DeltaPrime’s wallets have been compromised, leading to a loss of over $5.9 million. A hacker exploited the Arbitrum deployment of the protocol, hijacking an admin proxy and rerouting it to a malicious contract.

A hacker seizes control of DeltaPrime’s wallets

During European morning hours, Cyvers Alerts, a blockchain security platform, first raised the alarm about the attack on DeltaPrime. The platform reported that a hacker had taken over an admin wallet and was still draining funds. At that time, about $4.5 million had already been lost and converted to ETH.

🚨ALERT🚨 @DeltaPrimeDefi has faced a security incident on their admin keys. Attacker had control on the private key of 0x40e4ff9e018462ce71fa34abdfa27b8c5e2b1afb then he upgraded the proxy! So far $5.93M has been drained! Want to keep your company off our alerts radar? Learn…

— 🚨 Cyvers Alerts 🚨 (@CyversAlerts) September 16, 2024

In another post, Cyvers Alerts confirmed that over $5.93 million had been stolen, stating that the hacker had seized control of the private key of the admin wallet 0x40e4ff9e018462ce71fa34abdfa27b8c5e2b1afb before upgrading the proxy.

According to Chaofan Shan, the founder of Fuzzland, the hacker redirected funds from the admin proxy to a malicious contract identified as 0xD4CA224a176A59ed1a346FA86C3e921e01659E73.

Shan stated that the malicious contract might “inflate” the hacker’s deposited sums in all pools, estimating a loss of $6 million for DeltaPrime.
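The upgradeable-proxy pattern at the centre of this incident, as an added example that is neither DeltaPrime's code nor anything taken from the attack: an EIP-1967 proxy whose implementation can only be swapped after a queued delay, so one compromised admin key cannot redirect user calls to a new contract in a single transaction. The contract name, the 48-hour delay and the guardian role are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Constructed illustration, not DeltaPrime's contracts. The weak pattern is an
// upgradeTo() gated only by `msg.sender == admin` that takes effect at once, so
// one stolen key swaps in a malicious implementation in a single transaction.
// Here an upgrade must be queued, wait out a delay, and can be cancelled meanwhile.
contract TimelockedProxy {
    // bytes32(uint256(keccak256("eip1967.proxy.implementation")) - 1)
    bytes32 private constant _IMPL_SLOT =
        0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;
    uint256 public constant DELAY = 48 hours;  // assumed value
    address public admin;      // should be a multisig, never a single EOA
    address public guardian;   // separate key that can only cancel
    address public pendingImpl;
    uint256 public pendingEta; // earliest time the queued upgrade may execute
    event UpgradeQueued(address impl, uint256 eta); // hook for off-chain alerting

    constructor(address impl, address guardian_) {
        (admin, guardian) = (msg.sender, guardian_);
        _setImpl(impl);
    }
    // The admin can only propose; the delay gives monitoring time to react.
    function queueUpgrade(address newImpl) external {
        require(msg.sender == admin, "not admin");
        require(newImpl.code.length > 0, "not a contract");
        (pendingImpl, pendingEta) = (newImpl, block.timestamp + DELAY);
        emit UpgradeQueued(newImpl, pendingEta);
    }
    function cancelUpgrade() external {
        require(msg.sender == admin || msg.sender == guardian, "not allowed");
        (pendingImpl, pendingEta) = (address(0), 0);
    }
    function executeUpgrade() external {
        require(msg.sender == admin, "not admin");
        require(pendingImpl != address(0) && block.timestamp >= pendingEta, "not ready");
        _setImpl(pendingImpl);
        (pendingImpl, pendingEta) = (address(0), 0);
    }
    function _setImpl(address impl) private { bytes32 s = _IMPL_SLOT; assembly { sstore(s, impl) } }
    // Every user call is delegated to whatever implementation the slot holds.
    fallback() external payable {
        bytes32 slot = _IMPL_SLOT;
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), sload(slot), 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            if iszero(ok) { revert(0, returndatasize()) }
            return(0, returndatasize())
        }
    }
}
```

Monitoring for the UpgradeQueued event (or for any write to the implementation slot) is what turns the delay into reaction time; without an alert, the timelock only postpones the same outcome.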

This latest attack comes on the heels of a July hack that resulted in a $1 million loss affecting 13 different accounts. However, DeltaPrime was able to recover roughly $900,000 from that incident and used $100,000 from its stability pool to compensate affected users.

ZachXBT links the attack to North Korea’s Lazarus Group

ZachXBT, a crypto investigator, commented on the latest DeltaPrime attack, citing similarities between the techniques used and those of North Korea’s Lazarus hackers, who have actively targeted DeFi protocols.

ZachXBT revealed that the attacker’s strategy involved transferring stolen assets between chains and funnelling large sums into privacy services like Tornado Cash, effectively concealing the origins of the funds.

In August 2024, he raised concerns over Lazarus group members who he identified as having fabricated fake identities and obtained jobs as IT workers and developers before engaging in sabotage and stealing sensitive data.