Hyperliquid Faces $250M in Net Outflows Amid Concerns Over North Korean Hackers

Crypto derivatives platform Hyperliquid has seen over $256 million in net outflows after security experts revealed that North Korean hackers, potentially linked to the state-sponsored Lazarus Group, had been trading on the platform. The news sent shockwaves through the crypto community, triggering fears of an exploit and sparking a massive sell-off.
On December 23, MetaMask security researcher Tay Monahan disclosed on X (formerly Twitter) that North Korean threat actors had been using Hyperliquid since at least October. Monahan’s warning raised alarms, with her post emphasizing that while North Korea may not actively trade, it is known to test platforms, raising concerns over potential vulnerabilities. “DPRK doesn’t trade. DPRK tests,” Monahan wrote, intensifying the focus on Hyperliquid’s security infrastructure.
In the 30 hours following Monahan’s post, Hyperliquid experienced significant outflows, with data from Dune Analytics showing a total of $256 million in net outflows. On December 23 alone, Hyperliquid saw its largest single-day outflow, with $502.7 million leaving the platform, while inflows remained relatively stable at $253.5 million.
Despite the turmoil, Hyperliquid responded on its official Discord server, reassuring users that no exploit had occurred on its platform. "We are aware of reports circulating regarding activity by supposed DPRK addresses. There has been no DPRK exploit—or any exploit for that matter—of Hyperliquid. All user funds are accounted for,” the platform said.
The revelation of North Korean involvement in the crypto space is not new. Hackers linked to the Democratic People’s Republic of Korea (DPRK) have been actively targeting the crypto industry. In 2023 alone, North Korean hackers, including the notorious Lazarus Group, have stolen over $1.3 billion in cryptocurrency, doubling their haul from the previous year. These funds are believed to support the North Korean regime, which has been largely isolated by international sanctions.
Monahan further claimed that Hyperliquid’s security infrastructure was highly centralized, depending on just four validators, which could be a potential weakness in the event of a coordinated attack. This observation sparked mixed reactions within the crypto community. Hyperliquid supporters accused Monahan of spreading unnecessary fear, while others, including developers and security researchers, defended her as a reputable security expert.
The news surrounding the possible security vulnerability also impacted Hyperliquid’s native token, HYPE. After reaching an all-time high of $35 on December 22, the token plummeted by 20%, trading around $28, according to TradingView data. Despite this, the broader crypto community remained divided, with some crypto experts cautioning against dismissing the warning as overblown.
Laurence Day, co-founder of Wildcat Labs, expressed concern over the potential impact of North Korean hackers. "You might not like the way Tay communicates, but at least we’re talking now. Kim [Jong Un’s] goons showing up is always at least a two-alarm fire," Day wrote, highlighting the seriousness of the situation. Day also noted that past encounters with Lazarus have demonstrated the group's sophistication and the risks associated with underestimating them.
In response to concerns about a potential exploit, pseudonymous developer Cygaar outlined two potential lines of defense that could mitigate the impact of an attack on Hyperliquid. First, USDC issuer Circle could blacklist compromised addresses, preventing stolen funds from being moved. “If they act quickly enough, they can prevent the attacker from trading out of the stolen USDC and effectively freeze the funds,” Cygaar explained.
Additionally, since Hyperliquid operates on the Arbitrum chain, it could theoretically roll back the chain to prevent the loss of funds. However, Day dismissed the possibility of an Arbitrum rollback, stating that such an action would only occur in the event of an "existential" threat to the chain itself.
As concerns continue to mount, Hyperliquid is under intense scrutiny from both users and security experts alike. While the platform insists that no exploit has occurred, the incident underscores the growing concerns around security in the decentralized finance (DeFi) space, especially in light of increasing North Korean involvement in cryptocurrency-related cybercrime. The coming weeks will likely reveal whether the fears are substantiated or if the platform can recover from this turbulence.
Disclaimer: The content on this website is for informational purposes only and does not constitute financial or investment advice. We do not endorse any project or product. Readers should conduct their own research and assume full responsibility for their decisions. We are not liable for any loss or damage arising from reliance on the information provided. Crypto investments carry risks.