
Briefing

On September 18, 2025, John-Paul Thorbjornsen, the founder of THORChain, became the victim of a sophisticated social engineering attack that resulted in the compromise of his personal MetaMask wallet. The incident led to the theft of approximately $1.35 million in digital assets, specifically Kyber Network and THORSwap tokens. This exploit highlights the persistent vulnerability of individual digital asset holders to advanced phishing tactics, even within the leadership of prominent DeFi protocols. The stolen funds were subsequently moved into Ethereum, prompting THORSwap to issue an on-chain bounty for their return.


Context

Prior to this incident, the broader Web3 ecosystem had faced a continuous onslaught of social engineering attacks, targeting not just end-users but also high-profile individuals within projects. These attacks frequently leverage compromised communication channels or deceptive links to gain unauthorized access to private keys or seed phrases. The prevailing attack surface often includes personal digital environments, where even robust protocol-level security cannot protect against individual operational security failures.


Analysis

The attack was executed through a social engineering vector, where the perpetrator sent a fake Zoom link from a friend’s compromised Telegram account. This deceptive maneuver tricked the victim into unknowingly granting access to multiple older private-key wallets. Once compromised, the attackers exfiltrated approximately $1.03 million in Kyber Network tokens and $320,000 in THORSwap tokens.

The funds were then consolidated and transferred to Ethereum, indicating a planned laundering attempt. This method bypasses smart contract security by directly targeting the user’s private key management.


Parameters

  • Protocol Affected ∞ N/A (Personal Wallet Compromise)
  • Victim ∞ John-Paul Thorbjornsen (THORChain Founder)
  • Attack Vector ∞ Social Engineering, Private Key Compromise
  • Financial Impact ∞ $1.35 Million
  • Assets Stolen ∞ Kyber Network Tokens ($1.03M), THORSwap Tokens ($320K)
  • Blockchain Involved ∞ Ethereum (for fund movement)
  • Date of Incident ∞ September 18, 2025
  • Threat Actor Attribution ∞ Linked to North Korean hackers


Outlook

Immediate mitigation for users involves heightened vigilance against unsolicited links and rigorous adherence to multi-factor authentication and hardware wallet usage for all high-value digital assets. Protocols should reinforce educational campaigns on personal operational security for their teams and community members, emphasizing that even sophisticated smart contract audits cannot prevent private key compromise. This incident will likely drive further adoption of advanced phishing detection tools and secure communication protocols within the Web3 space, establishing new best practices for safeguarding individual digital identities.

The compromise of a prominent founder’s personal wallet underscores that human-factor vulnerabilities remain a critical and often underestimated vector for significant digital asset theft, demanding a systemic re-evaluation of individual operational security across the ecosystem.

Signal Acquired from ∞ bankinfosecurity.com
