Hyperliquidate
North Korean hackers don't take holidays.
While crypto traders were hanging their stockings with care, Tayvano spotted DPRK-linked addresses testing Hyperliquid's defenses - a protocol with over $2 billion in TVL secured by just four validators.
Memories of Ronin's $624M hack still haunt the industry, where compromising five out of nine validators was enough to drain the bridge.
Hyperliquid's setup currently has 4 validators and requires only three signatures to control billions.
The warnings sparked widespread panic, sending HYPE tumbling 21% and triggering over $210 million in outflows.
Hyperliquid's team dismissed the concerns, claiming "no vulnerabilities have been shared by any party."
Santa might be checking his list twice, but DPRK hackers are scanning for a different kind of chimney to slide down this Christmas - one that leads straight to Hyperliquid's bridge contract.
Could somebody be getting coal in their stocking this holiday season?
Credit: Defi Llama, Mudit Gupta, Decrypt, ZachXBT, Tayvano, Viktor Bunin, Hyperliquid, Nass Eddequiouaq, CoinTelegraph, Radiant Capital, Hudson Jameson, Samczsun, Laura Shin, David Phelps
ZachXBT may have caught this one early - the Radiant Capital attacker, fresh from their $50 million October heist, was casually trading on Hyperliquid.
Not just small trades either - they managed to profit $600k going long on ETH.
Fast forward to December 23rd - Tayvano sounds the alarm after discovering multiple DPRK-linked addresses actively trading on the platform.
These weren't just random trades - they bore all the hallmarks of North Korean hackers testing system boundaries and scanning for vulnerabilities.
After leading security at MEW/MyCrypto before joining MetaMask, Tayvano has spent several years helping protect users and projects from crypto's most sophisticated threats.
Her warnings about hacks and scams have saved countless users from losses, earning her recognition as one of crypto's foremost security experts.
As Viktor Bunin noted: "My wife and I have been targeted by North Korea multiple times... Tayvano is the first person I turn to and she has been nothing but incredible at every turn. If she's proactively trying to protect you... Take the help."
Hyperliquid's response on Discord landed like a lump of coal in the community stocking: "There has been no DPRK exploit – or any exploit for that matter – of Hyperliquid. All user funds are accounted for."
Rather than engage with one of crypto's most respected security experts warning about potential billion-dollar vulnerabilities, Hyperliquid's supporters mocked her tone and dismissed her concerns as attention-seeking FUD.
One asshat even claimed she was trying to hack her way to getting hired.
Clearly the hype crowd and security crowd don’t run in the same circles.
When state-sponsored hackers are probing your protocol, perhaps ridicule isn't the wisest defense strategy.
Security experts weren't buying the holiday cheer.
Former a16z security lead Nass Eddequiouaq's assessment was particularly grim - his "gut instinct" suggested the hackers were already inside Hyperliquid's infrastructure, methodically learning how to maximize their eventual exploit.
When North Korean hackers start testing your protocol's defenses during the holidays, do you deck the halls with better security or brush it off as FUD?
Hole in the Stocking
Four validators stand between billions in user funds and a state-sponsored hacking group that's already stolen $1.34 billion in 2024 alone.
Three signatures to move any amount - a security setup that would make even the Grinch's heart grow three sizes from sheer opportunity.
The architecture speaks for itself: "Hyperliquid bridge is controlled by two 3-of-4 hot wallet multisigs, managed by a single binary."
A single point of failure protecting a mountain of assets taller than Mount Crumpit.
Should the worst-case scenario unfold, the backup plans look dangerously thin.
According to ZachXBT, good luck getting Circle to freeze assets outside of 9-5 ET, and having Arbitrum's security council vote to roll back the chain is the nuclear option that nobody wants in their stocking.
Meanwhile, Hyperliquid’s Discord hinted at expansion to 16 validators "soon" - a gift the community hopes arrives before DPRK hackers do.
But even with more validators, questions linger about the team's operational security after Radiant Capital's October nightmare, where a simple PDF attachment led to a $50 million breach.
How many validators does it take to protect a fortune, when your opponent's shopping list includes zero-days and their work hours run 24/7?
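The threshold argument above can be made concrete with a small risk model (an added example, not from the original article or from Hyperliquid). It estimates the chance that an attacker holds enough keys to sign for the 3-of-4 and 5-of-9 setups named in the text, with and without a shared failure such as one binary managing every signer. The per-key probability, the shared-failure probability and the 11-of-16 threshold are assumptions chosen for illustration.

```python
from math import comb


def p_threshold_met(n: int, k: int, p_key: float) -> float:
    """Probability that at least k of n independently held keys are compromised."""
    return sum(comb(n, i) * p_key**i * (1 - p_key) ** (n - i) for i in range(k, n + 1))


def p_takeover(n: int, k: int, p_key: float, p_shared: float) -> float:
    """Takeover probability when a shared component (e.g. one binary that
    manages every signer) is compromised with probability p_shared and, if so,
    exposes all keys at once. Otherwise keys are compromised independently."""
    return p_shared + (1 - p_shared) * p_threshold_met(n, k, p_key)


# Assumed illustrative inputs, not measurements of any real deployment.
P_KEY = 0.05     # chance a single validator key is compromised on its own
P_SHARED = 0.02  # chance the shared signing component is compromised

SETUPS = {
    "3-of-4 (as described for the bridge)": (4, 3),
    "5-of-9 (Ronin, per the article)": (9, 5),
    "11-of-16 (assumed threshold for a 16-validator set)": (16, 11),
}


def compare(p_key: float = P_KEY, p_shared: float = P_SHARED) -> dict:
    """Return {setup: (independent-only risk, risk including shared component)}."""
    return {
        name: (p_threshold_met(n, k, p_key), p_takeover(n, k, p_key, p_shared))
        for name, (n, k) in SETUPS.items()
    }


if __name__ == "__main__":
    for name, (indep, total) in compare().items():
        print(f"{name:52s} independent={indep:.2e}  with shared component={total:.2e}")
```

With these assumed inputs the shared component dominates the total: moving from 4 to 16 validators barely changes the result while every signer depends on the same binary.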
Their idea of a bug bounty program? An 'open-ticket' button on Discord.
The only security documentation? Buried in a single page of a GitHub repo - not their website, not their docs. No rewards structure, no clear process, no formal program.
When North Korean hackers are testing your protocol, is 'file a ticket on Discord' really your first line of defense?
You’re a Mean One, Mr. Grinch
Fresh off a wildly successful $1.6 billion airdrop that saw HYPE's market cap rocket past $11 billion, Hyperliquid seemed unstoppable.
HYPE holders didn't wait for Santa to check his list twice.
The token plunged 21% as news spread, while users rushed to withdraw over $210 million from the protocol - the largest single-day outflow in Hyperliquid's history.
Some defenders claimed this was merely a "psyop" designed to harm Hyperliquid's reputation.
Others pointed to DPRK's widespread use of DeFi protocols as evidence that their presence didn't necessarily signal malicious intent.
But security researchers weren't swayed by holiday hopium.
After being dismissed with "insults and profanity," Tayvano simply muted the conversation, noting "this isn't a thing that is up for debate... HL either acts to harden their system. Or they don't."
When your protocol's running on four validators and the world's most sophisticated crypto thieves may be testing your defenses, maybe it's time to stop being such a Grinch about security?
Security experts don't raise alarms lightly, especially during the holidays.
When one of crypto's most battle-tested security experts raises red flags, the community rallies.
From Samczsun to Laura Shin to David Phelps - veterans across the space emphasized a simple truth: when Tayvano warns you about DPRK, you listen.
As David Phelps noted: "pro tip: the correct way to respond to one of the top security minds telling you she’d like to give you her time because of extreme concerns that north korea is deep inside your $30B platform is not to tell her that you don’t like her tone."
Yet Hyperliquid chose hype over security, dismissing urgent warnings while billions hang in the balance.
DPRK hackers spent 2024 perfecting their craft, siphoning $1.34 billion through increasingly sophisticated attacks.
Radiant Capital learned the hard way - a single PDF unleashed their nightmare before Christmas.
Every click, every validator, every overlooked warning brings billion-dollar protocols closer to becoming the next cautionary tale.
Hyperliquid's rush for speed and performance left them standing under the mistletoe with just four validators.
Their supposed expansion to sixteen might come too late - DPRK hackers aren't known for their patience.
Banking on Circle's 9-5 ET office hours or Arbitrum's rollback capabilities seems more wishful thinking than proper security strategy.
When state-sponsored hackers pick your protocol for their Christmas list, will your security measures be there to greet them, or will you be a ghost of protocols past?
REKT serves as a public platform for anonymous authors, we take no responsibility for the views or content hosted on REKT.