Crypto
Mar 7, 2025
While a hack grabs headlines, what’s transpiring within the crypto industry right now is far more interesting from a (self) regulatory perspective. Last weekend, North Korea’s state-sponsored hacking group Lazarus stole a record-breaking $1.5B USD in ETH from Bybit. What happened next was a real-world stress test for the industry, and for decentralised protocols in particular, and the results were revealing. As expected, hackers swiftly sought to launder stolen funds through key ecosystem points, i.e. exchanges, mixers, bridges, and swapping protocols. While some operators immediately responded to Bybit’s emergency, others refused, citing “decentralisation.”
Two leading cross-chain AMMs demonstrated polar opposite responses. Chainflip stepped up early and shut Lazarus down, refusing to facilitate what is not merely a monumental theft event, but a matter of national security and geopolitical significance. Meanwhile, THORChain did the opposite, becoming a highway for illicit fund movement, pocketing millions in fees along the way. This incident wasn’t just a case study in crypto security—it was a wake-up call for how the ecosystem, and in particular DeFi protocols, must balance decentralisation, compliance, and operational responsibility.
Funds Stolen: What Next?
The moment a hack occurs, it becomes a race—hackers vs. fund chasers. In Bybit’s case, within seconds of the $1.5 billion exploit, Lazarus had already begun moving stolen ETH, taking advantage of infrastructure designed for speed, anonymity, and liquidity. Their strategy follows a well-worn path: funds are quickly routed through DEXs and swapping protocols to break traceability, then funnelled across cross-chain bridges to escape the visibility of on-chain analytics tools. Some assets are mixed using privacy tools like Tornado Cash, while others are moved to CEXs with weak compliance controls, where they can be converted into fiat or other crypto assets before disappearing entirely. These ecosystem nexus points—CEXs, DEXs, bridges, and mixers—represent the last real opportunities for stolen funds to be frozen or intercepted. If fund chasers don’t reach these points first, recovery becomes nearly impossible.
What Chainflip Did
Chainflip responded swiftly to the Lazarus hack, taking proactive measures to prevent their protocol from becoming a laundering route. Initially they disabled ETH swaps to block laundering attempts, but when Lazarus pivoted to USDC and BTC, they took the drastic step of shutting down all swaps entirely. While unpopular at the time, this decision ensured that no assets could be moved through Chainflip, effectively locking out an escape route for stolen funds. Acting fast, Chainflip alerted their liquidity providers, urging them to pull liquidity from the platform—a move that successfully prevented Lazarus from swapping and escaping with volume. They also implemented broker-level screening tools for network participants to flag and communicate suspicious transactions. Chainflip faced criticism for not being “fully decentralized,” but in reality, “no protocol is completely decentralized at this stage,” Shaun Janse van Vurren, Head of Communications at Chainflip, said when we asked him about it. Chainflip defended its actions, emphasizing the need for responsible intervention in extraordinary situations;

Shaun hits the nail on the head. This isn’t just a hack. The stolen funds represent 5% of North Korea’s GDP. This is state-sponsored cybercrime involving theft of funds that will inevitably go to fund nuclear and military programs for a highly militarized, authoritarian state, one that operates as a geopolitical outlier, leveraging nuclear weapons development, cyber warfare, and strategic alliances with adversarial nations to counterbalance international sanctions and maintain regime survival amid global isolation.
Chainflip’s response is a blueprint for responsible crypto netizenship: they supported Bybit swiftly, publicly explained their shutdown decision, coordinated with on-chain crypto sleuth @zachxbt and cooperated with the FBI’s investigation, emerging relatively unscathed from the ordeal. Unlike THORChain, which was slow to act and only responded after pressure from authorities, Chainflip took decisive self-regulatory action, preventing Lazarus from exploiting their protocol. Their response underscores a broader industry challenge—whether decentralization should be an excuse for inaction or if protocols must take responsibility for preventing bad actors from abusing their systems.
What THORChain Did
THORChain’s failure to act decisively allowed hackers to launder over USD 600 million, making it one of the biggest weak points in Lazarus' exploit. Unlike Chainflip, which self-regulated and blocked transactions immediately, THORChain only took action after receiving an FBI letter. While specific details of the FBI's communications with THORChain, Chainflip, and other ecosystem participants regarding the Bybit hack have not been publicly disclosed, such official letters typically contain urgent requests for cooperation. These requests often include immediate action to freeze any suspicious transactions, provision of detailed logs and records related to illicit activities, and implementation of enhanced monitoring to prevent further misuse of the platforms. So what stopped THORChain from acting decisively and promptly to prevent the laundering of stolen funds? The community voted against halting transactions to block Lazarus' laundering attempts, and internal conflict led to a key developer resigning.

