THORChain Co-Founder Loses $1.3 Million in Sophisticated North Korean Crypto Hack

Highlights:

• North Korean hackers use deepfake video calls to steal millions from leading crypto executives this year.
• Hackers drained the THORChain founder’s wallet of $1.3 million after exploiting a fake Zoom meeting link.
• THORSwap has offered a bounty for the return of stolen funds with a 72-hour deadline and no legal action promised.

North Korean hackers carried out a calculated attack on THORChain’s co-founder and stole nearly $1.3 million. Blockchain security firm PeckShield first raised an alert, suggesting hackers might have compromised THORChain itself. However, project representatives quickly clarified that hackers had limited the breach to a personal wallet and left the protocol untouched.

The victim, co-founder John-Paul Thorbjornsen, confirmed the attack on X. He revealed hackers drained his personal wallet and shared screenshots of the incident. His post outlined how hackers gained entry and detailed the scale of the financial loss.

Old private keys stored in iCloud Keychain which were forgotten about and sniffed by some very enterprising actors.

Reminder: private keys stay radioactive forever. Don't use them.

Use multi-factor wallets like @vultisig (which in this case was perfectly safe).

All wallets… https://t.co/FYLnHWbUyI

— JP (@jpthor) September 12, 2025

Onchain analyst ZachXBT later confirmed that hackers stole around $1.03 million in Kyber Network assets and $320,000 in THORSwap tokens. Investigators tracked the money to an Ethereum address, where hackers exchanged it for ETH. Those reports verified that North Korean-affiliated hackers made another high-profile attack on a prominent crypto personality.

The wallet likely belongs to @jpthor who had a private wallet compromised due to a fake meeting scam a few days ago.

JP is one of the people whose has greatly benefited financially from the laundering of DPRK hacks/exploits.

So it’s a bit poetic he got rekt here by DPRK. pic.twitter.com/T57RRJ0bbf

— ZachXBT (@zachxbt) September 12, 2025

Hackers Breach THORChain Founder’s Wallet with Deepfakes and Exploits

Thorbjornsen explained that the attack began with a hacked Telegram account belonging to a trusted friend. The hacked account instructed him to attend a Zoom meeting. In the brief meeting, he was exposed to a deepfake video of his friend. The persuasive impersonation brought down his defenses, enabling attackers to execute a rogue script within minutes.

The bot silently downloaded files in his iCloud documents folder to a temporary file. This action gave attackers access to confidential data. From there, they identified his MetaMask wallet, which was linked to an inactive Chrome profile. The wallet key was stored in iCloud Keychain, a setup he had believed secure.

Hackers drained the wallet and triggered no warnings or administrator access requests. Thorbjornsen suggested they exploited an undisclosed zero-day vulnerability to extract the keys. He further noted that threshold signature wallets spreading key shares across devices might offer stronger protection against this intrusion.

This event forms part of a broader cycle of attacks on executives in the crypto industry. Hackers are more frequently using deepfakes, social engineering, and sophisticated malware. Meanwhile, security experts caution that people can no longer rely on familiar voices or faces as benchmarks of trust in online communication.

Bounty Offer to North Korean Crypto Hackers for Return of Stolen Funds

In response to the theft, THORSwap issued on-chain messages to the attacker’s wallet. The messages offered a reward if hackers returned the stolen money. They promised not to take legal action if hackers returned the assets within 72 hours. Victims increasingly use this practice as they try to negotiate and reclaim stolen assets from the attackers.

North Korean-affiliated cyber groups are still putting pressure on the industry. This year alone has already cost institutions and individuals billions of dollars in losses. Attack techniques are not limited to exchange breaches but include deepfake calls, counterfeited employment ads, and developer network intrusion.