How a Fake HyperSwap Airdrop Drained $12,300 in 84 Seconds

Source Beincrypto

A HyperSwap user lost about $12,300 after clicking a fake airdrop link on X, approving one wallet request, and unknowingly giving a scammer control of his funds.

BeInCrypto reconstructed the attack with the victim using public blockchain records. The records show a fast phishing operation inside the Hyperliquid ecosystem. 

The scammer took the victim’s position on HyperSwap, withdrew the funds behind it, converted them into HYPE, and moved the money to Ethereum in less than two minutes.

Note: HyperSwap is an exchange that runs on the Hyperliquid blockchain. HyperSwap has its own team, and Hyperliquid does not manage it — just as the creators of Ethereum do not manage applications like Uniswap running on it.

The Trap Started With a Fake X Account

The victim used HyperSwap. Like other decentralized exchanges, it lets users trade directly from their wallets without a company holding their funds.

The victim had supplied money to a HyperSwap liquidity pool. In simple terms, he had deposited crypto, so other users could trade against it. In return, he could earn fees.

On HyperSwap V3, that position was represented by NFT #178549. This was not a picture or collectible. It was more like a digital receipt. Whoever controlled that NFT controlled the funds linked to the position.

The victim told BeInCrypto he saw a post on X promoting an airdrop. An airdrop is a token giveaway, often used by crypto projects to reward users.

The Scammer’s Post Using a Fake X Account with a Very Similar Username to the Official HyperSwap Account

The post appeared to come from HyperSwap. It did not. It came from an impostor account with a handle that closely resembled the real HyperSwap account, HyperSwapX, which is linked from the project’s official website.

The victim followed the link and connected his wallet. He believed he was checking whether he qualified for the airdrop. Instead, he approved a transaction that gave the scammer permission to move his HyperSwap position.

That approval was the key moment.

One Approval Gave the Scammer Control

Crypto wallets often ask users to approve transactions. Some approvals are harmless. Others give another address permission to move valuable assets.

To most users, the warning can look routine. A fake site can make a dangerous approval look like a normal step in claiming tokens.

That appears to be what happened here.

At 20:21:51 UTC on June 29, the scammer used the earlier approval to transfer NFT #178549 out of the victim’s wallet. The victim did not sign anything at that moment. The scammer had already secured permission.

The scammer’s address was 0x880C95246D7525b84902E6c040818a7C72d3Aa77. HyperEVM explorer records flagged it as Fake_Phishing3746335, with a “Phish / Hack” tag reported by HashDit.

The NFT moved to another scammer-controlled wallet. Once that happened, the attacker controlled the liquidity position.

Twenty-five seconds later, the scammer withdrew the funds behind the NFT. The position contained about 3,935 USDC and 116.6 WHYPE. Together, they were worth roughly $12,300 at the time.

Theft transaction in hyperevmscan: On June 29, 2026, the address marked as Fake_Phishing3746335 transferred the victim’s NFT (0x39f2…0f9E) to his wallet

The Money Was Moved Fast

After withdrawing the funds, the scammer prepared to move them away from HyperEVM.

First, the wallet gave permission to LI.FI, a legitimate cross-chain bridge and swap service. A bridge lets users move crypto from one blockchain to another.

There is no evidence that LI.FI took part in the theft. The scammer used it after stealing the funds.

The scammer then converted the stolen USDC and WHYPE into about 175.9 HYPE. Seconds later, the HYPE was bridged from HyperEVM to Ethereum.

The destination was 0xFa47eef42fB2C63DCEA0cAC2295a58036052932D. On Ethereum, that wallet received the funds and almost immediately moved 7.035 ETH onward in one transaction.

The wallet had been created shortly before. It was used once and left almost empty. That pattern is common in laundering chains, where stolen funds pass through temporary wallets to make tracing harder.

From the NFT transfer to the bridge transaction, the active theft took about 84 seconds.

A Wider Phishing Pattern

The scammer’s wallet appeared to be part of a broader operation.

Explorer records reviewed by BeInCrypto showed the address had been active for about 33 days. It was also linked to roughly 25 other addresses. That suggests the attacker may have targeted more than one user.

The link to the fraudulent resource has been hanging in messages since June 26

For victims, the problem is practical. Blockchain records can show what happened. They rarely stop it from happening in real time.

Once a user signs a bad approval, the scammer can act quickly. Once funds move across chains, recovery becomes even harder.

The victim later tried to report the suspicious link and get it removed. He said he felt ignored and began to suspect the HyperSwap team had failed to act.

The on-chain evidence reviewed by BeInCrypto points to a phishing attack from an impostor account. The fake X account was separate from HyperSwap’s official account. The official HyperSwap account and official contract were not shown to have carried out the theft.

