THORChain Founder's Wallet Drained by Social Engineering Attack → Security

The image displays a sleek, translucent device with a central brushed metallic button, surrounded by a vibrant blue luminescence. The device's surface exhibits subtle reflections, highlighting its polished, futuristic design, set against a dark background

A close-up shot displays a highly detailed, silver-toned mechanical device nestled within a textured, deep blue material. The device features multiple intricate components, including a circular sensor and various ports, suggesting advanced functionality

Briefing

On September 18, 2025, John-Paul Thorbjornsen, the founder of THORChain, became the victim of a sophisticated social engineering attack that resulted in the compromise of his personal MetaMask wallet. The incident led to the theft of approximately $1.35 million in digital assets, specifically Kyber Network and THORSwap tokens. This exploit highlights the persistent vulnerability of individual digital asset holders to advanced phishing tactics, even within the leadership of prominent DeFi protocols. The stolen funds were subsequently moved into Ethereum, prompting THORSwap to issue an on-chain bounty for their return.

A close-up view presents a high-tech mechanical assembly, featuring a central metallic rod extending from a complex circular structure. This structure comprises a textured grey ring, reflective metallic segments, and translucent outer casing elements, all rendered in cool blue-grey tones

Context

Prior to this incident, the broader Web3 ecosystem has faced a continuous onslaught of social engineering attacks, targeting not just end-users but also high-profile individuals within projects. These attacks frequently leverage compromised communication channels or deceptive links to gain unauthorized access to private keys or seed phrases. The prevailing attack surface often includes personal digital environments, where even robust protocol-level security cannot protect against individual operational security failures.

A detailed perspective showcases precision-engineered metallic components intricately connected by a translucent, deep blue structural element, creating a visually striking and functional assembly. The brushed metal surfaces exhibit fine texture, contrasting with the smooth, glossy finish of the blue part, which appears to securely cradle or interlock with the silver elements

Analysis

The attack was executed through a social engineering vector, where the perpetrator sent a fake Zoom link from a friend’s compromised Telegram account. This deceptive maneuver tricked the victim into unknowingly granting access to multiple older private-key wallets. Once compromised, the attackers exfiltrated approximately $1.03 million in Kyber Network tokens and $320,000 in THORSwap tokens.

The funds were then consolidated and transferred to Ethereum, indicating a planned laundering attempt. This method bypasses smart contract security by directly targeting the user’s private key management.

A central metallic, ribbed mechanism interacts with a transparent, flexible material, revealing clusters of deep blue, faceted structures on either side. The neutral grey background highlights the intricate interaction between the components

Parameters

Protocol Affected → N/A (Personal Wallet Compromise)
Victim → John-Paul Thorbjornsen (THORChain Founder)
Attack Vector → Social Engineering, Private Key Compromise
Financial Impact → $1.35 Million
Assets Stolen → Kyber Network Tokens ($1.03M), THORSwap Tokens ($320K)
Blockchain Involved → Ethereum (for fund movement)
Date of Incident → September 18, 2025
Threat Actor Attribution → Linked to North Korean hackers

A clear sphere, encircled by a smooth white ring, reveals a vibrant, geometric blue core. This core, with its sharp facets and interconnected components, visually represents the intricate architecture of a blockchain, possibly illustrating a private key or a genesis block

Outlook

Immediate mitigation for users involves heightened vigilance against unsolicited links and a rigorous adherence to multi-factor authentication and hardware wallet usage for all high-value digital assets. Protocols should reinforce educational campaigns on personal operational security for their teams and community members, emphasizing that even sophisticated smart contract audits cannot prevent private key compromise. This incident will likely drive further adoption of advanced phishing detection tools and secure communication protocols within the Web3 space, establishing new best practices for safeguarding individual digital identities.

The compromise of a prominent founder’s personal wallet underscores that human-factor vulnerabilities remain a critical and often underestimated vector for significant digital asset theft, demanding a systemic re-evaluation of individual operational security across the ecosystem.

Signal Acquired from → bankinfosecurity.com