture. “In Bitcoin’s early years, one could easily argue that it was entirely centralized,” he shared with CoinDesk, referencing an instance in 2010 when Satoshi upgraded the original blockchain to rectify a significant bug. “Decentralization is a gradual process that is earned over time through real-world application and proving its resilience,” he continued. “Events like the pause and subsequent unpause are all part of the journey toward decentralization.”

Vultisig’s Future and Continued Controversy

As of March 1, THORChain recorded its most significant trading day following the Bybit heist, surpassing $1 billion in swaps — a volume that would typically take the network an entire month to achieve. This surge translated into substantial earnings for THORChain’s infrastructure providers, including wallet services and validators who take a percentage of each transaction.

According to the blockchain forensics firm Chainalysis, THORChain node operators have accrued at least $12 million in fees tied to the Bybit heist, a figure the firm describes as “conservative.” Legal experts caution that these fees could ultimately pose significant legal challenges for THORChain’s operators. A former U.S. Treasury Department official highlighted the importance of determining “who is profiting: Is it a concentrated group of individuals, and is it evident that the funds are derived from bad actors?”

Wallet applications like Vultisig and Asgardex have come under particular scrutiny from legal and security experts, as “frontend” applications used to interact with blockchains are generally regarded as more centralized than the blockchains themselves. Asgardex, one of the more widely-used THORChain wallets, reportedly earned $1 million from transactions linked to the Bybit hack, according to Monahan. “The appeal of using Asgardex over other THORChain wallets lies in the desire for anonymity — users want to avoid tracking or filtering,” Thorbjornsen explained, although he asserts that he no longer has any operational or financial ties to Asgardex, which is open-source and could theoretically be modified by its users to operate without fees.

Nonetheless, he has actively promoted Vultisig, his newly launched hack-resistant wallet on the THORChain network. On March 20, Thorbjornsen proudly announced on X that the app had reached new heights in user engagement: “Vultisig swaps have generated $200k in revenue so far!” However, crypto investigator ZachXBT pointed out in response that “a significant portion of that revenue is being derived from the Bybit hack.” He noted, “Vultisig itself is not a blockchain; it operates a centralized interface for users to engage with protocols for a fee.”

Looking ahead, Vultisig is set to launch its official crypto token, VULT, on April 16. This token will be distributed for free to some of the wallet’s most dedicated users, indicating Thorbjornsen’s ongoing commitment to engaging and expanding his user base despite the surrounding controversies.
