17 September, 2024

Delta Primes DeFi Platform Suffers $6 Million Security Breach: North Korea Suspected

The decentralized finance (DeFi) platform Delta Primes experienced a significant security breach on Monday, impacting its users. The attack resulted in the theft of $6 million from the project’s liquidity pools and is currently under investigation. Meanwhile, on-chain investigators are raising suspicions that North Korean hackers may be behind the incident, suggesting it could be part of a larger-scale scheme.

On Monday morning, cybersecurity platform Cyvers Alerts alerted the community about the ongoing attack on the Delta Primes DeFi borrowing protocol. Initial reports from Cyvers indicated the detection of multiple suspicious transactions linked to the project on the Arbitrum chain. These transactions pointed to the possibility that the DeFi protocol’s team had lost control of their private key, leading to an initial loss of $4.5 million from the DPUSDC, DPARB, and DPBTCb pools. The suspicious address used to drain the funds promptly swapped the USDC for Ethereum (ETH).

Within an hour, Cyvers provided further details, revealing that the attackers had seemingly altered the protocol’s upgradeable proxy, pointing it at a malicious implementation contract. Other reports described how this malicious contract could artificially inflate the hacker’s recorded deposit balance across all pools. The attackers managed to siphon another $1.48 million from the pools before Delta Prime’s team regained control.

Two hours after the initial reports emerged, the DeFi platform acknowledged the incident in a public statement. The post confirmed that Delta Prime Blue, operating on the Arbitrum chain, had been attacked and drained for $5.98 million. The team attributed the attack to a compromised private key, emphasizing that the cause was still under investigation. However, they reassured users that Delta Prime Red, deployed on Avalanche, remained unaffected, explaining that its implementation relied solely on multi-signature wallets and cold storage.

The post also highlighted that the risk had been contained, assuring the community that the DeFi protocol’s insurance pool would cover potential losses: “The risk is contained, we’re working on asset-retrieval and the insurance pool will cover any potential losses where possible / necessary. Additionally, we’re looking into other ways to reduce user losses to a minimum.”

North Korean Hackers as Potential Culprits

Despite the swift response from Delta Primes, some users expressed concerns regarding the incident. When questioned about the lack of timelocks for Delta Prime Blue, the team explained: “This is exactly what timelocks are for. The switch from this hot & non-timelocked owner to a cold timelocked owner should have been done on Arbitrum like it was on Avalanche (and like other initial owners on Arbi).”
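The two weaknesses described above, a proxy repointed to a malicious implementation and an owner key that was hot and not behind a timelock, suggest a simple monitoring rule: every implementation change on a pool proxy should be traceable to a timelock schedule whose delay had fully elapsed. The following is an added example written for this article, not code from Delta Prime or from Cyvers; the event records are constructed and already decoded, and the field names, addresses and the 24-hour policy threshold are assumptions.

```python
# Constructed, already-decoded chain events (assumed field layout, not a real ABI).
# "Upgraded"      = a proxy's implementation pointer changed (EIP-1967 style event).
# "CallScheduled" = a TimelockController queued a call; "new_impl" is the decoded
#                   upgrade target inside that queued call.
# Addresses such as "0xPoolA" are placeholders, not real contracts.
EVENTS = [
    {"ts": 1_000_000, "event": "CallScheduled", "proxy": "0xPoolA",
     "new_impl": "0xImplV2", "delay": 172_800},                       # 48h delay
    {"ts": 1_200_000, "event": "Upgraded", "proxy": "0xPoolA",
     "new_impl": "0xImplV2", "caller": "0xTimelock"},                 # delay elapsed
    {"ts": 1_300_000, "event": "Upgraded", "proxy": "0xPoolB",
     "new_impl": "0xEvilImpl", "caller": "0xHotOwnerEOA"},            # never scheduled
    {"ts": 1_310_000, "event": "CallScheduled", "proxy": "0xPoolC",
     "new_impl": "0xImplV3", "delay": 172_800},
    {"ts": 1_320_000, "event": "Upgraded", "proxy": "0xPoolC",
     "new_impl": "0xImplV3", "caller": "0xTimelock"},                 # executed too early
]

MIN_DELAY = 24 * 3600  # assumed policy: every upgrade waits at least 24h in the timelock


def audit_upgrades(events, min_delay=MIN_DELAY):
    """Return one alert per Upgraded event that is not backed by a matching
    CallScheduled whose delay meets policy and had elapsed before execution."""
    ready_at = {}  # (proxy, new_impl) -> earliest timestamp the upgrade may execute
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["proxy"], ev["new_impl"])
        if ev["event"] == "CallScheduled":
            if ev["delay"] < min_delay:
                alerts.append(f"{ev['proxy']}: upgrade to {ev['new_impl']} scheduled "
                              f"with delay {ev['delay']}s below policy {min_delay}s")
            ready_at[key] = ev["ts"] + ev["delay"]
        elif ev["event"] == "Upgraded":
            earliest = ready_at.pop(key, None)
            if earliest is None:
                alerts.append(f"{ev['proxy']}: implementation switched to {ev['new_impl']} "
                              f"by {ev['caller']} with no timelock schedule")
            elif ev["ts"] < earliest:
                alerts.append(f"{ev['proxy']}: upgrade to {ev['new_impl']} executed "
                              f"{earliest - ev['ts']}s before timelock delay elapsed")
    return alerts


if __name__ == "__main__":
    for line in audit_upgrades(EVENTS):
        print("ALERT", line)
```

Run against the constructed events, the PoolA upgrade passes silently while PoolB (no schedule, hot owner) and PoolC (executed before the delay elapsed) each raise an alert.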

One community member criticized the team for not implementing the same security measures on both Delta Prime Blue and Red, stating there was no excuse for the disparity. Moreover, on-chain investigator ZachXBT suggested a potential connection to a broader issue. A month prior, Zach had assisted another team with a crypto hack investigation, uncovering evidence of over 25 projects unknowingly employing North Korean IT workers under fake identities as developers.

In a recent revelation, the crypto detective pointed out that Delta Primes was among the teams he had alerted about these North Korean IT workers in August. He further observed that the method used to exploit Delta Prime bore striking similarities to the hack he had previously assisted with.

As of this writing, Delta Prime’s team has yet to address the potential link to North Korean hackers. However, they have indicated their focus on recovering the stolen funds, stating that “the event isn’t over yet.”

The incident underscores the ongoing security challenges facing the DeFi space and highlights the critical need for robust security measures to protect user funds. Further investigations are expected to shed more light on the attack’s origins and the potential involvement of North Korean hackers.