THORChain Co-Founder JP Thor Loses $1.3M in Hack

September 12, 2025 – THORChain co-founder JP Thor has lost about $1.3 million in a targeted hack, only months after publicly defending North Korea’s state-backed hackers as “sovereign actors.” Investigators believe the Lazarus Group may be behind the attack, which drained Thor’s personal MetaMask wallet on September 10.

Thor said on X (formerly Twitter) that the breach began when a friend’s Telegram account was hijacked. He received a phishing link disguised as a Zoom invite, which led to a deepfake video call. Attackers used an unpatched browser exploit to steal encrypted iCloud data and keychain credentials without alerting him. His multi-signature Vultisig wallets stayed secure; only a single key share was exposed.

A Deepfake and Zero-Day Breach

In a twist laced with dark irony, THORChain co-founder JP Thor who recently defended North Korea’s state-backed hackers as exercising “sovereign rights” has fallen prey to what experts believe is a Lazarus Group attack. On September 10, hackers drained about $1.3 million from Thor’s personal MetaMask wallet through a targeted social engineering scam.

Investigators say the assault used a deepfake Zoom call and a phishing link sent from a hijacked Telegram account. Once Thor clicked, a browser zero-day exploit siphoned his iCloud data and keychain credentials without alerting him. “It felt like a ghost in the machine,” Thor posted on X (formerly Twitter). His multi-signature Vultisig wallets stayed safe since the breach only exposed one key.

Market Reaction and Clarifications

Initial reports from PeckShield misread the breach as a protocol exploit, briefly shaking markets. $RUNE, THORChain’s token, dipped 5% before recovering when the team clarified the event was personal. Fees on the network surged 125% in the hour after the alert, likely due to increased scrutiny or opportunistic trades. Three bounties were offered to the attacker, but none have been claimed.

Loading chart...

Past Comments Resurface

The drama deepened because of Thor’s June 2025 appearance in the documentary “How North Korea Pulled Off the World’s Biggest Robbery.” The film analyzed DPRK’s $1.5 billion Bybit hack, allegedly by Lazarus. Thor, real name John-Paul Thorbjornsen—argued in the program that exploiting loopholes was not inherently wrong. He also admitted THORChain processed $1.2 billion in stolen funds, though he denied personal gains.

Lessons on Security and Philosophy

Blockchain sleuth ZachXBT called the hack “poetic,” noting Thor had benefited indirectly from Lazarus flows before suffering similar tactics. The method—deepfakes combined with zero-day exploits mirrors the group’s past operations, including the Bangladesh Bank raid. Thor, who helped launch THORChain in 2018, now warns users to abandon single-key wallets. He said the event shows how innovation attracts predators, demanding ever-stronger defenses. Whether the breach softens or hardens his sovereignty stance remains unclear.

The Talk

Real voices. Real reactions.

KOLsMediaCommunity

These are some of @jpthor’s comments on DPRK in his recent interview, and @benbybit labeled him and Thorchain as money launderers. It’s already crazy that North Korea used your protocol to move stolen funds… but what’s even crazier is seeing l defending their activities. https://t.co/c8XVw3RAr0

Specter

@SpecterAnalyst

about 6 hours ago

@PeckShieldAlert @THORChain The wallet likely belongs to @jpthor who had a private wallet compromised due to a fake meeting scam a few days ago. JP is one of the people whose has greatly benefited financially from the laundering of DPRK hacks/exploits. So it’s a bit poetic he got rekt here by DPRK. https://t.co/T57RRJ0bbf

"#PeckShieldAlert A @thorchain user's personal wallet was exploited, resulting in a loss of ~$1.2M https://t.co/R385BRHoHu"— @

ZachXBT

@zachxbt

about 8 hours ago

🚨BREAKING: @jpthor, co-founder of THORChain & Vultisig, was scammed out of ~$1.3M in a fake conference call by North Korean hackers. Ironically, as @zachxbt notes, those same hackers have used his projects to move stolen funds. What do you think about this?👇 https://t.co/QpqGTXfGqI

cryptothedoggy

@cryptothedoggy

about 5 hours ago