However, the victim’s experience highlights a serious weakness in the ecosystem. Users can be attacked through fake social media accounts, drained through confusing wallet approvals, and left with few clear options after the money is gone.

During a conversation with BeInCrypto journalists, the victim stated that they tried various ways to warn the Hyperliquid team about the scam, but received no response.

According to the victim, the only active communication channel with HyperSwap was Discord. At the time of writing, the link to it is invalid. So he tried to get the problem across to the ecosystem team where the project works, but that attempt was unsuccessful.

The screenshot shows our interlocutor trying to reach Hyperliquid support via Discord. In this case, the Hyperliquid command ignores the user’s request to send a message about the found vulnerability and prompts him to contact HyperSwap himself.

Overall, the scammer’s method was simple. A fake account promoted a fake airdrop. A fake site secured wallet approval. A flagged phishing wallet took the victim’s HyperSwap position, emptied it, and moved the funds to Ethereum.

The loss was about $12,300. The theft took less than two minutes.

The victim suggested that HyperSwap employees may be involved in the theft or are deliberately hiding it. However, BeInCrypto could not find any exact information to support those claims. 

Disclaimer: For information purposes only. Past performance is not indicative of future results.
placeholder
Micron goes all in on AI with $9.3B Japan chip plantMicron Technology broke ground on a new plant to manufacture memory chips in western Japan. This $9.3-billion facility represents an enormous commitment by Micron to grow its ability to deliver semiconductors for AI. The new facility will enable Micron to provide large amounts of high-bandwidth memory (HBM), a key part of training and operating AI...
Author  Cryptopolitan
14 hours ago
Micron Technology broke ground on a new plant to manufacture memory chips in western Japan. This $9.3-billion facility represents an enormous commitment by Micron to grow its ability to deliver semiconductors for AI. The new facility will enable Micron to provide large amounts of high-bandwidth memory (HBM), a key part of training and operating AI...
placeholder
Trump's billion-dollar crypto gain came with almost $4B investor lossesPresident Donald Trump earned a $636 million payout from his Official Trump (TRUMP) memecoin while the people who bought it lost considerably more, according to blockchain data from Nansen and Trump’s own 2025 financial disclosure. The analytics firm counted 988,905 wallets that lost a total of $3.81 billion by the end of June. Nansen’s tally,...
Author  Cryptopolitan
14 hours ago
President Donald Trump earned a $636 million payout from his Official Trump (TRUMP) memecoin while the people who bought it lost considerably more, according to blockchain data from Nansen and Trump’s own 2025 financial disclosure. The analytics firm counted 988,905 wallets that lost a total of $3.81 billion by the end of June. Nansen’s tally,...
placeholder
Vitalik Buterin shares roadmap to Ethereum becoming leaner and more scalableVitalik Buterin has published an updated long-term roadmap for Ethereum, calling the multi-year effort “Lean Ethereum” as the network’s biggest redesign since the Merge. He posted it to X on July 4, 2026, days after Ethereum researchers gathered in Berlin to work on the protocol’s long-term trajectory.      Buterin’s post is important to those...
Author  Cryptopolitan
14 hours ago
Vitalik Buterin has published an updated long-term roadmap for Ethereum, calling the multi-year effort “Lean Ethereum” as the network’s biggest redesign since the Merge. He posted it to X on July 4, 2026, days after Ethereum researchers gathered in Berlin to work on the protocol’s long-term trajectory.      Buterin’s post is important to those...
placeholder
Bitcoin Price Spikes Near $64,000 as Short Sellers Get LiquidatedBitcoin (BTC) spiked to nearly $64,000 in the early hours of July 6, reaching $63,900 on CoinGecko, extending a weekend rally that liquidated hundreds of millions of dollars in short positions.The mov
Author  Beincrypto
14 hours ago
Bitcoin (BTC) spiked to nearly $64,000 in the early hours of July 6, reaching $63,900 on CoinGecko, extending a weekend rally that liquidated hundreds of millions of dollars in short positions.The mov
placeholder
Bitcoin Options Turn Call-Heavy Before July 8 FOMC Minutes: Will BTC Break $63,000?Bitcoin (BTC) options expiring July 8 have turned call-heavy, with traders positioning for higher prices. The expiry lands the same day the Federal Reserve releases minutes from its June meeting.Call
Author  Beincrypto
14 hours ago
Bitcoin (BTC) options expiring July 8 have turned call-heavy, with traders positioning for higher prices. The expiry lands the same day the Federal Reserve releases minutes from its June meeting.Call
goTop
quote