THORChain co-founder (JP) was hit by a $1 million wallet exploit, where the attackers (DPRK-linked) hacked JP’s friend’s Telegram and lured him into clicking a malicious link, through which they gained access to his encrypted keychains containing forgotten MetaMask keys. It was revealed that the attacker drained approximately $1.35 million worth of assets from a wallet JP had forgotten about.

ZachXBT Confirms THORChain’s Co-Founder As the Victim

Blockchain security investigator ZachXBT identified the victim as John-Paul Thorbjornsen, also known as JP, who is the co-founder of THORChain and wallet application Vultsig. According to ZachXBT, JP’s personal wallet (not the THORChain protocol itself) was hacked after he fell for a Telegram phishing arnaque involving a fake meeting and a deepfake impersonation. ZachXBT confirmé this in a reply to PeckShieldAlert’s post about THORChain’s personal wallet exploit, which claimed $1.2 million was stolen.

Eventually, JP also confirmé that he had indeed been scammed and explained the whole incident. He stated that the attackers first hacked his friend’s Telegram and then invited him to a Zoom call, where a deepfake was used to increase authenticity. JP clicked the link during the call but did not notice any suspicious commands or requests. He believes that the hackers gained access to his encrypted iCloud keychains or his Chrome profile on his Mac, where the MetaMask keys were stored. JP further added that no password request was found, and most likely the hackers were able to exploit a major security flaw.

Thorswap Issues Bounty Offer of THORChain’s Founder Wallet Exploit

THORSwap issued a series of bounty offers following the exploit of THORChain’s co-founder’s wallet. To recover the stolen funds, LookonChain flagged an on-chain message sent to the exploiter’s wallet. Logged on Etherscan, the note offered a bounty for returning the stolen THOR tokens within 72 hours, assuring that no legal action would be taken if the hackers complied and shared contact details with the THORSwap team.

Controversies Surrounding the Attack

ZachXBT further noted, around the time he discovered JP’s wallet hack, that JP and THORChain had previously profited from laundering DPRK-linked stolen cryptos, such as the $1.5 billion Bybit hack earlier in May 2025. Over 85% of Bybit’s ETH reportedly flowed through THORChain, and the network allegedly earned about $12 million in fees while enabling laundering.

ZachXBT called this event ironic, since JP himself profited from laundering tied to DPRK exploits and has now become the victim of the same exploiters from whom he had previously benefited.

Leçon apprise

The attack caused major losses to the co-founder of THORChain due to a Telegram phishing attack, and now their team is working to retrieve his $1.35 million worth of THOR tokens and return the assets to the rightful owner. Despite having gained advantages and profits from DPRK-linked hackers, JP fell into the trap of the same exploiters, an ironic twist, according to critics.

Highlighting the recent hacking incident, JP stressed that private keys grow riskier the longer they are stored and urged users not to back them up in iCloud, Google Drive, or similar services. Furthermore, he recommended two-factor authentication on a separate device to reduce exposure. By this, the lesson is learned and the wisdom has been spread throughout observers.