THORChain swap volume explodes past $1B after Bybit hack

THORChain, a crosschain swap protocol, is experiencing a surge in activity following the $1.4 billion exploit of cryptocurrency exchange Bybit.

On Feb. 26, the protocol processed $859.61 million in swaps, marking its highest-ever daily volume, according to data from THORChain Explorer. The momentum continued on Feb. 27, adding $210 million (and counting), pushing total swap volume past $1 billion in under 48 hours.

THORChain enables direct asset swaps across different blockchains, such as exchanging Ether (ETH) for Bitcoin (BTC).

Swapping stolen funds for Bitcoin has been a common tactic of the North Korean state-sponsored hacking group Lazarus. Blockchain analysts have previously reported that Lazarus often converts illicitly obtained digital assets into BTC to obscure their trail.

Related: THORChain approves plan to restructure $200M debt

THORChain’s chain of criticism

The surge comes amid ongoing controversy for THORChain. In January, it paused Bitcoin and Ether lending after accumulating about $200 million in liabilities, triggering a debt restructuring plan. While lending was frozen, swaps have remained active.

THORChain core dev Nine Realms engineer “Pluto” came to the defense while advocating for responsible measures to address illicit activity. Pluto acknowledged that illicit funds have flowed through THORChain but added that the team has taken steps to help wallet and integration partners implement screening services.

THORChain’s (RUNE) cryptocurrency has climbed 36.6% in the past week, CoinGecko data shows.

Bybit hacks good actors and bad actors

Bybit has launched a website to track the laundering of its stolen funds while offering a bounty to exchanges and entities that assist in freezing them. On Feb. 27, the site listed seven good actors and one bad actor, eXch.

No-Know Your Customer (KYC) swap service eXch has drawn criticism for refusing to freeze funds tied to the Bybit hack. EXch has denied laundering funds for North Korea.

Related: From Sony to Bybit: How Lazarus Group became crypto’s supervillain

The record-breaking Bybit exploit on Feb. 21 was attributed to North Korean state-sponsored hacking group Lazarus by ZachXBT, and later confirmed by the US Federal Bureau of Investigation.

Third-party forensic investigations found that Lazarus Group stole Ether from Bybit by compromising SafeWallet credentials. Reports from Sygnia and Verichains revealed that a Safe developer’s credentials were breached, allowing attackers to deceive signers into approving a malicious transaction. 

According to Sygnia, the attack stemmed from malicious JavaScript injected into SafeWallet’s AWS infrastructure. In response, SafeWallet developers rebuilt and reconfigured their infrastructure, implemented new security measures and rotated all credentials to prevent future attacks.

Magazine: THORChain founder and his plan to ‘vampire attack’ all of DeFi