On April 18, 2026, Kelp DAO suffered a $290 million theft. Arbitrum froze more than 30,000 ETH in the hacker's account in time, and the DeFi United alliance launched a rescue plan and covered the bad debts. One overlooked detail is chilling, however: the hacker still exchanged the remaining 75,701 ETH (approximately $175 million) for native Bitcoin through THORChain, completely escaping the monitoring of the Ethereum ecosystem. This is not an isolated incident. THORChain has quietly emerged as the "ultimate hub" for hacker money laundering: from the FTX exploiters and the Bybit hackers to the Balancer exploiters, the top attackers of recent years have used it as their final withdrawal route. When traditional interception and freezing mechanisms are helpless against native cross-chain technology, this cross-chain giant, which describes itself as "permissionless, with no wrapped assets," has become a "free channel" for hacker funds even as it brings about a liquidity revolution.
The migration of hackers' money laundering routes did not happen overnight; it is an iterative evolution under continuous regulatory crackdowns. The core trajectory is clear: "Tornado Cash → Sinbad.io → Brief return to Tornado Cash → Massive shift to THORChain". It all started when the US Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned Tornado Cash in August 2022. At that time, the protocol was identified as an "illegal financial tool" that had facilitated more than $7 billion in money laundering, including stolen funds from the North Korean Lazarus Group. The sanctions made it illegal for US citizens or entities to interact with the protocol. After the sanctions, the Lazarus Group quickly shifted to the Bitcoin mixer Sinbad.io, only to suffer a blow in November 2023 when the platform was shut down by US authorities. With no other choice, they briefly returned to Tornado Cash in early 2024; after all, this decentralized smart contract protocol cannot be physically shut down.
The real turning point came in 2025, when Bybit suffered the largest cryptocurrency theft in history, amounting to $1.4 billion. THORChain was used on an unprecedented scale and became the Lazarus Group's core money laundering infrastructure: approximately $1.2 billion (85% of the stolen funds) flowed through the network. It is worth noting that in March 2025 the U.S. Department of the Treasury officially lifted sanctions on Tornado Cash, after a court determined that OFAC had no authority to sanction immutable smart contracts. By then, however, hackers had already established a more efficient money laundering pipeline on THORChain, and Tornado Cash had been completely replaced. The rise of THORChain is not only a natural result of regulatory crackdowns on other money laundering tools; it also stems from the protocol's inherent architectural characteristics, which make it the "optimal choice" for hackers.
Examining seven major hacking cases from 2023 to 2026 shows clearly how THORChain's role has evolved: in the early Atomic Wallet and FTX cases, it was merely one of several tools used by the hackers; by the time of the Bybit case, it had become the main channel, handling 85% of the laundered funds. At the same time, hackers' operational strategies have become increasingly sophisticated, evolving from a three-stage attack-dormancy-resurgence approach to the efficient model seen in the Kelp DAO case, in which the attack and the money laundering start simultaneously. The exploiters of the Balancer vulnerability even twice adopted a five-month dormancy period to evade tracking. More concerning is that THORChain recently announced its intention to integrate ZCash for native exchange, and that its Monero integration is nearing completion. This means that hackers will be able to go beyond ETH→BTC and swap onward into privacy coins such as ZEC or XMR, completely severing the on-chain trail and making regulatory tracking even more challenging.
The core reason THORChain has become a "natural breeding ground" for money laundering lies in its unique technical architecture, which, from positioning to mechanism, fits the needs of illegal fund transfers. It is an independent layer-1 blockchain built on the Cosmos SDK, and its core positioning is as a "cross-chain version of Uniswap". Unlike ordinary cross-chain bridges, however, it implements "native asset exchange": there is no need to wrap BTC into WBTC or ETH into synthetic tokens, and users exchange the real assets directly, without intermediaries or trust dependencies at any point in the process. This allows funds to flow easily between different chains, cutting off the tracking chain.
In the protocol's core operational mechanism, the native token RUNE plays the role of a universal hub. Every liquidity pool in the protocol pairs "a certain asset + RUNE" and maintains a 1:1 value ratio. A cross-chain exchange is in essence two steps: the asset is first exchanged for RUNE, and the RUNE is then exchanged for the target asset, which further conceals the underlying operations. THORChain also uses threshold signatures and node rotation to ensure decentralization, so that no single node can control funds. The "streaming swap" function launched in 2023 has become a "weapon" for hackers: it automatically splits large amounts of illegal funds into multiple sub-transactions and executes them in a dispersed manner, reducing price slippage and concealing the flow of funds. This is more efficient than distributing the funds manually.
On closer analysis, the massive shift of hackers towards THORChain stems from six structural reasons, each of which strikes at a weak link in regulation and in the industry. First, the no-KYC, permissionless, no-blacklist design is closely aligned with THORChain's positioning as an "anti-censorship infrastructure". Technically, it does not restrict the use of any wallet address, and unlike Tornado Cash, which was designed for "dedicated coin mixing anonymity", it aims to "solve cross-chain liquidity", which makes it a less obvious regulatory target. Second, the native cross-chain capability can completely interrupt transaction tracking. After ETH is exchanged for BTC, the transaction histories sit on two independent blockchains and cannot be linked natively; the connection can only be inferred through heuristic methods. This is an advantage that coin mixers cannot offer.
Third, the liquidity is large enough: with billions of dollars locked during peak periods, a single exchange of tens of millions of dollars does not produce significant slippage and so avoids being flagged as an abnormal transaction by monitoring systems. Small decentralized exchanges, by contrast, tend to leave traces because of insufficient liquidity. Fourth, incomplete decentralization creates a "grey area": some node operators have disclosed their identities and reside in strictly regulated regions, yet refuse to block illegal addresses on the grounds of "decentralization". This not only facilitates use by hackers but also allows the operators to shirk legal responsibility. Fifth, regulatory crackdowns work like a game of whack-a-mole, continuously pushing money laundering demand to the next available tool. THORChain, as the largest and most liquid permissionless cross-chain protocol, naturally becomes the preferred choice. Sixth, the economic incentives of node operators amount to tacit approval: every exchange, including those of illegal funds, generates transaction fees. The circulation of the stolen Bybit funds brought in millions of dollars in revenue, and this incentive makes node operators reluctant to actively block illegal funds.
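The second reason above notes that a swap from ETH to BTC can only be linked across the two chains heuristically. The following added example (not from the original article) sketches one such heuristic for an investigator: pair a deposit on one chain with a later payout on another chain whose value is slightly lower, and record how many payouts fit. The `Transfer` record, the `link_swaps` function, the six-hour window, the 3% loss bound and all sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    txid: str    # constructed placeholder, not a real transaction id
    chain: str
    ts: int      # seconds since the start of the observation window
    usd: float   # value at transfer time, as priced by the analyst

def candidates(dep, payouts, max_delay, max_loss):
    """Payouts that could plausibly be the other leg of deposit `dep`."""
    found = []
    for p in payouts:
        delay = p.ts - dep.ts
        loss = (dep.usd - p.usd) / dep.usd  # fraction lost to fees and slippage
        if p.chain != dep.chain and 0 <= delay <= max_delay and 0 <= loss <= max_loss:
            # Lower score is better: small value loss, short delay.
            found.append((loss + delay / max_delay * max_loss, p))
    return sorted(found, key=lambda c: c[0])

def link_swaps(deposits, payouts, max_delay=6 * 3600, max_loss=0.03):
    """Greedy one-to-one linking: {deposit txid: (payout txid, n_candidates)}."""
    scored = []
    for d in deposits:
        cands = candidates(d, payouts, max_delay, max_loss)
        scored += [(score, d.txid, p.txid, len(cands)) for score, p in cands]
    links, used = {}, set()
    for _, d_id, p_id, n in sorted(scored):
        if d_id not in links and p_id not in used:
            links[d_id] = (p_id, n)  # n > 1: other payouts fit too, weak evidence
            used.add(p_id)
    return links

# Constructed sample data; the thresholds above are illustrative assumptions.
DEPOSITS = [
    Transfer("eth-in-1", "ETH", 0, 1_000_000.0),
    Transfer("eth-in-2", "ETH", 600, 1_000_000.0),
    Transfer("eth-in-3", "ETH", 900, 250_000.0),
]
PAYOUTS = [
    Transfer("btc-out-1", "BTC", 1_800, 992_000.0),
    Transfer("btc-out-2", "BTC", 2_700, 990_500.0),
    Transfer("btc-out-3", "BTC", 90_000, 248_000.0),  # too late: outside the window
    Transfer("btc-out-4", "BTC", 4_000, 247_000.0),
    Transfer("eth-out-1", "ETH", 1_000, 249_000.0),   # same chain: not a cross-chain leg
]
if __name__ == "__main__":
    for dep, (pay, n) in sorted(link_swaps(DEPOSITS, PAYOUTS).items()):
        print(dep, "->", pay, "ambiguous" if n > 1 else "unique")
```

The two equal-sized deposits each fit both large payouts, so their links are marked ambiguous: the heuristic produces a lead to corroborate, not proof of a fund flow.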
Cross-chain bridges have now replaced coin mixers as the primary money laundering infrastructure for hackers, with THORChain in the dominant position. There is currently no indication that THORChain or its node operators are being investigated over incidents such as the Bybit hack, but the risk is looming: many node operators are publicly identified and reside in the United States, and if the regulatory authorities take action, they will face significant legal pressure.
THORChain now stands at the historical juncture where Tornado Cash once stood, facing a fundamental question: does decentralized financial infrastructure have the responsibility and the capability to refuse to process illegal funds from sanctioned entities? As THORChain community developers have warned, when a majority of the platform's transaction traffic consists of stolen funds from major financial thefts, this is no longer an industry issue but a national security issue. The experience of the Tornado Cash developers has already set a precedent. If THORChain's node operators do not make a choice in time, they may ultimately follow the same path. This migration of hackers' money laundering routes also sounds an alarm for the entire cryptocurrency industry: the ultimate pursuit of decentralization cannot become an "umbrella" for illegal behavior. Finding a balance between safeguarding decentralization and preventing financial risks has become a core question that the industry urgently needs to address.