More concerning, however, is the lack of native screening tools, which allegedly allowed hackers to bypass external security checks and integrate directly with the protocol. THORChain’s hands-off approach has now turned into a serious reputational and legal crisis. From a legal perspective, THORChain’s node operators now face criminal liability risks. Node operators facilitated transactions tied to money laundering, even profiting from them, allegedly earning over $3 million in fees.

Regulators may view THORChain and, more precisely, its node operators as complicit in one of the most significant money laundering events in history. In most jurisdictions, AML regulations hold financial intermediaries, even decentralized ones, accountable for knowingly processing illicit funds. With public scrutiny of the crypto industry ever present, regulatory scrutiny on the rise and law enforcement agencies increasing their focus on DeFi protocols, node operators could face enforcement actions, fines, or even potential criminal liability if regulators determine they turned a blind eye to illegal activity. By failing to prevent the laundering of stolen funds in what has now become a national security and geopolitical issue, THORChain risks not only reputational damage but potential regulatory intervention that could threaten its long-term survival.
Takeaways
The key lessons from this incident are clear:
Unfavourable Odds: Ultimately, time and resources are never on the side of those trying to recover stolen assets. Hackers often have pre-set scripts and automated transactions designed to fragment and move funds within seconds, while fund chasers must manually coordinate responses, contact exchanges, and analyze blockchain movements. Even a 30-minute delay can mean the difference between a successful freeze and total loss.
No Good/Bad Actor List, yet: One of the industry’s biggest challenges is that there is no standardized, real-time and publicly available system for tracking and responding to hacks. More importantly, there is no public record of who helps and who doesn’t, leaving fund chasers to operate in the dark while hackers exploit known weaknesses in industry coordination. Bybit’s launch of HackBounty.com aims to change that. “There isn’t an information platform that aggregates everything about chasing stolen funds,” said Bybit CEO Ben Zhou. “Hackers bet on lag in response times, exhausting the patience of those chasing them. How do we solve this as an industry? We need to show endpoints, show a clock, and demonstrate how fast people are responding to requests for help. Then we can take legal or regulatory action to hold bad actors accountable.”
Security matters, no matter who you are:
If you’re building a DeFi protocol—take security seriously. Chainflip’s broker-level screening model is a blueprint worth following.
If you’re a liquidity provider—watch where your capital flows. Platforms that facilitate laundering put you at risk too.
If you’re an investor—assess security posture, not just decentralization. The THORChain mess could have been avoided.
If you’re a user—hold protocols accountable. Security is part of the trust equation in DeFi.
Best Practice = Good Netizenship: While keyboard activists demand decentralisation, the longevity and legitimacy of our industry trumps all. Chainflip demonstrated exemplary self-regulation at a critical moment, blocking Lazarus’ attempt to launder funds through their network. Meanwhile, THORChain’s node operators pocketed millions in fees from laundering stolen funds, raising serious ethical and legal questions. The industry cannot afford to sit on the sidelines—it’s time for a coordinated, transparent response to hacks that threaten it and everyone in it.
If you have questions about how your protocol can improve its security measures, or how to minimise your liability exposure for facilitating money laundering, get in touch with us now.