Avg attacker reconnaissance time for peer-class protocols

Hyperliquid's assessment for RD-F-163 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

The DPRK October-to-December 2024 activity aligns with the USPD 78-day reconnaissance baseline. Taylor Monahan documented DPRK activity beginning in October 2024, approximately 60–78 days before the December 23, 2024 public disclosure. Trading losses (~$700k) are consistent with reconnaissance-phase mechanics testing: position sizing, liquidation mechanics, withdrawal timing. The JELLY incident (March 26, 2025) is a separate event — attacker manipulated Bybit CEX pricing to drive HLP vault losses — providing the attacker community with a proof-of-concept for oracle manipulation via CEX price feeds. Reconnaissance time for similar L1 perps exchanges: 30–90 days per hack database cluster data. Yellow: the December 2024 DPRK reconnaissance timeline passed without a confirmed strike, but the protocol class reconnaissance baseline remains relevant, and the JELLY attack pathway is the most realistic near-term attack template.

Sources #

URL
https://oakresearch.io/en/analyses/investigations/hyperliquid-jelly-attack-context-vulnerability-team-solutionretrieved 2026-04-28
URL
https://protos.com/are-north-korean-hackers-liquidated-on-hyperliquid-planning-something/retrieved 2026-04-28

Methodology #

Report the average number of days of attacker reconnaissance activity before a strike on peer-class protocols (lending/DEX/bridge/perps), sourced from the hack database.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol hyperliquid factor RD-F-163 score yellow collected_at 2026-04-28 13:58:49