Quick Take
  • A Hyperliquid user operating wallet address 0x0cdC…E955 has lost $21 million worth of crypto to hackers, following a private key breach.
  • The stolen haul included approximately 17.75 million DAI tokens and 3.11 million MSYRUPUSDP tokens.
  • PeckShield’s investigation included visual evidence in the form of screenshots that map out various wallet addresses implicated in the theft.
  • This methodology closely mirrors the tactics employed by cybercriminals in previous high-profile cryptocurrency thefts.

What Happened

A Hyperliquid user operating wallet address 0x0cdC…E955 has lost $21 million worth of crypto to hackers, following a private key breach.

PeckShield’s investigation included visual evidence in the form of screenshots that map out various wallet addresses implicated in the theft.

A mysterious aspect of the hacking incident involves the timing of certain trading activities.

Their reasoning centers on the observation that these newly acquired assets were converted into the stablecoins USDC and DAI, then dispersed across numerous wallet addresses spanning both the Ethereum and Arbitrum blockchain networks.

Investigation findings reveal that the attacker also successfully extracted $3.1 million from the Plasma Syrup Vault liquidity pool.

According to Cannon’s analysis, an additional $300,000 may have been drained from associated wallet addresses that the hacker managed to compromise.

Similar Hacking Incidents On Hyperliquid Paint a Troubling Picture

According to him, he’s not sure how he was hacked: “No malware, no Discord chats, no TG calls, no email download,” he added.

He believes the hack was most likely achieved through Windows malware, as he hadn’t touched crypto wallets in a week prior to the hack and had gotten a new MacBook, too, but the wallet wasn’t set up on it.

Unlike smart contract bugs or exchange exploits, this attack happened because of a private key leak.

Market Context

Precisely when PeckShield issued its initial alert about the breach, trading records show that a Hyperliquid account executed a closure of a HYPE long position valued at $16 million.

Researchers at MLM conducted an analysis of transaction records from Hypurrscan and have put forward the theory that this trading account likely belongs to the compromised user.

Why It Matters

Luke Cannon, a prominent voice on X (formerly Twitter), has suggested that the victim’s losses may be even more extensive.

Details

Blockchain security specialists at PeckShield tracked the movement of stolen assets through on-chain analysis, revealing that the attackers quickly moved to transfer the compromised funds to the Ethereum network.

The stolen haul included approximately 17.75 million DAI tokens and 3.11 million MSYRUPUSDP tokens.

The data shows a clear trail of stolen tokens being systematically transferred and redistributed through Monero dark pool. This methodology closely mirrors the tactics employed by cybercriminals in previous high-profile cryptocurrency thefts.

$16M Long Trade Close Links to the Hyperliquid Private Key Breach

This same account also liquidated 100,000 HYPE coins, converting them into $4.4 million.

This transaction pattern correlates closely with the movement data that PeckShield documented through Etherscan.

The scope of the attack wasn’t limited to assets held directly on the Hyperliquid platform.

These funds, denominated in MSYRUPUSDP tokens, were immediately relocated to a freshly created wallet address.

Another Hyperliquid user shared that he lost $700k in HYPE in a similar incident last month.

That means the attacker gained direct access to the wallet’s login credentials. Such leaks often occur due to phishing links, malware, or unsafe key storage.

Security experts have long warned that high-value accounts should always use cold wallets or multi-signature protection to prevent such incidents.