Crypto news

05.07.2026
14:26

A phishing attack on Hyperliquid: $12,000 stolen through a fake account on X

A user of the decentralized exchange HyperSwap, operating on the HyperEVM blockchain, lost approximately $12,000 as a result of a sophisticated phishing attack. The incident occurred due to a fraudulent link posted on the social network X (Twitter). An analysis of transactions on a blockchain explorer reconstructed the full picture of the attack, which is a classic example of social engineering using a "drainer."

How It Happened

The victim held assets in a HyperSwap liquidity pool. The right to a share in the pool is confirmed by a unique NFT. The victim's attention was drawn to a post on what appeared to be the official HyperSwap account on X, which promised a free "airdrop." By clicking on the link, the user landed on a website outwardly indistinguishable from the real one, but it was actually a phishing clone.

A key detail was that the post was published not from the exchange's official account, but from a fake duplicate. The name of the duplicate account differed from the real one by just a couple of letters, which easily escapes attention during a quick glance. The attackers created a convincing copy of the page, and the user, not noticing the substitution, took the fake at face value.

The Theft Mechanism: The "Drainer" in Action

On the fake website, the victim connected their wallet and confirmed an operation, thinking they were simply checking their eligibility for free tokens. In reality, this action granted the scammer permission to manage their investment — the NFT confirming their share in the pool. Externally, such a confirmation request is no different from normal operations on legitimate services, so the deception goes unnoticed until the funds are withdrawn.

The active phase of the theft took less than two minutes — from 20:21 to 20:23 UTC on June 29, 2026. First, the fraudulent address, tagged by the security service HashDit as Fake_Phishing3746335, using the previously obtained access, transferred the NFT with the victim's investment to its own wallet. It is important to note: this transaction was initiated and paid for by the attacker themselves. The victim did not sign anything at that moment. This is the essence of the "drainer": access is obtained in advance, and the withdrawal is carried out later, without the owner's involvement.

The scammer then withdrew the invested funds from the NFT: approximately 3935 USDC and 116 WHYPE, totaling around $12,100. Using the legitimate exchange and transfer service LI.FI, they converted all the stolen assets into a single asset, the HYPE token, and sent about $12,300 from the HyperEVM network to the Ethereum network.

How They Covered Their Tracks

On the Ethereum network, the funds arrived at an address created shortly before. It was used only once: it received the funds, almost immediately transferred them out in a single operation, and remained practically empty. Such a one-time "transit" wallet is a typical element in the chain of stolen asset withdrawal. Notably, the attacker used an ordinary, legitimate cross-chain transfer service for the withdrawal, not some "hacker" tool. This complicates tracking and creates a false impression for the victim that the service or exchange itself is to blame.

Analysis shows that the fraudulent address was active for about a month and is linked to approximately 25 different wallets. This indicates a well-established, streamlined scheme, not a random incident.

Project Reaction and Lessons

Upon discovering the loss, the user tried to contact the HyperSwap and Hyperliquid teams to have the suspicious link removed, but there was no response. The victim suspects that HyperSwap employees may be involved in the theft or are deliberately covering it up. The only active communication channel with HyperSwap was Discord, which turned out to be invalid at the time of writing.

Expert Opinion: This incident is a stark reminder that in the DeFi world, user security is 99% dependent on their own vigilance. No smart contract audit will protect against a phishing link on social media. Key rules: never click on links to exchanges from posts, always check the account name letter by letter, and most importantly, never sign operations in your wallet whose meaning you do not fully understand. Regularly checking and revoking granted permissions through verified services should become a mandatory routine for anyone working with DeFi.
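
The grant-first, withdraw-later pattern described above, together with the advice to review granted permissions, as an added example (not code from the article or from HyperSwap): it replays decoded NFT events to list approvals still in force for a wallet and to flag transfers the owner did not send. It assumes the pool NFT follows standard ERC-721 approval rules; the addresses, the event records and the `audit` function are constructed for illustration.

```python
# Added example. Assumption: the pool NFT follows standard ERC-721 approval rules.
# Events are already decoded; "tx_sender" is joined from the enclosing transaction.
ZERO = "0x" + "0" * 40
VICTIM, DAPP, DRAINER = ("0x" + c * 40 for c in "abd")  # constructed addresses

def audit(events, wallet):
    """Replay events in order; return (outstanding grants, suspicious transfers)."""
    owner_of, token_approval, operators, alerts = {}, {}, {}, []
    for ev in events:
        if ev["event"] == "Approval":
            # Per-token grant; approving the zero address revokes it.
            if ev["approved"] == ZERO:
                token_approval.pop(ev["token_id"], None)
            else:
                token_approval[ev["token_id"]] = ev["approved"]
        elif ev["event"] == "ApprovalForAll":
            # Operator grant covering every token the owner holds, now or later.
            ops = operators.setdefault(ev["owner"], set())
            if ev["approved"]:
                ops.add(ev["operator"])
            else:
                ops.discard(ev["operator"])
        elif ev["event"] == "Transfer":
            tid = ev["token_id"]
            # Heuristic: the token left the wallet in a transaction the owner
            # did not send, so an earlier grant was used (relayers also match).
            if ev["from"] == wallet and ev["tx_sender"] != wallet:
                alerts.append((tid, ev["tx_sender"], ev["to"]))
            owner_of[tid] = ev["to"]
            token_approval.pop(tid, None)  # ERC-721 clears it on transfer
    grants = [("token", t, a) for t, a in token_approval.items()
              if owner_of.get(t) == wallet]
    grants += [("all", None, op) for op in sorted(operators.get(wallet, ()))]
    return grants, alerts

# Constructed sample log, oldest first.
EVENTS = [
    {"event": "Transfer", "from": ZERO, "to": VICTIM, "token_id": 7, "tx_sender": VICTIM},
    {"event": "Approval", "owner": VICTIM, "approved": DAPP, "token_id": 7},
    {"event": "ApprovalForAll", "owner": VICTIM, "operator": DRAINER, "approved": True},
    {"event": "Transfer", "from": VICTIM, "to": DRAINER, "token_id": 7, "tx_sender": DRAINER},
]

if __name__ == "__main__":
    print("before withdrawal:", audit(EVENTS[:3], VICTIM))
    print("after withdrawal: ", audit(EVENTS, VICTIM))
```

In this sample the operator grant is still listed after the withdrawal, so any NFT the wallet receives later stays exposed until that grant is revoked.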