Security

THORChain Founder’s Wallet Drained by Social Engineering Attack

A compromised personal MetaMask wallet, accessed via social engineering, underscores critical user-side private key risk.
September 23, 20253 min

A central metallic, ribbed mechanism interacts with a transparent, flexible material, revealing clusters of deep blue, faceted structures on either side. The neutral grey background highlights the intricate interaction between the components
The image displays a high-fidelity rendering of a transparent device, revealing complex internal blue components and a prominent brushed metal surface. The device's outer shell is clear, showcasing the intricate design of its inner workings

Briefing

On September 18, 2025, John-Paul Thorbjornsen, the founder of THORChain, became the victim of a sophisticated social engineering attack that resulted in the compromise of his personal MetaMask wallet. The incident led to the theft of approximately $1.35 million in digital assets, specifically Kyber Network and THORSwap tokens. This exploit highlights the persistent vulnerability of individual digital asset holders to advanced phishing tactics, even within the leadership of prominent DeFi protocols. The stolen funds were subsequently moved into Ethereum, prompting THORSwap to issue an on-chain bounty for their return.

The image showcases a high-tech device, featuring a prominent, faceted blue gem-like component embedded within a brushed metallic and transparent casing. A slender metallic rod runs alongside, emphasizing precision engineering and sleek design

Context

Prior to this incident, the broader Web3 ecosystem has faced a continuous onslaught of social engineering attacks, targeting not just end-users but also high-profile individuals within projects. These attacks frequently leverage compromised communication channels or deceptive links to gain unauthorized access to private keys or seed phrases. The prevailing attack surface often includes personal digital environments, where even robust protocol-level security cannot protect against individual operational security failures.

A sleek, high-tech portable device is presented at an angle, featuring a prominent translucent blue top panel. This panel reveals an array of intricate mechanical gears, ruby bearings, and a central textured circular component, all encased within a polished silver frame

Analysis

The attack was executed through a social engineering vector, where the perpetrator sent a fake Zoom link from a friend’s compromised Telegram account. This deceptive maneuver tricked the victim into unknowingly granting access to multiple older private-key wallets. Once compromised, the attackers exfiltrated approximately $1.03 million in Kyber Network tokens and $320,000 in THORSwap tokens.

The funds were then consolidated and transferred to Ethereum, indicating a planned laundering attempt. This method bypasses smart contract security by directly targeting the user’s private key management.

A close-up view highlights a futuristic in-ear monitor, featuring a translucent deep blue inner casing with intricate internal components and clear outer shell. Polished silver metallic connectors are visible, contrasting against the blue and transparent materials, set against a soft grey background

Parameters

  • Protocol Affected → N/A (Personal Wallet Compromise)
  • Victim → John-Paul Thorbjornsen (THORChain Founder)
  • Attack Vector → Social Engineering, Private Key Compromise
  • Financial Impact → $1.35 Million
  • Assets Stolen → Kyber Network Tokens ($1.03M), THORSwap Tokens ($320K)
  • Blockchain Involved → Ethereum (for fund movement)
  • Date of Incident → September 18, 2025
  • Threat Actor Attribution → Linked to North Korean hackers

A central spiky cluster of translucent blue crystalline elements and white spheres, emanating from a white core, is visually depicted. Thin metallic wires extend, connecting to two smooth white spherical objects on either side

Outlook

Immediate mitigation for users involves heightened vigilance against unsolicited links and a rigorous adherence to multi-factor authentication and hardware wallet usage for all high-value digital assets. Protocols should reinforce educational campaigns on personal operational security for their teams and community members, emphasizing that even sophisticated smart contract audits cannot prevent private key compromise. This incident will likely drive further adoption of advanced phishing detection tools and secure communication protocols within the Web3 space, establishing new best practices for safeguarding individual digital identities.

The compromise of a prominent founder’s personal wallet underscores that human-factor vulnerabilities remain a critical and often underestimated vector for significant digital asset theft, demanding a systemic re-evaluation of individual operational security across the ecosystem.

Signal Acquired from → bankinfosecurity.com

Micro Crypto News Feeds

social engineering

Definition ∞ Social engineering is a non-technical method of influencing people to give up confidential information or perform actions that benefit the attacker.

operational security

Definition ∞ Operational security, often abbreviated as OpSec, is a process that involves protecting sensitive information from adversaries.

network

Definition ∞ A network is a system of interconnected computers or devices capable of communication and resource sharing.

smart contract

Definition ∞ A Smart Contract is a self-executing contract with the terms of the agreement directly written into code.

compromise

Definition ∞ A 'compromise' in the digital asset space refers to an agreement reached between differing parties, often involving concessions on key points.

private key compromise

Definition ∞ A private key compromise occurs when the secret cryptographic key that controls access to a cryptocurrency wallet is obtained by an unauthorized party.

assets

Definition ∞ A digital asset represents a unit of value recorded on a blockchain or similar distributed ledger technology.

blockchain

Definition ∞ A blockchain is a distributed, immutable ledger that records transactions across numerous interconnected computers.

digital assets

Definition ∞ Digital assets are any form of property that exists in a digital or electronic format and is capable of being owned and transferred.

Tags:

Tags: