HyperLiquid Sees Record Withdrawals Amid Fears of North Korean Hacking, Team Denies Cyberattack Allegations
Suspicious Activity Sparks Security Concerns
Hyperliquid, a decentralized leveraged trading platform, faced a significant upheaval this week amid reports linking suspicious activities to the notorious Lazarus Group, a North Korean hacking entity.
The platform's Total Value Locked (TVL) suffered a staggering $1.36 billion drop in just six days, falling from $3.44 billion on December 17 to $2.08 billion by December 23.
Daily outflows peaked at $60–70 million USDC, representing around 3% of Hyperliquid’s bridged TVL, according to Tom Wan, Head of Data at Entropy Advisor. At the time of writing, a Dune dashboard by hashed_official indicates that daily outflows of USDC on Hyperliquid have exceeded 211 million, while $2.12 billion remains in the bridge. The platform’s native token, HYPE, mirrored these losses, plunging 20% from its earlier high of $35 to $26.54, with market capitalization dipping below $9 billion as investors retreated.
Hackers reportedly lost $700,000 during their probing activities, with a significant portion stemming from a failed Ethereum long position. Analysts like Taylor Monahan (Tayvano) noted that these losses were likely intentional sacrifices to test the platform's defenses, stating, “DPRK doesn’t trade. DPRK tests.” The Lazarus Group’s sophisticated approach—probing vulnerabilities before executing full-scale attacks—raises alarms for Hyperliquid and the broader DeFi community.
Adding to the concern is Hyperliquid’s reliance on only four validators. Cybersecurity expert Cygaar warned that compromising three of these validators could theoretically allow attackers to drain $2.3 billion in USDC. Comparisons were drawn to the $620 million Ronin Network hack, where a similar validator model was exploited. Although Hyperliquid depends on mechanisms like Circle freezing stolen funds and Arbitrum transaction rollbacks, critics argue that such measures are only effective if executed swiftly—an area historically prone to delays.
The Lazarus Group’s activities have broader implications, with Chainalysis reporting $1.34 billion stolen by North Korean hackers in 2024, marking a dramatic increase from $660 million the previous year. These thefts accounted for 61% of global crypto losses, fueling North Korea’s weapons programs. Major heists included $305 million from DMM Bitcoin in May and $235 million from WazirX in July. Cybersecurity experts like Taylor Monahan stressed the precision of these operations, describing them as “well-planned campaigns targeting the weakest links in the DeFi ecosystem.”
Community reactions to the Hyperliquid incident have been mixed. Some users dismissed the warnings as FUD, suggesting critics were exploiting the market dip to promote security services. Others emphasized the importance of vigilance, noting that consistent inflows and outflows indicate that confidence in Hyperliquid isn’t entirely eroded. However, concerns linger about the platform’s transparency and response strategy, with delays potentially exacerbating user apprehensions.
Despite the challenges, Hyperliquid remains the largest on-chain trading platform, boasting 271,000 users, $12.14 billion in total deposits, and $6.2 billion in daily trading volume. HYPE had previously seen remarkable growth, surging from $1.97 to $27.97 since its late-November token launch, solidifying its position as the 22nd largest cryptocurrency by market cap.
Hyperliquid Labs Refutes Cyberattack Allegations and Ensures User Security
Hyperliquid Labs vehemently denied recent allegations of North Korean hacking activity. In a statement issued on December 23, the team assured users that all funds remained secure, dismissing claims of any exploit tied to DPRK. Despite market fears, the platform’s native token, HYPE, rebounded from a steep decline, stabilizing at $27 by December 24 after plummeting from $34 to $25 earlier in the week.
Adding to the market dynamics, a major whale deposited $18.3 million in USDC into the platform within a single day, using $5.81 million to purchase 210,420 HYPE tokens at an average price of $27.6. This activity bolstered market sentiment, showcasing the token’s ability to recover despite significant USDC withdrawals amidst prevailing fears.
The broader crypto ecosystem continues to grapple with escalating cyber threats. In 2024 alone, losses from hacks reached $1.47 billion, making up 98.1% of the industry’s total losses. DPRK remains a central player in these attacks, implicated in over 50% of global crypto thefts this year. Tactics have evolved, with hackers leveraging tools like MetaMask for laundering operations and preferring Ethereum-based assets for their flexibility while avoiding traceable tokens like USDC.
These concerns arise against the backdrop of broader crypto security challenges. North Korean-linked hackers have intensified their attacks on the crypto industry, including a high-profile heist in May 2024, when over 4,500 BTC—valued at approximately $305 million—were stolen from Japan’s DMM crypto exchange.
The attack, orchestrated by the TraderTraitor group, exploited vulnerabilities through sophisticated tactics such as malicious Python scripts and intercepted transaction communications. The DMM incident highlighted the extensive global reach of DPRK-linked operations, which account for more than 50% of global crypto thefts this year, totaling $1.34 billion.
This article has been refined and enhanced by ChatGPT.