THORChain’s “Neutrality” Defense Fails on Its Own Terms

More on the “can we” vs. “should we” interdict topic. This time focused on the recent laundering of about $80 million from the KelpDAO hack through THORChain, who claims neutrality as true DeFi.

Neutrality is not the absence of a headquarters. Neutrality is the absence of meaningful discretion. And that is exactly where THORChain’s public defense starts to fall apart.

After the $1.5 billion Bybit theft, the FBI did not treat DeFi infrastructure as powerless bystanders. It said North Korea’s TraderTraitor actors were responsible and expressly urged DeFi services, along with exchanges, bridges, RPC providers, and analytics firms, to block transactions tied to the laundering addresses. TRM later reported that by early March 2025 the vast majority of the stolen ETH had been bridged into Bitcoin, mostly through services using THORChain. More recent Bloomberg/Cyvers reporting tied to the Kelp DAO exploit says roughly $175 million in stolen assets was shifted into new wallets and routed through platforms including THORChain, Umbra, and BitTorrent.

In my opinion, THORChain’s defense is just moral rhetoric. In their opinion, it is a factual claim: we built a permissionless system, we do not control it, therefore we are not responsible for what bad actors do with it.

But THORChain’s own documentation describes a system with multiple, explicit control surfaces. Assets are held in threshold-signed vaults, and releasing funds requires a supermajority of validators to sign. Governance through Mimir allows validators to change operational parameters with a small number of votes and economic parameters with roughly a two-thirds supermajority. Node operators can halt trading when they detect malicious activity; a single node can pause trading for up to an hour; unauthorized transaction detection can automatically pause chain-specific trading; and THORChain’s own emergency docs describe make pause as the “big red button that stops everything.” Its developer docs also spell out trading halts, signing halts, chain halts, LP pauses, and outbound queueing. 

That is not “no control.” That is distributed control. And distributed control is still control.

This is the central analytical mistake in the neutrality argument. THORChain tries to collapse “no single admin key” into “no meaningful agency anywhere in the system.” Those are not the same proposition. Plenty of systems are not centrally controlled by one person and still have real governance, emergency-response authority, parameter-setting power, and the technical ability to slow, stop, or refuse certain flows. Once those levers exist, “hands off” stops being a law-of-nature argument and becomes a governance choice.

That distinction is exactly why Van Loon v. Treasury is not the shield THORChain’s defenders want it to be. The Fifth Circuit did not hold that all decentralized protocols are legally neutral. It held that OFAC exceeded its statutory authority as to Tornado Cash’s immutable smart contracts because those contracts could not be owned or controlled by Tornado Cash once they were made immutable. The court emphasized that the developers had effectively revoked any continuing role, and that unlike the owner of a vending machine, they could not “unplug” the immutable contracts. THORChain’s own docs describe the opposite condition: validators can halt trading, halt signing, halt chains, queue outbounds, change parameters, and coordinate emergency responses. In other words, Van Loon helps where control has truly been surrendered. THORChain’s own architecture is evidence that control has been distributed, not eliminated.

That is also why the better legal frame is not “code versus regulation.” It is software publication versus operation of a value-transfer service. FinCEN has made that distinction for years. Its 2019 guidance says an anonymizing services provider that accepts value and retransmits it in a way designed to mask the source is a money transmitter, while an anonymizing software provider is not. That is a critical line. Writing or publishing software is one thing. Operating, governing, maintaining, and monetizing a system that accepts and transmits value as a service is another. The more a project looks like the latter, the weaker the “we merely wrote code” defense becomes.

That same line shows up in the case law and prosecutions. In United States v. Harmon, the court held that Helix qualified as an unlicensed money transmitting business because its core business was receiving customers’ bitcoin and transmitting it to another location or person in order to mask the original source. That is real case law, and it matters because it rejects the idea that a bitcoin-based obfuscation service escapes money-transmission analysis simply because it is native to crypto. Likewise, after Van Loon narrowed OFAC’s sanctions theory against Tornado Cash’s immutable contracts and Treasury later removed those sanctions, DOJ still secured Roman Storm’s conviction on the conspiracy to operate an unlicensed money-transmitting business count. And in the Samourai matter, the founders pleaded guilty and were later sentenced to prison for knowingly transmitting more than $237 million in criminal proceeds through a money-transmitting business. The legal lesson is not that all code is illegal. It is that “code” stops doing the work once prosecutors and courts see operation, knowledge, transmission, and monetization. 

