North Korean Hackers Liquidated for $500K on DeFi Protocol HyperLiquid, But Some See It as a 'Worrying Sign'

While some would be happy to see some of the Lazarus Group's ill-gotten gains go down the drain, others see the activity as a potentially worrying sign.

North Korean hackers were liquidated for almost $500,000 on decentralized finance (DeFi) protocol HyperLiquid over the weekend, according to a post by MetaMask’s Taylor Monahan on X.

Monahan, who tracks Lazarus Group-linked addresses across the cryptosphere, flagged the activity on HyperLiquid, noting that “DPRK doesn’t trade. DPRK tests.”

The Lazarus Group, also known as the Bureau 121, is a North Korean state-sponsored advanced persistent threat (APT) group. The group is known for its involvement in several high-profile cyberattacks, including the 2014 Sony Pictures hack and the 2017 WannaCry ransomware attack.

HyperLiquid is a decentralized exchange (DEX) that runs on its own network, built on top of Arbitrum, an L2 that itself settles to Ethereum mainnet.

In order to provide the low latency needed for the CEX-like speed of the exchange, the network relies on just four validators.

According to DeFi developer Cygaar, compromising three of these four would allow infiltrators to extract the 2.3 billion USDC backing the network.

Such an event would be far from the first time the Lazarus Group has managed to pull off something like this,

In 2022, the majority of the Ronin Bridge’s validator set was compromised, leading to over $600 million lost, and in October, Radiant Capital lost $50 million when a threshold of three of 11 multisig signers were duped into signing a malicious transaction.

At the time, concerns were raised over the sheer amount of value secured by often-times relatively few signatures, such as Blast’s three of five multisig securing $1.45 billion.

Some have urged calm, noting that bridging such a large chunk of funds would give time to interrupt the process, and that the primary backing asset, USDC, can be frozen by its issuer, Circle. “Rolling-back” the Arbitrum network in the event of an emergency was even floated as a last resort.

However, others remain skeptical about both Circle’s response time, and Arbitrum’s willingness to roll-back “for anything less than an absolutely self-existential threat.”

A Dune dashboard monitoring USDC on Hyperliquid (by user hashed_official) shows current daily outflows of over 96 million USDC, though $2.24 billion remains in the bridge.

Since the generous launch of the HYPE token, HyperLiquid has been hailed as the darling of a resurgent DeFi sector.

In response to Monahan’s post, some HyperLiquid holders have taken to minimizing the concerns as FUD designed to sell security services, or even questioning the timing of the warning, which coincides with HYPE’s first major dip in a month of up-only.

Currently trading at around $28, HYPE had climbed since launch to an all-time high of $35 two days ago, according to data from CoinMarketCap.