CertiK analyzes a November 2024 DeltaPrime exploit that stole about $4.8 million across Arbitrum and Avalanche. The attacker combined two arbitrary-input flaws: one let borrowed WBTC move through the swap adapter to an attacker-controlled contract while repayment accounting stayed unchanged, and the other abused the TraderJoeV2ArbitrumFacet claim mechanism to recover ETH collateral. Funds were split across Arbitrum and Avalanche wallets, with some Avalanche proceeds staked and some Arbitrum WBTC bridged to Ethereum. The source does not attribute the incident to DPRK activity, so the summary should be treated as Web3 exploit context rather than Lazarus-specific attribution.