A phishing attack on HyperSwap: how scammers stole $12,000 through a fake account
The Hyperliquid ecosystem, despite its technological appeal, demonstrates a troubling vulnerability in user security. A recent incident, in which one asset holder lost approximately $12,000 on the decentralized exchange HyperSwap (operating on the HyperEVM layer), exposed a classic yet no less dangerous phishing scheme. The victim fell prey to a fraudulent link posted on social network X.
Anatomy of the Attack: From Spoofing to Theft
The scammers followed a well-rehearsed script. They created a duplicate account of the official HyperSwap page, altering the name by just a couple of characters. It was from this fake profile that a link was posted, supposedly leading to a free token distribution (airdrop). The user, not noticing the substitution, clicked on it and landed on a clone site visually indistinguishable from the real one.
The climax came when the victim connected their wallet and confirmed a transaction, believing they were participating in a legitimate eligibility check for free coins. In reality, this action granted the attackers permission (approve) to manage their stake in the liquidity pool. On the surface, this confirmation looked no different from a standard operation on a legitimate service, which let the attack go unnoticed until the funds were withdrawn.
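An approval of this kind can be recognised before signing by decoding the calldata of the requested transaction. The sketch below is an added example, not code from HyperSwap or from the original article. It assumes the position NFT exposes the standard ERC-721 approval functions, and the spender address and token ID in the sample are constructed.

```javascript
// Added example: classify calldata that a site asks the wallet to sign.
// Selectors are the first 4 bytes of keccak256 of the function signature.
const APPROVAL_SELECTORS = {
  "0x095ea7b3": "approve(address,uint256)",        // ERC-20 allowance or ERC-721 tokenId
  "0xa22cb465": "setApprovalForAll(address,bool)", // ERC-721 / ERC-1155 operator
};
const ZERO = "0x" + "0".repeat(40);

// i-th 32-byte ABI argument as hex (no 0x prefix)
const arg = (data, i) => data.slice(10 + 64 * i, 74 + 64 * i);

function inspectCalldata(data, trustedSpenders = []) {
  data = String(data || "").toLowerCase();
  const fn = APPROVAL_SELECTORS[data.slice(0, 10)];
  if (!fn) return { risk: "none", reason: "not an approval call" };
  if (!/^0x[0-9a-f]{136}$/.test(data))
    return { risk: "high", fn, reason: "malformed approval calldata" };

  const spender = "0x" + arg(data, 0).slice(24);
  const value = BigInt("0x" + arg(data, 1));
  // setApprovalForAll(x, false) and approve(0x0, tokenId) remove access.
  // approve(x, 0) is ambiguous (ERC-20 revoke or ERC-721 tokenId 0), so it
  // is conservatively treated as a grant.
  const revokes = spender === ZERO || (fn.startsWith("setApprovalForAll") && value === 0n);
  if (revokes) return { risk: "none", fn, spender, value, reason: "revokes access" };

  const trusted = trustedSpenders.map((a) => a.toLowerCase()).includes(spender);
  return trusted
    ? { risk: "review", fn, spender, value, reason: "grants access to an allowlisted spender" }
    : { risk: "high", fn, spender, value, reason: "grants access to an unknown spender" };
}

// Constructed sample: approve(spender, tokenId 4242); values are not from the incident.
const pad = (hex) => hex.replace(/^0x/, "").padStart(64, "0");
const SPENDER = "0x" + "ab".repeat(20);
const sample = "0x095ea7b3" + pad(SPENDER) + pad((4242).toString(16));
console.log(inspectCalldata(sample));
```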
Lightning-Fast Theft and Covering Tracks
The active phase of the theft took just two minutes, from 20:21 to 20:23 UTC on June 29, 2026. First, the fraudulent address, flagged by the security service HashDit as Fake_Phishing3746335, used the previously obtained access to transfer the NFT confirming the victim's stake to its own wallet. It is important to emphasize that this operation was initiated and paid for by the attacker himself; the victim signed nothing at that moment. This is the insidious nature of the "drainer": access is obtained by deception in advance, and the withdrawal occurs later, without the owner's knowledge.
Then, the hacker extracted assets from the stolen NFT: approximately 3,935 USDC and 116 WHYPE, totaling roughly $12,100. Using the legitimate cross-chain bridge service LI.FI, they converted everything into HYPE and withdrew about $12,300 from the HyperEVM network to the Ethereum network. Using a legitimate tool to transfer funds between networks is a sophisticated move that complicates tracking and creates a false impression for the victim that the exchange or bridge service itself was involved in the theft.
Project Response and Systemic Issue
Upon discovering the loss, the user tried to contact the project team to have the fraudulent link blocked or removed; it had been sitting in the comments since June 26. However, there was no response. According to the victim, the only active communication channel with HyperSwap was Discord, but at the time of writing, the link to it was invalid. Attempts to inform the Hyperliquid team were also unsuccessful: in response, the victim was advised to contact the HyperSwap developers directly.
This incident is not an isolated case but part of a systemic problem. Explorer data shows that the fraudulent address was active for about a month and is linked to approximately 25 different wallets, indicating a well-established, streamlined scheme. The victim himself suggested that HyperSwap employees might be involved in the theft or deliberately covering it up.
Expert Opinion. This case is a stark example of how technological decentralization, without proper attention to user experience security, turns into a "blind spot." The responsibility for protecting assets in DeFi still lies with the user. However, ecosystem projects, especially prominent ones like Hyperliquid, should more actively implement preventive protection mechanisms and incident response. Ignoring reports of vulnerabilities is a direct path to losing trust and incurring reputational costs that could far exceed the amount of a single theft.