After a security researcher warns that crypto trading platform Hyperliquid faces an elevated risk of getting targeted by North Korean hackers, users of prediction-betting site Polymarket spin up their own wagers on the likelihood.
Posted December 23, 2024 at 3:23 pm EST.
Hyperliquid, a blockchain project designed for trading that shot to the top of crypto headlines following last month’s airdrop of its new HYPE token, now appears in retreat as speculation surges on social media that it could be in the crosshairs of North Korean hackers.
The HYPE token price has tumbled in the past two days, and some $210 million of deposits in the stablecoin USDC has flowed off the platform, a record daily amount, according to a dashboard on the analytics platform Dune Analytics created by Hashed_Official. As of press time, remaining deposits stood at roughly $2.1 billion.
Some canny opportunists have even spun up a prediction market on Polymarket for users to bet on whether the project would be exploited before February. Current odds point to a 14% probability of that happening.
The speculation was touched off as Taylor Monahan, a developer at crypto wallet provider MetaMask, shared her worries on social media. CoinDesk noted the outflows in a story published earlier Monday.
Monahan indicated that wallet addresses identified as belonging to suspected North Koreans were actively using Hyperliquid – one of which was liquidated on Saturday when the price of Ethereum’s cryptocurrency, ETH, dropped, resulting in a loss of about half a million dollars.
On Sunday, Monahan posted on X a screenshot of a message she says she wrote two weeks ago to the Hyperliquid team — as evidence that she had warned them of the elevated risk.
“I am quite concerned that you guys are at increased risk due to the fact we know that these specific threat actors are now intimately familiar with your platform,” Monahan wrote at the time, according to the screenshot. She emphasized that North Korean hackers are sophisticated, creative, and persistent.
In her recent post, Monahan shared 12 addresses she identified as likely belonging to North Koreans that are active on Hyperliquid. None of the addresses appear to be on a sanctions list administered by the U.S. Office of Foreign Assets Control, Unchained confirmed.
Monahan said she shared her concerns on X, because the Hyperliquid team had “ghosted” her, a colloquialism for not responding.
A pseudonymous developer for the Hyperliquid project, who goes by @iliensinc, wrote in the protocol’s Discord server early Monday that, “Hyperliquid Labs is aware of reports circulating regarding activity by supposed DPRK addresses.”
“There has been no DPRK exploit – or any exploit for that matter – of Hyperliquid,” according to the post. “All user funds are accounted for.”
Hyperliquid’s Security Set-Up
The validator set of the Hyperliquid blockchain secures the protocol’s EVM bridge, according to the protocol’s documentation. To trade on Hyperliquid, crypto users have to switch their wallet address to Arbitrum and deposit the stablecoin USDC into Hyperliquid’s bridging contract, which is less than two years old and held more than $2.1 billion at press time.
Mudit Gupta, chief information security officer at Polygon Labs, said on X, “Hyperliquid bridge is controlled by two 3-of-4 hot wallet multisigs, managed by a single binary. I’d advise them to increase this threshold and eliminate the single point of failure instead of attacking security researchers.”
Unchained was unable to confirm the details in the project’s documentation.
Adrian Hetman, head of triaging at bug bounty platform Immunefi, told Unchained in emailed comments that, “In any case, relying primarily on a 3/4 validator setup as the main protection for their bridge is highly risky.”
North Korean hackers previously have targeted bridge smart contracts to steal funds, notably in incidents involving the Ronin and Harmony bridges.
Some commenters on social media remarked that Monahan was spreading “FUD” – an acronym that stands for “fear, uncertainty, and doubt” – while others suggested that she was seeking attention for herself.
Monahan said she wouldn’t have aired the criticisms without first attempting to notify the Hyperliquid team.
“If there was any chance of them listening to me, I wouldn’t have tweeted and especially not in that way,” she wrote in a Telegram group chat with over 4,400 members.
“I would be sh-tting my pants right now,” Monahan wrote.
Hyperliquid’s @iliensinc said in the Discord post that someone had reached out to the team with security concerns but communicated using insults and profanity. “Given the level of professionalism displayed, Labs conferred instead with trusted parties,” per @iliensinc’s Discord announcement.
Hyperliquid didn’t respond to Unchained’s request for comment.
Samczsun, a pseudonymous researcher for the venture-capital firm Paradigm and founder of Security Alliance, said they were disappointed to see people attack Monahan in light of HYPE’s recent price downturn.
“I just wish people would give Tay the same grace they give others, because clearly they’re capable of it,” Samczsun wrote on X early Monday.
Various researchers and news outlets have reported this year on North Koreans increasingly infiltrating the crypto industry both as users and employees, beyond just their reputation as savvy hackers.
In two exploits this year – of WazirX and Radiant Capital – North Korean hackers allegedly profited by a total of $285 million, making up 16% of all crypto losses in the past year, according to a report published by Immunefi on Monday.
The attacks highlight how North Korean hackers “continue to often target project infrastructure and leverage sophisticated social engineering operations to compromise systems,” according to the report.