Est. MMXXVI · Vol. VI · № 273
Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 208 · Private Key Compromise

DeltaPrime Single-Key Compromise

DeltaPrime lost about $6M on Arbitrum after the single private key controlling its Arbitrum contracts was compromised; the team ran a multi-sig on Avalanche but not on Arbitrum. ZachXBT linked the laundering to Lazarus.

Date: September 16, 2024
Chain(s): Arbitrum (the Avalanche deployment was unaffected)
Status:
Funds Stolen: ~$6M
Attribution: Suspected Lazarus Group (DPRK)

On September 16, 2024, the cross-chain DeFi borrowing protocol DeltaPrime lost approximately $6 million when an attacker compromised the single private key controlling the protocol's Arbitrum-side contracts. The team operated the same protocol on Avalanche behind a multi-sig with cold-storage segregation; the Avalanche deployment was untouched.

What happened

DeltaPrime's Arbitrum and Avalanche deployments shared the same protocol logic but had different operational security postures:

  • Avalanche side: multi-sig wallet, cold-storage of admin keys, separated signing path.
  • Arbitrum side: a single private key with full administrative authority over the contracts.

The attacker, whose laundering pattern ZachXBT later linked to North Korean operators, obtained the Arbitrum-side single key. The compromise vector was never publicly disclosed. On-chain data shows only that the key was used from an attacker-controlled address, not how it was obtained; a compromised key-holder endpoint is the usual explanation in Lazarus cases, but for this incident it remains an inference, not a finding.

With the key in hand, the attacker:

  1. Took control of the privileged admin functions on the DeltaPrime Arbitrum contracts.
  2. Drained roughly $6M in ARB, AVAX and stablecoin balances through withdrawal paths that only the admin role could trigger.
  3. Bridged the proceeds off Arbitrum and into the laundering routes ZachXBT associated with earlier Lazarus thefts.

The DeltaPrime team publicly confirmed that the Avalanche-side multi-sig plus cold-storage architecture had kept those contracts out of reach of the same attacker: one protocol, one attacker, two operational postures, and only the single-key side lost funds. It is as close to a controlled comparison of operational-security investment as incident history offers.

Aftermath

  • DeltaPrime paused Arbitrum contracts and announced a compensation plan.
  • The team migrated Arbitrum to the same multi-sig + cold-storage model already in use on Avalanche.
  • A separate exploit on November 11, 2024 drained a further ~$4.85M through a different bug class, an input-validation flaw in the swapDebtParaSwap function, and this time hit both chains. DeltaPrime never fully recovered.

Why it matters

DeltaPrime is one of the cleanest case studies for why deployment hygiene must travel with the protocol across chains. A multi-chain protocol deploying on a new network often replicates the contract code but not the off-chain operational security: the Safe multi-sig setup, the hardware-wallet signing flow, the key-rotation procedures. Those require human effort that does not fork as easily as Solidity.

The lesson, paid for with $6M of real customer funds: the deployment with the laxest operations is the attack surface, and a patient attacker simply waits for it.
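The check the two postures above (and the cross-chain hygiene point in this section) call for is mechanical: for every chain the protocol runs on, resolve who can administer the proxies and refuse to ship if that admin is a single key. The script below is an added example, not DeltaPrime's code or tooling. It reads the admin from the standard ERC-1967 admin storage slot, and if the admin is a contract asks it the Safe questions getThreshold() and getOwners(). All addresses, bytecode and RPC replies are constructed for the demo, and StubRpc is a hypothetical stand-in for a JSON-RPC client; a real run would answer the same three calls (eth_getStorageAt, eth_getCode, eth_call) from each chain's RPC endpoint.

```python
"""Cross-chain admin-key posture check for ERC-1967 upgradeable proxies.
Added example, not DeltaPrime's code. For each chain, read the proxy's admin
from the ERC-1967 admin slot and classify it: an EOA (one key), an unknown
contract, or a Safe-style multisig, flagged unless threshold >= 2.
All addresses, bytecode and RPC replies are constructed; StubRpc is a
hypothetical stand-in for a JSON-RPC client, not a real library."""
from dataclasses import dataclass

# keccak256("eip1967.proxy.admin") - 1, the published ERC-1967 constant.
ADMIN_SLOT = "0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103"
SEL_GET_THRESHOLD = "0xe75235b8"  # selector of Safe getThreshold()
SEL_GET_OWNERS = "0xa0e67e2b"     # selector of Safe getOwners()


@dataclass
class Posture:
    chain: str
    proxy: str
    admin: str
    kind: str        # "eoa", "multisig" or "unknown-contract"
    threshold: int
    owners: int
    acceptable: bool


def word(value: int) -> str:
    """ABI-encode an integer as one 32-byte word (hex, no 0x prefix)."""
    return format(value, "064x")


def word_to_address(word_hex: str) -> str:
    """Low 20 bytes of a 32-byte word, as a 0x-prefixed address."""
    return "0x" + word_hex[-40:]


def decode_uint(data: str) -> int:
    body = data[2:] if data.startswith("0x") else data
    if len(body) != 64:
        raise ValueError("expected exactly one 32-byte word")
    return int(body, 16)


def decode_address_array(data: str) -> list:
    """Decode an ABI-encoded dynamic address[]: offset, length, elements."""
    body = data[2:] if data.startswith("0x") else data
    offset = int(body[0:64], 16) * 2            # bytes -> hex characters
    length = int(body[offset:offset + 64], 16)
    start = offset + 64
    words = [body[start + 64 * i:start + 64 * (i + 1)] for i in range(length)]
    if any(len(w) != 64 for w in words):
        raise ValueError("truncated address[] payload")
    return [word_to_address(w) for w in words]


def assess(rpc, chain: str, proxy: str, min_threshold: int = 2) -> Posture:
    """Resolve the proxy admin and decide whether its key posture is acceptable."""
    admin = word_to_address(rpc.get_storage_at(proxy, ADMIN_SLOT))
    if rpc.get_code(admin) in ("", "0x"):
        # No bytecode at the admin address: an EOA, i.e. exactly one private key.
        return Posture(chain, proxy, admin, "eoa", 1, 1, False)
    try:
        threshold = decode_uint(rpc.call(admin, SEL_GET_THRESHOLD))
        owners = decode_address_array(rpc.call(admin, SEL_GET_OWNERS))
    except (ValueError, KeyError):
        # A contract that does not answer like a Safe: send it for manual review.
        return Posture(chain, proxy, admin, "unknown-contract", 0, 0, False)
    ok = threshold >= min_threshold and len(owners) >= threshold
    return Posture(chain, proxy, admin, "multisig", threshold, len(owners), ok)


class StubRpc:
    """Hypothetical stand-in for eth_getStorageAt / eth_getCode / eth_call."""
    def __init__(self, storage, code, calls):
        self.storage, self.code, self.calls = storage, code, calls

    def get_storage_at(self, address, slot):
        return self.storage[(address, slot)]

    def get_code(self, address):
        return self.code.get(address, "0x")

    def call(self, address, calldata):
        return self.calls[(address, calldata)]   # KeyError: no such function


# Constructed demo data; these are not DeltaPrime's real addresses.
ARB_PROXY, ARB_ADMIN = "0x" + "01" * 20, "0x" + "aa" * 20
AVAX_PROXY, AVAX_ADMIN = "0x" + "02" * 20, "0x" + "bb" * 20
SAFE_OWNERS = ["0x" + f"{i:02x}" * 20 for i in range(0x10, 0x15)]  # 5 signers


def build_demo() -> dict:
    arbitrum = StubRpc(  # admin slot points at an address with no code
        storage={(ARB_PROXY, ADMIN_SLOT): "0x" + word(int(ARB_ADMIN, 16))},
        code={}, calls={})
    avalanche = StubRpc(  # admin is a contract answering as a 3-of-5 Safe
        storage={(AVAX_PROXY, ADMIN_SLOT): "0x" + word(int(AVAX_ADMIN, 16))},
        code={AVAX_ADMIN: "0x6080604052"},
        calls={(AVAX_ADMIN, SEL_GET_THRESHOLD): "0x" + word(3),
               (AVAX_ADMIN, SEL_GET_OWNERS): "0x" + word(32) + word(len(SAFE_OWNERS))
               + "".join(word(int(o, 16)) for o in SAFE_OWNERS)})
    return {"arbitrum": (arbitrum, ARB_PROXY), "avalanche": (avalanche, AVAX_PROXY)}


def run_demo() -> dict:
    return {c: assess(rpc, c, proxy) for c, (rpc, proxy) in build_demo().items()}


if __name__ == "__main__":
    for p in run_demo().values():
        flag = "OK  " if p.acceptable else "FAIL"
        print(f"{flag} {p.chain:<10} admin={p.admin} {p.kind} {p.threshold}-of-{p.owners}")
```

Run it as a deploy-time gate: a FAIL on any chain blocks the release until that chain's admin is the same multi-sig-and-cold-storage setup as the others. Two details matter in practice. Proxies that use a transparent-proxy ProxyAdmin contract will report that contract as the admin, so the check must be repeated one level up (the ProxyAdmin's owner) before declaring a multi-sig; and a Safe with threshold 1 is operationally a single key, which is why the script rejects anything below 2 rather than just testing for "is a contract".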

Sources & on-chain evidence

  1. Halborn, "Explained: The DeltaPrime Hack (September 2024)". https://www.halborn.com/blog/post/explained-the-deltaprime-hack-september-2024
  2. CoinDesk, "Crypto broker DeltaPrime drained of over $6M amid apparent private key leak" (September 16, 2024). https://www.coindesk.com/markets/2024/09/16/crypto-broker-deltaprime-drained-of-over-6m-amid-apparent-private-key-leak
  3. Cyber Security News, "DeltaPrime exploited". https://cybersecuritynews.com/deltaprime-exploited/
