Known-threat-actor cluster has touched protocol

Hyperliquid's assessment for RD-F-158 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

December 23, 2024: DPRK-attributed addresses (Lazarus Group affiliate per MetaMask security researcher Taylor Monahan, cross-referenced with on-chain analysis) deposited ETH ($476,489) and actively traded on Hyperliquid. DPRK wallets accrued ~$700k in trading losses. The cluster had touched the protocol as early as October 2024 per Monahan documentation. Hyperliquid Labs denied any exploit but did not deny the addresses were DPRK-linked. $60M+ USDC left the platform in community response. Protocol deployed screening tooling in response. At assessment date April 2026: last confirmed interaction is December 2024, beyond the 30-day window. Score yellow (not green): confirmed historical DPRK interaction permanently elevates the baseline risk for this protocol, and Hyperliquid remains one of the highest-value perps targets in DeFi at $4.73B TVL.

Sources #

URL
https://thedefiant.io/news/blockchains/hyperliquid-dips-on-north-korea-hack-fearsretrieved 2026-04-28
URL
https://www.coindesk.com/markets/2024/12/23/hyper-liquid-sees-record-60-m-in-usdc-flee-as-north-korea-said-to-be-probing-perpetuals-exchangeretrieved 2026-04-28
URL
https://beincrypto.com/north-korean-hackers-target-hyperliquid/retrieved 2026-04-28

Methodology #

Detect whether an address from the curator-maintained threat-actor cluster (past exploiters, labeled attacker families) interacted with this protocol in the last 30 days.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol hyperliquid factor RD-F-158 score yellow collected_at 2026-04-28 13:58:49