A HyperSwap user lost about $12,300 after clicking a fake airdrop link on X, approving one wallet request, and unknowingly giving a scammer control of his funds.
BeInCrypto reconstructed the attack with the victim using public blockchain records. The records show a fast phishing operation inside the Hyperliquid ecosystem.
The scammer took the victim’s position on HyperSwap, withdrew the funds behind it, converted them into HYPE, and moved the money to Ethereum in less than two minutes.
Note: HyperSwap is an exchange that runs on the Hyperliquid blockchain. HyperSwap has its own team, and Hyperliquid does not manage it — just as the creators of Ethereum do not manage applications like Uniswap running on it.
The Trap Started With a Fake X Account
The victim used HyperSwap. Like other decentralized exchanges, it lets users trade directly from their wallets without a company holding their funds.
The victim had supplied money to a HyperSwap liquidity pool. In simple terms, he had deposited crypto, so other users could trade against it. In return, he could earn fees.
On HyperSwap V3, that position was represented by NFT #178549. This was not a picture or collectible. It was more like a digital receipt. Whoever controlled that NFT controlled the funds linked to the position.
The victim told BeInCrypto he saw a post on X promoting an airdrop. An airdrop is a token giveaway, often used by crypto projects to reward users.
The post appeared to come from HyperSwap. It did not. It came from an impostor account with a handle that closely resembled the real HyperSwap account, HyperSwapX, which is linked from the project’s official website.
The victim followed the link and connected his wallet. He believed he was checking whether he qualified for the airdrop. Instead, he approved a transaction that gave the scammer permission to move his HyperSwap position.
That approval was the key moment.
One Approval Gave the Scammer Control
Crypto wallets often ask users to approve transactions. Some approvals are harmless. Others give another address permission to move valuable assets.
To most users, the warning can look routine. A fake site can make a dangerous approval look like a normal step in claiming tokens.
That appears to be what happened here.
At 20:21:51 UTC on June 29, the scammer used the earlier approval to transfer NFT #178549 out of the victim’s wallet. The victim did not sign anything at that moment. The scammer had already secured permission.
The scammer’s address was 0x880C95246D7525b84902E6c040818a7C72d3Aa77. HyperEVM explorer records flagged it as Fake_Phishing3746335, with a “Phish / Hack” tag reported by HashDit.
The NFT moved to another scammer-controlled wallet. Once that happened, the attacker controlled the liquidity position.
Twenty-five seconds later, the scammer withdrew the funds behind the NFT. The position contained about 3,935 USDC and 116.6 WHYPE. Together, they were worth roughly $12,300 at the time.
The Money Was Moved Fast
After withdrawing the funds, the scammer prepared to move them away from HyperEVM.
First, the wallet gave permission to LI.FI, a legitimate cross-chain bridge and swap service. A bridge lets users move crypto from one blockchain to another.
There is no evidence that LI.FI took part in the theft. The scammer used it after stealing the funds.
The scammer then converted the stolen USDC and WHYPE into about 175.9 HYPE. Seconds later, the HYPE was bridged from HyperEVM to Ethereum.
The destination was 0xFa47eef42fB2C63DCEA0cAC2295a58036052932D. On Ethereum, that wallet received the funds and almost immediately moved 7.035 ETH onward in one transaction.
The wallet had been created shortly before. It was used once and left almost empty. That pattern is common in laundering chains, where stolen funds pass through temporary wallets to make tracing harder.
From the NFT transfer to the bridge transaction, the active theft took about 84 seconds.
A Wider Phishing Pattern
The scammer’s wallet appeared to be part of a broader operation.
Explorer records reviewed by BeInCrypto showed the address had been active for about 33 days. It was also linked to roughly 25 other addresses. That suggests the attacker may have targeted more than one user.
For victims, the problem is practical. Blockchain records can show what happened. They rarely stop it from happening in real time.
Once a user signs a bad approval, the scammer can act quickly. Once funds move across chains, recovery becomes even harder.
The victim later tried to report the suspicious link and get it removed. He said he felt ignored and began to suspect the HyperSwap team had failed to act.
The on-chain evidence reviewed by BeInCrypto points to a phishing attack from an impostor account. The fake X account was separate from HyperSwap’s official account. The official HyperSwap account and official contract were not shown to have carried out the theft.
However, the victim’s experience highlights a serious weakness in the ecosystem. Users can be attacked through fake social media accounts, drained through confusing wallet approvals, and left with few clear options after the money is gone.
During a conversation with BeInCrypto journalists, the victim stated that they tried various ways to warn the Hyperliquid team about the scam, but received no response.
According to the victim, the only active communication channel with HyperSwap was Discord. At the time of writing, the link to it is invalid. So he tried to get the problem across to the ecosystem team where the project works, but that attempt was unsuccessful.
Overall, the scammer’s method was simple. A fake account promoted a fake airdrop. A fake site secured wallet approval. A flagged phishing wallet took the victim’s HyperSwap position, emptied it, and moved the funds to Ethereum.
The loss was about $12,300. The theft took less than two minutes.
The victim suggested that HyperSwap employees may be involved in the theft or are deliberately hiding it. However, BeInCrypto could not find any exact information to support those claims.
The post How a Fake HyperSwap Airdrop Drained $12,300 in 84 Seconds appeared first on BeInCrypto.
Security,Editor’s Pick,Scams,Security (Crypto Scams and Hacks)#Fake #HyperSwap #Airdrop #Drained #Seconds1783361127

