THORChain Developer Departs Amid Bybit Asset Laundering Scandal

The lead developer of the THORChain protocol, known as Pluto, has announced his departure. This move follows the cancellation of a vote regarding the blocking of transactions by the Lazarus Group hackers, involved in the recent Bybit breach.

**Moving on from THORChain**

Validators, developers, members of the community: effectively immediately, I will no longer be contributing to THORChain. I will remain available to Nine Realms as long as I am needed and to ensure an orderly hand-off of my responsibilities. It has…

— Pluto (9R) (@Pluto9r) February 27, 2025

“From this moment, I will no longer be involved in the work on THORChain,” the programmer wrote.

He added that he would remain available during the handover of responsibilities.

Commenting on Pluto’s decision, a validator under the pseudonym TCB also expressed readiness to leave if the protocol does not take measures to stop the flow of illicit funds. The node operator was one of three participants who voted for the block.

Halting a chain is an operational setting. It requires 3 node votes to be effective. 4 for be reversed. The vote was reverted within minutes. Decentralization in action.

I don’t run a node, so I don’t get to vote.

I only wrote code: https://t.co/ffB3vJGK2u

— Oleg Petrov (@ol3gpetrov) February 27, 2025

“Halting a chain is an operational setting. It requires three votes to take effect. Four to cancel. The vote was canceled within minutes. Decentralization in action,” explained THORChain developer Oleg Petrov.

Alongside Pluto and TCB, the programmer advocated for blocking the hackers’ funds. He noted that he does not operate a node and could not participate in the management decision but created the necessary code.

The Lazarus Group actively used THORChain in laundering cryptocurrency stolen from the Bybit exchange, amounting to $1.46 billion. According to Lookonchain, the hackers sent approximately 270,000 ETH worth about $605 million into the protocol.

The #Bybit hacker is laundering funds via #THORChain!

So far, the #Bybit hacker has laundered 270K $ETH($605M, 54% of the stolen funds) and still holds 229,395 $ETH($514M). pic.twitter.com/NtcKUpxsxc

— Lookonchain (@lookonchain) February 28, 2025

One commentator rightly noted that the protocol does not launder funds but merely allows them to be exchanged. Further movement of assets can be tracked, he added. 

Daily swap volumes on THORChain surged following the Bybit attack. On February 26, the figure approached $860 million, reaching $705 million the next day.

The United States Federal Bureau of Investigation confirmed Lazarus’s involvement in the exchange hack. The agency published a list of the group’s Ethereum addresses and advised crypto platforms to refrain from interacting with these wallets.

“When the overwhelming majority of your flows are stolen North Korean funds from the largest heist in human history, it becomes a national security issue and stops being a game,” wrote TCB.

In another message, the validator noted that in the current situation, one cannot count on scaling the protocol through institutional capital inflows. Institutions will not allow their money to be mixed with illicit proceeds, he emphasized.

According to DeFi Llama, TVL in THORChain’s liquidity pools fell from a December peak of ~$446 million to $186 million at the time of writing.

Earlier in February, protocol validators approved a proposal to resolve the debt crisis of ~$200 million by converting obligations into a new token.