HyperSwap User Loses $12,300 in 84-Second Fake Airdrop Phishing Attack

USDC0.02%
HYPE-2.24%
ETH0.05%

A HyperSwap user lost approximately $12,300 on June 29 after clicking a fake airdrop link on X and approving a wallet request that gave a scammer control of his funds. The attack, reconstructed by BeInCrypto using public blockchain records, occurred at 20:21:51 UTC and lasted 84 seconds from NFT transfer to cross-chain bridge completion. The scammer transferred the victim's HyperSwap liquidity position represented by NFT #178549, withdrew approximately 3,935 USDC and 116.6 WHYPE, converted the funds to 175.9 HYPE, and moved the assets to Ethereum. The phishing operation exploited a fake X account impersonating the official HyperSwap account to trick the user into granting asset transfer permissions. BeInCrypto's analysis identified scammer wallet address 0x880C95246D7525b84902E6c040818a7C72d3Aa77, flagged by HashDit as Fake_Phishing3746335, which had been active for 33 days and linked to approximately 25 other addresses suggesting multiple potential victims.

Scammer Created Fake X Account Promoting Airdrop

The victim used HyperSwap, a decentralized exchange running on the Hyperliquid blockchain that allows users to trade directly from their wallets. The victim had supplied funds to a HyperSwap liquidity pool, with the position represented by NFT #178549 functioning as a digital receipt controlling the linked funds.

The victim told BeInCrypto he saw a post on X promoting an airdrop. The post appeared to come from HyperSwap but originated from an impostor account with a handle closely resembling the real HyperSwap account, HyperSwapX, which is linked from the project's official website. The victim followed the link and connected his wallet, believing he was checking airdrop qualification. Instead, he approved a transaction giving the scammer permission to move his HyperSwap position.

Wallet Approval Transferred NFT #178549 Control

At 20:21:51 UTC on June 29, the scammer used the earlier approval to transfer NFT #178549 out of the victim's wallet without requiring an additional signature at that moment. The scammer's address, 0x880C95246D7525b84902E6c040818a7C72d3Aa77, was flagged in HyperEVM explorer records as Fake_Phishing3746335 with a "Phish / Hack" tag reported by HashDit.

The NFT moved to another scammer-controlled wallet. Twenty-five seconds later, the scammer withdrew the funds behind the NFT, which contained approximately 3,935 USDC and 116.6 WHYPE worth roughly $12,300 at the time.

Stolen Funds Converted and Bridged in 84 Seconds

After withdrawing the funds, the scammer's wallet gave permission to LI.FI, a cross-chain bridge and swap service. BeInCrypto found no evidence that LI.FI participated in the theft. The scammer converted the stolen USDC and WHYPE into approximately 175.9 HYPE, then bridged the HYPE from HyperEVM to Ethereum seconds later.

The destination was Ethereum wallet 0xFa47eef42fB2C63DCEA0cAC2295a58036052932D. On Ethereum, that wallet received the funds and moved 7.035 ETH onward in one transaction. The wallet had been created shortly before, was used once, and left almost empty. From the NFT transfer to the bridge transaction, the active theft took approximately 84 seconds.

Scammer Wallet Linked to 25 Addresses Over 33 Days

Explorer records reviewed by BeInCrypto showed the scammer's address had been active for approximately 33 days and was linked to roughly 25 other addresses. The fraudulent resource link had been present in messages since June 26, according to blockchain records.

Victim Reported Scam via GitHub and Discord Without Response

The victim tried to report the suspicious link and get it removed. During a conversation with BeInCrypto, the victim stated they tried various ways to warn the Hyperliquid team about the scam via GitHub but received no response. According to the victim, the only active communication channel with HyperSwap was Discord, but the link to it was invalid at the time of writing. The victim's attempt to contact the Hyperliquid ecosystem team was unsuccessful, with the team prompting the user to contact HyperSwap directly.

The victim suggested that HyperSwap employees may be involved in the theft or are deliberately hiding it. BeInCrypto could not find any exact information to support those claims.

FAQ

What happened in the HyperSwap phishing attack on June 29? A HyperSwap user lost approximately $12,300 after clicking a fake airdrop link on X and approving a wallet request. The scammer transferred NFT #178549 representing the victim's liquidity position at 20:21:51 UTC on June 29, withdrew approximately 3,935 USDC and 116.6 WHYPE, converted the funds to 175.9 HYPE, and bridged the assets to Ethereum in 84 seconds.

How did the scammer gain control of the victim's funds? The scammer used a fake X account impersonating the official HyperSwap account to promote a fraudulent airdrop. When the victim connected his wallet and approved what appeared to be an airdrop eligibility check, he granted the scammer permission to transfer NFT #178549, which controlled his HyperSwap liquidity position worth approximately $12,300.

What wallet address was used in the HyperSwap phishing attack? The scammer used wallet address 0x880C95246D7525b84902E6c040818a7C72d3Aa77, which HyperEVM explorer records flagged as Fake_Phishing3746335 with a "Phish / Hack" tag reported by HashDit. Explorer records reviewed by BeInCrypto showed this address had been active for approximately 33 days and was linked to roughly 25 other addresses.

Disclaimer: The information on this page may come from third-party sources and is for reference only. It does not represent the views or opinions of Gate and does not constitute any financial, investment, or legal advice. Virtual asset trading involves high risk. Please do not rely solely on the information on this page when making decisions. For details, see the Disclaimer.
Comment
0/400
No comments