THORChain swaps real BTC for real ETH without a custodian — and that's also why it ended up moving Bybit's stolen ether.

How it works

THORChain is an independent Layer-1 built on the Cosmos SDK with CometBFT consensus. Validator nodes pool liquidity into multi-signature vaults secured by the GG20 Threshold Signature Scheme. A user sends a native asset — real BTC, real ETH, real LTC — to an inbound vault on the source chain; validators observe the deposit, sign an outbound transaction on the destination chain, and the user receives the asset they asked for. There are no wrapped tokens, no bridge IOUs, and no centralised custodian in the middle. The protocol's native asset, RUNE, bonds validators and pairs each pool. Fees follow a slip-based model that scales with trade size against pool depth. As of 2026 the network connects BTC, ETH, BCH, LTC, DOGE, BSC, Avalanche, Cosmos, Base, XRP and TRON.

KYC & privacy

There is no signup, no email, no account. The site markets itself as 'censorship-resistant' infrastructure and KYC has never been part of the user flow — front-ends connect a wallet and broadcast a swap to a vault address. Validators cannot withhold signatures on a per-user basis without a network-wide governance halt. The trade-off is that on-chain pseudonymity is the ceiling: source and destination addresses sit in two public ledgers and remain linkable to a competent chain analyst. This is the same property that let THORChain become the dominant non-custodial venue for laundering the February 2025 Bybit hack, when an attributed North Korean entity routed roughly $1.4 billion in stolen ETH to BTC across the network in days. Protocol architecture did not — and could not — intervene.

Strengths and limits

The strengths are protocol-shaped. Code is open source on github.com/thorchain and gitlab.com/thorchain/thornode; Code4rena ran a public audit competition in June 2024; halts are coordinated through validator consensus rather than a kill switch held by one operator. The limits are operational. THORChain has halted three times for code or vulnerability issues — the July 2021 ETH Router exploits drained roughly $16 million across two attacks, October 2022 halted on a non-determinism bug, and March 2023 stopped trading over a dependency vulnerability. In 2025 the network's savers-and-lenders module crystallised a roughly $200 million treasury deficit; the recovery is being financed through a newly minted TCY claim token, with TCY holders entitled to 10% of protocol revenue. The hack book is short on user-fund losses but long on insolvency overhang.

Verdict

THORChain remains the only mainstream venue where one wallet swaps real Bitcoin for real Ethereum without a KYC counter or a bridge custodian, and that property has held under fire — including fire its operators clearly did not want. But the lending hole, three operational halts, and the unfinished TCY repayment instrument keep this in the 'works, but read the receipts' tier.