THORSwap issues bounty offer tied to more than $1M exploit of THORChain founder's wallet

THORChain DEX aggregator THORSwap has made a series of repeated bounty offers to the exploiter of a user's personal wallet over the past few days, with the victim now confirmed to be THORChain founder John-Paul Thorbjornsen.

"Bounty offer: Return $THOR for reward. Contact contact @ thorswap.finance or THORSwap discord for OTC deal," the latest onchain message to the hacker on Friday morning reads. "No legal action will be taken if returned within 72 hours."

Blockchain security company PeckShield flagged the messages on X, initially suggesting the THORChain protocol itself had suffered an exploit of around $1.2 million. However, that post was subsequently corrected to confirm it was a user's personal wallet that had been exploited after clarification from the THORChain team. "This incident involved a user's personal wallet being exploited, and is not related to THORChain," the project said. "This is just a bounty requesting for return of stolen assets. No protocol (thorchain or thorswap) were exploited." THORSwap CEO "Paper X" added.

THORChain founder confirmed victim

Responding to PeckShield's post on X, onchain sleuth ZachXBT said the exploited wallet likely belongs to THORChain founder John-Paul Thorbjornsen, who had a personal wallet drained for $1.35 million by North Korean hackers on Tuesday.

The source of the attack came via a message from the hacked Telegram account of a friend of the THORChain founder containing a fake Zoom meeting link, Thorbjornsen acknowledged earlier this week. "Ok so this attack finally manifested itself," he followed up on Tuesday. "Had an old MetaMask cleaned out."

Thorbjornsen said the MetaMask wallet was only in another logged-out Chrome profile with its key stored in iCloud Keychain, yet attackers likely accessed one or both via a 0-day exploit — reinforcing his view that threshold signature wallets, which split key shares across devices, are the only real protection.

Thorbjornsen later confirmed to The Block that it was the same attack. "Multiple old private-key based wallets compromised by a sophisticated socially-engineered attack via Zoom links through a hacked friend's Telegram account," he said.

According to ZachXBT, the attacker stole approximately $1.03 million in Kyber Network tokens and $320,000 in THORSwap tokens. The theft address sent funds to the same "Exploiter 6" address that the onchain bounty messages were sent to. The majority of the stolen funds, matching PeckShield's $1.2 million figure, currently sit at an address beginning "0x7Ab," seemingly swapped to ETH, ZachXBT noted on his official Telegram channel.

Updated with comment from Thorbjornsen.