How A Fake Hyperswap Airdrop Drained $12,300 In 84 Seconds
- BeInCrypto reconstructed the attack with the victim using public blockchain records.
- The records show a fast phishing operation inside the Hyperliquid ecosystem.
- Note: HyperSwap is an exchange that runs on the Hyperliquid blockchain.
- HyperSwap has its own team, and Hyperliquid does not manage it — just as the creators of Ethereum do not manage applications like Uniswap running on it.
What Happened
The scammer’s address was 0x880C95246D7525b84902E6c040818a7C72d3Aa77. HyperEVM explorer records flagged it as Fake_Phishing3746335, with a “Phish / Hack” tag reported by HashDit.
Market Context
The victim had supplied money to a HyperSwap liquidity pool. In simple terms, he had deposited crypto, so other users could trade against it. In return, he could earn fees.
The NFT moved to another scammer-controlled wallet. Once that happened, the attacker controlled the liquidity position.
Why It Matters
A HyperSwap user lost about $12,300 after clicking a fake airdrop link on X, approving one wallet request, and unknowingly giving a scammer control of his funds.
BeInCrypto reconstructed the attack with the victim using public blockchain records. The records show a fast phishing operation inside the Hyperliquid ecosystem.
Details
The scammer took the victim’s position on HyperSwap, withdrew the funds behind it, converted them into HYPE, and moved the money to Ethereum in less than two minutes.
Note: HyperSwap is an exchange that runs on the Hyperliquid blockchain. HyperSwap has its own team, and Hyperliquid does not manage it — just as the creators of Ethereum do not manage applications like Uniswap running on it.
The Trap Started With a Fake X Account
The victim used HyperSwap. Like other decentralized exchanges, it lets users trade directly from their wallets without a company holding their funds.
On HyperSwap V3, that position was represented by NFT #178549. This was not a picture or collectible. It was more like a digital receipt. Whoever controlled that NFT controlled the funds linked to the position.
The victim told BeInCrypto he saw a post on X promoting an airdrop. An airdrop is a token giveaway, often used by crypto projects to reward users.
The post appeared to come from HyperSwap. It did not. It came from an impostor account with a handle that closely resembled the real HyperSwap account, HyperSwapX, which is linked from the project’s official website.
The victim followed the link and connected his wallet. He believed he was checking whether he qualified for the airdrop. Instead, he approved a transaction that gave the scammer permission to move his HyperSwap position.
That approval was the key moment.
One Approval Gave the Scammer Control
Crypto wallets often ask users to approve transactions. Some approvals are harmless. Others give another address permission to move valuable assets.
To most users, the warning can look routine. A fake site can make a dangerous approval look like a normal step in claiming tokens.
That appears to be what happened here.
At 20:21:51 UTC on June 29, the scammer used the earlier approval to transfer NFT #178549 out of the victim’s wallet. The victim did not sign anything at that moment. The scammer had already secured permission.
Twenty-five seconds later, the scammer withdrew the funds behind the NFT. The position contained about 3,935 USDC and 116.6 WHYPE. Together, they were worth roughly $12,300 at the time.
The Money Was Moved Fast
After withdrawing the funds, the scammer prepared to move them away from HyperEVM.
First, the wallet gave permission to LI.FI, a legitimate cross-chain bridge and swap service. A bridge lets users move crypto from one blockchain to another.
There is no evidence that LI.FI took part in the theft. The scammer used it after stealing the funds.