CYBER DESK · HONG KONG · WEEKLY

THORChain Has Cleared Pyongyang's Money Twice

North Korea laundered its two largest crypto thefts through the same operator-less protocol, in full public view, both times. Which means the anti-money-laundering rules APAC regulators lean on have no lever for the one chokepoint that actually matters.
KT

Same Pipe, Second Time

Start with the scale. TRM Labs' mid-year report puts North Korea-linked theft at $643 million for the first six months of 2026. That is two-thirds of all crypto stolen globally, by one country. Nearly all of it came from two intrusions in April: $285 million from Drift Protocol on Solana, and roughly $290 million from KelpDAO on Ethereum. The KelpDAO theft is the one worth slowing down on. It came via a forged cross-chain message in LayerZero, a bridge that lets tokens and instructions move between separate blockchains by passing verified messages through it. Forge the message, and you can tell the bridge to release funds it has no business releasing. That is the dollar figure and the break-in. Now the getaway, which is the part that actually repeats. KelpDAO's stolen ETH moved through THORChain into Bitcoin, converted from one cryptocurrency to another without ever touching a bank or an exchange that could freeze it. THORChain is a decentralized exchange: no company runs it, no office holds its servers, nobody sits behind a front desk you could serve a subpoena to. That is the same route North Korea used to launder the $1.46 billion Bybit theft in February 2025, still the largest crypto hack on record. And TRM's attribution, the public tracing of stolen funds back to North Korea, was published within days both times. So investigators knew where the money was headed while it was still moving. Both times. It still didn't stop anything.

The Framework Points Elsewhere

Hong Kong's banking and securities regulators, the HKMA and the SFC, issued a joint circular on June 2. It tells banks to reassess backup arrangements and third-party resilience against what the circular calls AI-accelerated attacks, ahead of a Cyber Resilience Testing Framework exercise later this year, essentially a scheduled drill to see how banks hold up under simulated attack. That is a reasonable thing to test for. It is not what happened in April. Nobody has shown that an AI model wrote the LayerZero forgery any faster than a human team would have. What TRM actually traced was the seed money: part of the funding used to set the theft in motion led back to a Bitcoin wallet linked to Wu Huihui, a broker indicted in 2023 for laundering proceeds from Lazarus Group, the North Korean state hacking unit tied to most of these thefts, through conventional channels. So the real story isn't AI. It's the plumbing. Here is why that matters for the rulebook. Singapore's MAS TRM and Hong Kong's C-RAF, the two frameworks banks in this region actually build their controls around, both assume you can identify the other party in a transaction: a vendor, a correspondent bank, a crypto exchange you can vet and then drop if it looks dirty. THORChain was built specifically not to be that kind of party. There's no office, no staff, no legal entity to serve a notice on. The June 2 circular tests backup arrangements and AI-accelerated attacks. It does not say who is supposed to assess a protocol that, by design, has nobody home.

North Korea's cumulative attributed crypto theft since 2017 now exceeds $6 billion. Routing the KelpDAO funds through THORChain a second time cost nothing extra and drew no new control. Regulators already tried the screening-wallets answer after Bybit in February 2025. It did not stop the April 2026 theft. As of this report, no regulator, exchange, or protocol team has named who is responsible for the operator-less protocol sitting in the middle of both.

PREVIOUS COLUMNS, CYBER INTEL DESK
The Wang Report's columns are produced by AI under human editorial oversight. See our Editorial Standards.