en
Back to the list

HYPE Airdrop Scam Drains $12,300 From HyperSwap Wallet in 84 Seconds

source-logo  en.coinotag.com 1 h
image

Crypto News

A HyperSwap liquidity provider lost roughly $12,300 in 84 seconds after signing a single wallet approval that handed an attacker control of a decentralized-exchange position on the Hyperliquid blockchain. Reconstructed from public on-chain records, the case shows how fast a position can be emptied once a malicious approval is live. The victim had supplied crypto to a HyperSwap liquidity pool, earning trading fees in return. That position was tokenized as an $NFT — a digital receipt whose holder controls the underlying funds. Whoever moves the token moves the money. On-chain data shows the funds were withdrawn, converted and bridged away in under two minutes.

The trap began with a token giveaway that never existed. The victim saw a post on X promoting an airdrop and followed the link, believing he was checking eligibility for a free distribution. The account was an impostor: its handle closely mirrored the real project handle, HyperSwapX, which is linked from the official website. The lookalike name was enough to pass a quick glance. Connecting a wallet to the fraudulent site produced what looked like a routine claim step. In reality, the victim approved a transaction granting a third-party address permission to move his HyperSwap position — the single decision that decided everything.

The mechanism at work is token approval, a standard wallet action that lets another address transfer specified assets on a user’s behalf. Some approvals are harmless; others hand over valuable holdings. Here the approval covered $NFT #178549, the token representing the victim’s HyperSwap V3 liquidity position. To most users the confirmation prompt reads as ordinary, and a spoofed site can dress a dangerous approval as a normal part of claiming tokens. That is the design of modern approval phishing: the theft is authorized in advance by the victim, so no further signature is needed when the funds are actually taken.

The execution came after the fact. On-chain records place the decisive transfer at 20:21:51 UTC on June 29, when the attacker used the earlier approval to pull $NFT #178549 out of the victim’s wallet. The victim signed nothing at that moment — permission had already been granted. The receiving address, 0x880C95246D7525b84902E6c040818a7C72d3Aa77, is flagged on the HyperEVM explorer as Fake_Phishing3746335 and carries a Phish / Hack warning. The label confirms the address was already known to blockchain-security trackers, underscoring that the infrastructure behind the theft was reused across victims rather than built for a single target.

Laundering followed almost instantly. After seizing the $NFT, the attacker withdrew the crypto backing the liquidity position, converted the proceeds into HYPE — the native altcoin of Hyperliquid — and bridged the value to Ethereum, all in less than two minutes. The speed matters: by the time most users would notice an unauthorized transfer, the assets have already crossed a bridge and changed form, complicating recovery. On-chain data shows the entire sequence from position transfer to cross-chain settlement fit inside the same short window that gives this case its 84-second headline. Nothing about the flow required the victim’s further participation.

The episode also clarifies where responsibility sits. HyperSwap is a decentralized exchange that runs on the Hyperliquid blockchain but is operated by its own team; Hyperliquid does not manage it, much as Ethereum’s creators do not run the applications built on their chain. Like other DEXs, HyperSwap lets users trade directly from self-custodied wallets, with no company holding the funds. That model removes intermediaries but also removes safety nets: an approval signed on a fraudulent site executes exactly as written. Regularly reviewing and revoking wallet approvals, and verifying account handles against official links, remain the core defenses.

Our reading ties these threads to a single theme: approval phishing is now the sharpest edge of self-custody risk, and it bites hardest when attention is elsewhere. COINOTAG’s aggregate market data shows sentiment in Extreme Fear at 24 out of 100, Bitcoin dominance at 69.3%, and total crypto market capitalization near $1.84 trillion — conditions in which liquidity concentrates in majors and attackers hunt distracted holders of smaller ecosystem tokens. The primary evidence here is entirely on chain: a flagged phishing address, a timestamped $NFT transfer, and a two-minute bridge to Ethereum. No protocol was breached; one approval did the work, which is precisely what makes it repeatable.

en.coinotag.com