The decentralized exchange (DEX) THORSwap temporarily put its interface into maintenance mode after identifying potentially illicit transactions.
Fellow THORChads,
A pressing and persistent concern has recently come to light: the potential movement of illicit funds through THORChain and, specifically, THORSwap. Such activities have no place on the THORSwap platform, and THORSwap stands firmly against any and all criminal…
— THORSwap ⚡ #BetterThanCEX (@THORSwap) October 6, 2023
“There is no place for such activity on the platform; THORSwap’s team firmly opposes any criminal actions,” the project team said.
The exchange had consulted with advisers, lawyers and law enforcement authorities beforehand.
THORSwap will remain in maintenance mode until a more permanent and reliable solution, ensuring permanent security and integrity of the platform, is implemented.
The developers took this decision after repeated reports that the FTX hacker and other criminals have been moving funds through the DEX.
Taylor Monahan, ConsenSys’s head of product, said that hackers tied to Russia and North Korea, as well as money-laundering actors, “love” THORSwap.
Welp, the hackers and money launderers—both the Russian/CIS region ones and North Korean ones—are loooooving @ThorChain lately.
In fact, in the last four months, ***more than 50%*** of the ETH -> to ThorSwap Router -> to BTC have been stolen funds. ?????
rip. pic.twitter.com/V4KscNilRA
— Tay ? (@tayvano_) October 1, 2023
According to her, in the last four months approximately 65% of ETH volumes converted to Bitcoin via the THORSwap Router were stolen funds.
According to THORChain Explorer, swap volume on the DEX rose significantly in September, reaching a record $355 million by October 5.
Monahan found about 34,583 ETH (~$57 million) allegedly linked to various hacks.
“And this is only the clearly stolen funds coming directly from thieves’ addresses. There are at least 3,300 ETH that are being laundered openly — for example, some funds came directly from Tornado Cash or Railgun,” she emphasized.
In particular, the “Accounts Drainer” from FTX transferred a total of 19,944 ETH (~$32 million), using six wallets.
Here\’s the hacks / stolen funds I identified so you can check my work:
1. FTX Accounts Drainer (Not DPRK)
Total: 19,944 ETH (~$32m)7,499 ETH in 4 Txn — 0x6e0e8dac46c3ebffd67887097dfda10d11dcbab6
4,749 ETH in 3 Txn — 0x68cc13a43da1e1ba7de3002df8a07665ea8b5f5f
3,999 ETH in 3…
— Tay ? (@tayvano_) October 1, 2023
Funds were sent to THORSwap after the hack Stake.com, which is linked to the Lazarus group from North Korea. In total, North Korean hackers transferred $21.2 million to the DEX in various digital assets.
Monahan said that cryptocurrencies related to attacks on Nirvana Finance and Atomic Wallet, as well as relatively minor hacks of private wallets, were sent to the platform.
“I am a big advocate of decentralized technologies and privacy. But many of these platforms, it seems, do not fully understand the value their product or service actually represents and for whom. It is terribly naive to pretend you are changing the world or broadening people’s opportunities if the vast majority of your ideas are used by thieves, money launderers, and authoritarian regimes,” Monahan concluded.
As a reminder, on August 8, OFAC added Tornado Cash to the sanctions list for suspected laundering of more than $7 billion in cryptocurrency. The service was used by the North Korean Lazarus Group.
Chainalysis estimates that over the platform’s lifetime, more than $3.5 billion has passed through it, of which up to $1.2 billion is directly linked to theft, hacks and other illicit operations.