A phishing attack on HyperSwap: how a user lost $12,000 due to a fake account on X
The Hyperliquid ecosystem, despite its technological appeal, continues to demonstrate vulnerabilities related to human factors and insufficient moderation. This time, the target of the attack was the decentralized exchange HyperSwap, operating on the HyperEVM layer. One asset holder lost approximately $12,000 by falling for a classic phishing trick.
Attack Scheme: Spoofing and Trust
Analysis of the incident shows that the attackers followed a well-rehearsed scenario. A duplicate account of the official HyperSwap page was created on the social network X (Twitter). The difference in spelling was minimal — just a couple of characters, easily overlooked during a quick glance. This was precisely what the calculation was based on.
The user, seeing a post offering an "airdrop" from the exchange, clicked on the link. Instead of the official website, they landed on a phishing clone, visually indistinguishable from the original. By connecting their wallet and confirming a transaction they believed was a standard verification for receiving free tokens, the victim effectively granted the scammers permission to manage their funds.
Timeline of the Theft: Less Than Two Minutes
Data from the blockchain explorer hyperevmscan paints a clear picture. The active phase of the attack took place within two minutes — from 20:21 to 20:23 UTC on June 29, 2026. The scammer's address, flagged by the security service HashDit as Fake_Phishing3746335, first used previously obtained access to transfer an NFT representing the victim's share in a liquidity pool to their own wallet.
Key point: this operation was initiated and paid for by the attacker themselves. The victim was no longer signing anything at this moment. This is the essence of a "drainer" — access is obtained in advance, and the actual withdrawal of assets occurs later, without the owner's knowledge. After this, the scammer extracted the underlying coins from the NFT: approximately 3,935 USDC and 116 WHYPE, totaling about $12,100.
Covering Tracks and Project Response
Subsequently, the funds were consolidated into HYPE through the legitimate cross-chain transfer service LI.FI and sent to Ethereum. There, they arrived at a "transit" wallet, which had been created shortly before and used only once. This is a typical element in the money laundering chain.
The response to the incident is noteworthy. The victim attempted to contact both the HyperSwap team and the main Hyperliquid team to report the malicious link. However, according to them, there was no reaction. The only active communication channel with HyperSwap (Discord) was non-functional at the time. This creates a troubling precedent where a user is left alone to deal with the consequences of an attack, receiving no support from the platform.
My comment as an analyst: This case is not just one user's story. It is a wake-up call for the entire Hyperliquid ecosystem. The lack of a rapid response to phishing threats and non-functional support channels undermines trust in the project. Users need to exercise maximum vigilance: manually check website URLs, never click on links to "airdrops" from social networks, and regularly review granted permissions in their wallets. Decentralization technology does not negate the basic rules of digital hygiene.