THORChain DEX aggregator THORSwap has made a series of repeated bounty offers to the exploiter of a user's personal wallet over the past few days, with the victim likely to be THORChain founder John-Paul Thorbjornsen, according to ZachXBT.
"Bounty offer: Return $THOR for reward. Contact contact @ thorswap.finance or THORSwap discord for OTC deal," the latest onchain message to the hacker on Friday morning reads. "No legal action will be taken if returned within 72 hours."
Blockchain security company PeckShield flagged the messages on X, initially suggesting the THORChain protocol itself had suffered an exploit of around $1.2 million. However, after clarification from the THORChain team, that post was corrected to confirm that a user's personal wallet had been exploited. "This incident involved a user's personal wallet being exploited, and is not related to THORChain," the project said. "This is just a bounty requesting for return of stolen assets. No protocol (thorchain or thorswap) were exploited," THORSwap CEO "Paper X" added.
Responding to PeckShield's post on X, onchain sleuth ZachXBT said the exploited wallet likely belongs to THORChain founder John-Paul Thorbjornsen, who had a personal wallet drained for $1.35 million by North Korean hackers on Tuesday.
The source of the attack came via a message from the hacked Telegram account of a friend of the THORChain founder containing a fake Zoom meeting link, Thorbjornsen acknowledged earlier this week. "Ok so this attack finally manifested itself," he followed up on Tuesday. "Had an old MetaMask cleaned out."
Thorbjornsen said the MetaMask wallet was only in another logged-out Chrome profile with its key stored in iCloud Keychain, yet attackers likely accessed one or both via a 0-day exploit — reinforcing his view that threshold signature wallets, which split key shares across devices, are the only real protection.
According to ZachXBT, the attacker stole approximately $1.03 million in Kyber Network tokens and $320,000 in THORSwap tokens. The theft address sent funds to the same "Exploiter 6" address that the onchain bounty messages were sent to. The majority of the stolen funds, matching PeckShield's $1.2 million figure, currently sit at an address beginning "0x7Ab," seemingly swapped to ETH, ZachXBT noted on his official Telegram channel.
The Block reached out to Thorbjornsen for comment.