Treasury has been explicit on the broader policy point as well. In its DeFi illicit-finance risk assessment, Treasury said that whether a purported DeFi service is covered under the Bank Secrecy Act depends on the facts and circumstances, that a service’s claim to be “fully decentralized” does not determine its status, and that many decentralization claims may reflect “marketing more than reality.” Treasury also noted that illicit actors regularly use DEXs and cross-chain tools to convert stolen assets into more liquid or less traceable assets, or into assets compatible with other laundering tools. That is almost a description of what THORChain has repeatedly been used for. 

And then there is the part THORChain’s defenders least like to discuss: profit. THORChain’s own liquidity docs say large swaps pay higher slip-based fees and those fees go directly to liquidity providers. Its delay docs say users with higher fee-paying history can earn “clout,” which can reduce outbound delay. So when massive laundering flows hit the protocol, THORChain is not merely a passive road that criminals happen to drive on. It is a fee-extracting marketplace whose participants economically benefit from swap volume, including abnormal swap volume. That does not automatically establish liability. But it destroys the moral purity story. You do not get to say “we are neutral observers” while the protocol is explicitly designed to capture more revenue from larger swaps and reward high-fee usage. (THORChain Docs)

This is why the word neutrality is doing so much dishonest work in these debates. Open systems are not neutral merely because anyone can access them. A public road is not “neutral” if its operators knowingly wave through convoys of stolen goods while collecting tolls. A marketplace is not “neutral” if it has the ability to stop obviously tainted transactions, advertises itself as unable to do so, and pockets fees each time the tainted flow clears. Real neutrality requires genuine lack of discretion. THORChain’s own docs show discretion everywhere: in vault signing, in Mimir governance, in emergency pause functions, in per-chain halts, in signing halts, in outbound delays, and in validator coordination.

The strongest rebuttal, then, is not “all DeFi is illegal.” It is narrower and harder to answer: THORChain cannot plausibly claim helplessness. Its own architecture proves otherwise. The FBI’s Bybit advisory proves the government expects DeFi services to act when state-sponsored laundering is underway. Treasury’s DeFi assessment proves labels like “decentralized” and “neutral” do not settle the legal question. FinCEN’s guidance proves the law distinguishes tools from operated transmission services. Van Loon proves immutable, uncontrollable code is a special case, not a general safe harbor. Harmon, Storm, and Samourai prove that once knowledge, operation, fee capture, and transmission are in the picture, “we just wrote code” becomes a very weak defense. 

So what should THORChain do if it wants to stop pretending and start acting responsibly?

1. Adopt a formal exploit-response policy that uses the controls it already has: immediate trading and signing halts for freshly identified exploit flows, especially where law enforcement or multiple reputable analytics firms identify active laundering addresses. THORChain already has the architecture for that. 

2. Create a narrow, publicly auditable sanctions-and-exploit filter governed by validators through Mimir. This does not require blanket KYC or turning the protocol into a bank. It means using distributed governance to respond to specific, high-confidence taint signals: FBI-listed addresses, OFAC-listed wallets, active exploit destinations, and closely traced derivative wallets.

3. Segregate fees derived from sanctioned or clearly exploit-linked flows instead of distributing them as ordinary network revenue. Put them in escrow pending lawful disposition or victim-recovery processes. If the protocol insists it is neutral, it should at least stop profiting from the very flows it says it cannot control.

4. Publish incident reports and vote records each time emergency powers are or are not used. Neutrality claims should not survive on vibes. They should rise or fall on documented governance choices.

5. Stop hiding behind the idea that any mitigation equals centralization. THORChain already has emergency procedures, governance votes, delay mechanics, and chain-specific halt functions. The relevant question is not whether intervention is possible. It plainly is. The question is whether the people who govern the network are willing to use those powers when the beneficiaries are North Korean hackers and the losers are hack victims, counterparties, and the broader ecosystem.

6. 
   

That is the real issue.

Not whether THORChain is open source.

Not whether decentralization is valuable.

Not whether some measure of censorship resistance should exist.

The issue is whether a protocol that retains meaningful intervention tools, signs outflows with validator supermajorities, earns fees from large swaps, and has been repeatedly used as a laundering rail for major hacks can still describe itself as a passive, neutral bystander.

It can't.

Permissionless is not the same as powerless

Decentralized is not the same as ungoverned.

And “code is neutral” is not a legal defense when the people behind the system still have levers, still have knowledge, and still get paid.

My prediction: If THORChain wasn't in Switzerland, I would predict DOJ will be knocking on their door soon, just as they did with other similar protocol, however, this one may be more challenging.