05.07.2026
06:41

A phishing attack on Hyperliquid: how scammers stole $12,000 through a fake account

The Hyperliquid ecosystem, despite its technological appeal, continues to expose weaknesses in user security. A recent incident, in which a victim lost approximately $12,000 on the decentralized exchange HyperSwap (operating on the HyperEVM layer), reveals a classic yet no less dangerous phishing scheme. The scammers act brazenly and methodically, relying on social engineering and users' inattention.

Attack Scheme: Account Spoofing and Clone Website

It all began when a user, who held assets in the HyperSwap liquidity pool, saw a post on social network X (formerly Twitter) supposedly from the exchange's official account. The post offered an airdrop — a free token distribution. Clicking the link, the victim landed on a website that was visually indistinguishable from the real HyperSwap. However, it was a phishing clone.

Key point: the post was published not by the official account, but by an impersonator. The difference in the account name was just a couple of letters, easily overlooked when quickly scrolling through the feed. The scammers created a convincing copy of both the social media account and the exchange website itself.

The Theft Moment: "Approval" Without the Owner's Knowledge

On the fake website, the user connected their wallet and, believing they were simply checking eligibility for free tokens, confirmed a transaction. In reality, this action granted the scammer permission (approval) to manage their investment in the liquidity pool. Outwardly, the operation was no different from normal actions on legitimate services, so the trick went unnoticed.

The theft itself took less than two minutes. From 20:21 to 20:23 UTC on June 29, 2026, the scammer's address (labeled by the hyperevmscan explorer as Fake_Phishing3746335) used the access it had obtained and transferred the NFT that represents the victim's share in the pool to its own wallet. Importantly, this transaction was initiated and paid for by the attacker; the victim signed nothing at that moment. This is the essence of a drainer: access is obtained in advance, and the withdrawal of funds occurs later, without the owner's involvement.

The scammer then withdrew all funds from the stolen NFT: approximately 3935 USDC and 116 WHYPE, totaling roughly $12,100. After that, using the legitimate cross-chain bridge service LI.FI, they converted everything into HYPE and transferred about $12,300 from the HyperEVM network to the Ethereum network.

Project Response and Lessons for the Community

Upon discovering the loss, the victim tried to contact the Hyperliquid team to get the link to the phishing resource removed, since it was still posted in the comments. However, according to the victim, there was no response. The only active communication channel with HyperSwap was Discord, which turned out to be non-functional at the time of the request. Attempts to reach the team through other channels also failed.

This case is a clear example that security in DeFi begins with the user's own vigilance. Scammers exploit trust in brands and human inattention. My recommendation: always check website addresses and account names character by character, never click on links to exchanges from social media posts, and enter URLs manually. And most importantly — never sign transactions whose meaning you do not fully understand, especially those related to granting permissions to manage your tokens. Regularly reviewing and revoking issued permissions through specialized services is a mandatory procedure for anyone working with DeFi protocols.
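A pre-signing check in the spirit of the recommendation above, as an added example that is not part of the original article: it decodes a transaction's data field and reports whether signing it would give a third party control over tokens. It assumes the pool-position NFT uses the standard ERC-20/ERC-721 approval functions (the article does not name the call that was signed); the spender address, token id and amounts are constructed sample values.

```python
# Standard ERC-20 / ERC-721 selectors: first 4 bytes of keccak256(signature).
# Assumption: the position NFT exposes these standard approval functions.
GRANT_SELECTORS = {
    "095ea7b3": "approve(address,uint256)",         # ERC-20 amount or ERC-721 tokenId
    "a22cb465": "setApprovalForAll(address,bool)",  # operator over a whole collection
    "39509351": "increaseAllowance(address,uint256)",
}
ZERO_ADDRESS = "0x" + "00" * 20
MAX_UINT256 = 2**256 - 1


def classify_calldata(data_hex: str) -> dict:
    """Report what signing a transaction with this data field would authorize."""
    data = data_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    selector, args = data[:8], data[8:]
    if selector not in GRANT_SELECTORS:
        return {"grants_permission": False, "selector": selector}
    if len(args) < 128:
        raise ValueError("truncated calldata: expected two 32-byte arguments")
    # Each ABI argument is one 32-byte word; an address is its low 20 bytes.
    spender = "0x" + args[24:64]
    value = int(args[64:128], 16)
    if selector == "a22cb465":
        granted = value != 0
        scope = "every token in the collection" if granted else "operator revoked"
    elif spender == ZERO_ADDRESS:
        granted, scope = False, "ERC-721 approval cleared"
    elif value == MAX_UINT256:
        granted, scope = True, "unlimited ERC-20 allowance"
    else:
        granted, scope = True, f"ERC-20 amount or ERC-721 token id {value}"
    return {"grants_permission": granted, "function": GRANT_SELECTORS[selector],
            "spender": spender, "scope": scope}


def word(value: int) -> str:
    """Encode an integer as one 32-byte ABI word (hex)."""
    return format(value, "064x")


# Constructed sample inputs: the spender, token id and amount are made up.
SAMPLE_SPENDER = int("ab" * 20, 16)
SAMPLE_NFT_APPROVE = "0x095ea7b3" + word(SAMPLE_SPENDER) + word(4242)
SAMPLE_OPERATOR = "0xa22cb465" + word(SAMPLE_SPENDER) + word(1)
SAMPLE_TRANSFER = "0xa9059cbb" + word(SAMPLE_SPENDER) + word(10**6)  # plain ERC-20 transfer

if __name__ == "__main__":
    for name in ("SAMPLE_NFT_APPROVE", "SAMPLE_OPERATOR", "SAMPLE_TRANSFER"):
        print(name, classify_calldata(globals()[name]))
```

The second argument of `approve` is an amount on an ERC-20 contract and a token id on an ERC-721 contract, so the scope can only be pinned down once the target contract's type is known. Off-chain signed permissions (typed-data signatures) never appear as calldata and are outside what this check sees.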