Security Concerns Arise from Reports of DPRK-Linked Wallets
Hyperliquid Labs, a decentralised platform for perpetual futures trading, has firmly denied claims of being exploited by wallets linked to North Korean hackers.
Concerns arose after MetaMask security expert Taylor Monahan reported that flagged wallets tied to North Korea had executed trades on Hyperliquid, resulting in liquidations exceeding $700,000—an uncharacteristically small amount for state-sponsored hackers.
The controversy escalated when Monahan suggested the activity was likely a reconnaissance effort, with hackers testing Hyperliquid's defenses in preparation for a potential attack.
These fears triggered a wave of withdrawals, with over $194 million in USDC pulled from the platform on a single day, according to Hashed's Dune Analytics dashboard.
Monahan also highlighted the platform's vulnerability due to its highly centralised validator set, consisting of just four validators.
In a follow-up statement, Monahan urged Hyperliquid to take immediate steps to fortify its defenses, underscoring the urgency of addressing these security concerns.
A Possible Hyperliquid Hack?
Speculation about a potential Hyperliquid hack remains unsubstantiated, but if one were to occur, here is how it might unfold.
An attack on Hyperliquid’s bridge contract would require the compromise of three out of its four validators, achieving the necessary two-thirds quorum.
If successful, the hackers could attempt to move natively minted USDC on Arbitrum.
However, Circle, the USDC issuer, could theoretically freeze these funds—provided they receive and act upon court orders swiftly enough.
This legal process, often sluggish, might give experienced hackers the window needed to convert the stolen assets into uncensorable tokens like ETH.
Alternatively, they could swap the stolen USDC for Ethereum-native USDC.e tokens and transfer them to Ethereum's mainnet.
Matt Fiebach at Entropy Advisors explained:
“The only plausible path that would enable the Arbitrum security council as a line of defense would be if the hackers attempted to withdraw the funds through the canonical bridge, likely after swapping to ETH.”
He added:
“In this scenario, the elected Arbitrum Security would need to make the decision of whether effectively blocking this transfer was within their scope of 'addressing critical risks associated with the Arbitrum protocol and its ecosystem'.”
Liquidity limitations would also pose significant hurdles.
To offload $2 billion in stolen funds, hackers would need to spread transactions across various third-party bridges, incurring substantial slippage.
Prithvir Jhaveri, founder and CEO of Loch, a crypto portfolio analytics platform, has outlined the operational and regulatory risks Hyperliquid faces.
Jhaveri pointed to the vulnerabilities stemming from the platform's reliance on just four validators and highlighted potential regulatory breaches, including violations of US OFAC sanctions and SEC regulations.
These risks are amplified by Hyperliquid's interaction with entities in sanctioned regions and its potential classification as an unregistered broker.
Hyperliquid Denies Exploit Claims But Not All Convinced
Hyperliquid Labs has responded to recent allegations via its Discord channel, firmly denying any hack or exploit linked to DPRK-affiliated addresses.
Hyperliquid emphasized its commitment to operational security, citing a robust bug bounty programme and adherence to industry standards in blockchain analysis.
The team assured users that no vulnerabilities have been disclosed by security researchers or third parties, and all funds remain secure despite concerns over suspicious trading activity.
However, not everyone is convinced.
Nassim Eddequiouaq, a crypto developer and former head of information security for Andreessen Horowitz's crypto team, expressed concern, suggesting that North Korean hackers could already be inside Hyperliquid's infrastructure, strategising a more effective exploit.
While some in the crypto community echoed these warnings, others dismissed them as a “psyop” aimed at damaging Hyperliquid’s reputation.
Notably, Hyperliquid's founders have yet to respond to an offer by Monahan, a prominent security expert, to review the platform’s security standards at no cost.
Volatility of HYPE Token Stabilises After Brief Dip
The allegations surrounding Hyperliquid and subsequent market concerns triggered a sharp decline in its native token, HYPE, which dropped over 25% from $34 on Sunday to $25 by Monday.
However, reassurances from Hyperliquid Labs about the security of user funds helped stabilise the token.
At the time of writing, HYPE had risen slightly to $25.80, marking a 1.40% recovery in the last 24 hours, according to CoinMarketCap.
Despite the volatility, Hyperliquid retains its position as a leading provider of on-chain perpetual futures trading, commanding over 55% of the market.
While recent events have tested investor confidence, the platform's dominant market position appears to be restoring trust among stakeholders.
Validator Infrastructure's Security Risks
Blockchain experts warn that Hyperliquid, a rapidly emerging DeFi platform, harbours significant security vulnerabilities that could make it a prime target for North Korea's sophisticated hacking operations.
Built with a focus on transaction speed, Hyperliquid relies on just four validators, a structure that raises red flags.
Monahan suggested that these validators might even be operated on devices the platform's founders use for personal activities like social media and video calls.
This overlap increases the risk of phishing attacks that could hand control of the network—and its billions in assets—over to hackers.
Crypto developer Cygaar highlighted a particularly concerning vulnerability: Hyperliquid's bridge on Arbitrum One currently secures $2.3 billion in USDC.
With the platform’s two-thirds quorum requirement, compromising three validators would grant malicious actors access to the entire amount.
Experts have proposed potential safeguards, such as Circle, the issuer of USDC, blacklisting hacker-associated wallets to immobilise stolen funds.
Alternatively, the Arbitrum multi-signature security council could reverse malicious transactions, though this approach faces criticism for undermining decentralisation.
The stakes are high, and these risks spotlight the urgent need for enhanced security measures.