TL;DR

• THORSwap is offering a bounty after a personal wallet was exploited for $1.2M-$1.35M.
• Onchain analyst ZachXBT says the victim is THORChain founder John-Paul Thorbjornsen.
• Hackers linked to North Korea are suspected.
• THORChain and THORSwap protocols were not exploited.
• PeckShield and THORChain teams confirmed this was a targeted personal attack, not a protocol breach.

THORSwap has taken an unusual step in the wake of a major wallet hack - offering a direct bounty to the exploiter. The move comes after a personal wallet, reportedly belonging to THORChain founder John-Paul Thorbjornsen (better known as JP), was drained for roughly $1.35 million earlier this week.

Blockchain security firm PeckShield first flagged the attack, posting on X that approximately $1.2 million had been stolen. The team initially suggested THORChain itself may have been exploited before clarifying that this was a personal wallet incident - not a protocol breach.

Bounty Offer: "Return THOR for Reward"

THORSwap has repeatedly messaged the hacker onchain with a clear offer: return the stolen assets and walk away free.

The DEX aggregator's CEO, Paper X, added that the situation does not involve any vulnerability in THORSwap or THORChain smart contracts.

ZachXBT Identifies Victim as Founder

Crypto investigator ZachXBT quickly weighed in, claiming the wallet belongs to JP, THORChain's co founder.

"The wallet likely belongs to @jpthor who had a private wallet compromised due to a fake meeting scam a few days ago," ZachXBT wrote. 

He also noted the irony of the situation, pointing out JP's history of financial gain from DPRK-related laundering seizures - calling the attack "poetic."

Who's Behind the Attack?

Security researchers suspect North Korean state-backed hackers orchestrated the theft. The group has been increasingly targeting DeFi projects, bridges, and wallet owners using phishing campaigns disguised as "business meetings" or job offers - a tactic confirmed in multiple cases by security firms like SlowMist and CertiK.

No Impact on THORChain or Users

The key takeaway for users: THORChain and THORSwap remain secure.

• No smart contract exploits were involved.
• No funds from liquidity pools or users were impacted.
• The exploit was limited to an individual's private wallet.

Still, the hack highlights the risks of personal wallet compromises - a growing attack vector in crypto security.

Lessons for the Community

This incident underscores a crucial point: even seasoned founders can fall victim to social engineering.

• Always verify meeting requests and links - fake meeting scams are a top method for private key theft.
• Use multi-sig or hardware wallets for large holdings.
• Monitor onchain alerts from security firms like PeckShield or SlowMist.

What's Next?

THORSwap's bounty window is open for 72 hours from the last onchain message. If the hacker refuses, further steps could involve law enforcement or blockchain tracing efforts to freeze the funds.

This case will likely remain a hot topic in crypto security circles, as it combines high-profile targets, geopolitical intrigue, and the ongoing debate over bounties as a means of recovery.