Addresses identified as belonging to North Korean hackers have laundered $200K in crypto through MetaMask. This type of swap comes with high fees, but can be an exit point for hackers.
A list of addresses linked to previous North Korean hacker exploits has surfaced in a series of MetaMask swaps. The addresses only swapped $200K in crypto assets, leaving $1,985 in swap fees. The MetaMask router is among the high-fee tools to swap crypto, but can be fast and accessible for hackers to obscure the origin of funds or avoid token freezing.
While the sum was small, the event itself was ominous, given the perception that DPRK hackers don’t trade, but test. Hacking activity slowed down in the second half of 2024, but there are still signs of mixing and trying to conceal funds.
The MetaMask discovery follows another episode of hacker addresses using Web3 services, DEXs and the wallet’s native router. Recently, inflows from hacker addresses were discovered on the Hyperliquid bridge. The perpetual futures DEX was not exploited in any way, but the event was also considered a test for moving funds. Some consider Hyperliquid to be still at risk, due to its limited validator points that can be exploited.
MetaMask itself has not been compromised and has remained a secure wallet, barring personal mistakes. Taylor Monahan, @tayvano, also noted the wallet has been targeted in multiple ways by North Korean hackers, who are always looking for ways to unlock stored crypto.
“MetaMask is and always has been concerned…We track DPRK carefully because they are the single largest threat to crypto companies. We also track every other crypto threat actors bc DPRK is largest but not the only threat,” said @tayvano in a recent X post.
North Korean hackers avoid USDC as lockable asset
While slowing down their exploits, North Korean hackers have been swapping funds and moving between chains.
The list of wallets that used MetaMask swaps also has a long history of using various decentralized protocols. The wallets swap between Ethereum (ETH) and stablecoins USDT and USDC.
Both stablecoins are, in theory, freezable assets, but especially USDC. For that reason, the wallets always swap back to ETH or other tokens, or move to the Arbitrum chain for some of the tasks. The wallets never keep a USDC balance for long, despite the highly active usage of the token.
The two addresses were highly active, interacting with ENS accounts, OpenSea users and web3 protocols. The swaps continued in the past few hours, again with the main task of moving funds on a relatively small scale.
0x52263cAEc2e144C3A84cc16d014157360Ac85A89
0x070cA92f568037d351666b3918a0F6ba7ad20ED1
The wallet activities and their counterparties connect to some of the most active recent protocols, meme tokens, NFTs and other assets. However, most of the activity centers around swapping into stablecoins as a temporary step.
Wallet activity raises more concerns about the safety of Hyperliquid
The recent swaps were relatively minor, with transactions under $500. However, some of the wallet counterparties showed interactions with DEXs and DeFi hubs, often transacting with the Hyperliquid bridge.
The alleged hacker wallet histories also contain interactions with Hyperliquid from the past few hours and days. For now, the protocol has not been attacked directly, but some consider it another tool for mixing funds or trading to obscure the origin of tokens. The Hyperliquid bridge is the biggest concern for attacks, since the hub’s value grew exponentially. The bridge holds more than $2B, and may not be sufficiently protected, according to @tayvano.
For now, there is no other direct link between the MetaMask swap users and a potential attack against the bridge. The MetaMask swaps may be a part of general activity to move between assets with minimal tracking.
North Korean hackers reportedly doubled their haul in 2024, potentially taking up to $1.3B from the crypto market. Most of the activity was concentrated in the first half of the year, with major hacks slowing down in the last quarter.
From Zero to Web3 Pro: Your 90-Day Career Launch Plan
