Audit log

Every state-changing event for Fake Hyperliquid App: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.

1. #1publishby system:backfill

   2026-05-19 16:45:09Z
   Score: ? → ? (no score change)
   anchoranchored

   chain

   ●mainnet-betaslot 420,808,103

   sig

   2sK5CJZLRNTX…h5iN7BWmcopyexplorer ↗

   hash

   DSvJzbJw5b9U…1tMQasoBcopysha256 → base58

   verifying row…full verify ↗

   canonical bytes (11554 B) ▸

   {"actor":"system:backfill","investigation_id":"a7376be0-6a6f-4bb8-99da-faa2ffb8facc","kind":"publish","page_slug":"fake-hyperliquid-app","published_at":"2026-05-19T16:45:09.468Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Fake Hyperliquid App","sections":[{"content":"On November 7, 2025, on-chain investigator ZachXBT published a warning via his Telegram channel (t.me/investigations, post 287) alerting the crypto community to a fraudulent Hyperliquid application available on the Google Play Store. The post received over 126,000 views. ZachXBT noted that major app platforms 'don't do a good job of filtering these scams out.' Hyperliquid, the decentralized perpetuals exchange operating primarily on its own Layer 1 blockchain, has never released an official mobile application for Android or iOS, meaning any such listing on app marketplaces is fraudulent by definition.","heading":"Overview and Discovery","severity":"critical","sources":[{"credibility":2,"name":"ZachXBT Investigations Telegram – Post 287","type":"social_media","url":"https://t.me/s/investigations/288"},{"credibility":2,"name":"Crypto Investigator ZachXBT Warns of a Fake Hyperliquid App on Google Play Store – CoinEdition","type":"news_article","url":"https://coinedition.com/crypto-investigator-zachxbt-warns-of-a-fake-hyperliquid-app-on-google-play-store/"},{"credibility":2,"name":"Fake Hyperliquid App Spotted on Google Play Store – CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2025/11/08/fake-hyperliquid-app-spotted-on-google-play-store/"}]},{"content":"The fraudulent application was published on the Google Play Store under the developer name 'Tvtion Inc.' The app replicated Hyperliquid's official logo, app description, and user interface design with high fidelity, and allegedly included fabricated positive reviews to increase its credibility in the store listing. Google Play Store's review processes failed to detect or remove the application prior to ZachXBT's public warning. A separate but related fake Hyperliquid application was also alleged to have appeared on Apple's App Store, where two users reportedly lost approximately $28,000.","heading":"Developer and App Store Listing","severity":"critical","sources":[{"credibility":2,"name":"ZachXBT Alerts on Fake Hyperliquid Apps on Google Play – Phemex News","type":"news_article","url":"https://phemex.com/news/article/zachxbt-warns-of-fake-hyperliquid-apps-on-google-play-store-33752"},{"credibility":2,"name":"Fake Hyperliquid App on Google Play Targets Users in New Crypto Phishing Scam – CryptoRank","type":"news_article","url":"https://cryptorank.io/news/feed/a647f-fake-hyperliquid-app-on-google-play-store"},{"credibility":2,"name":"Fake Hyperliquid App on Google Play Targets Users – BitcoinEthereumNews","type":"news_article","url":"https://bitcoinethereumnews.com/crypto/fake-hyperliquid-app-on-google-play-targets-users-in-new-crypto-phishing-scam/"}]},{"content":"The fraudulent application presented users with a login screen prompting them to either 'connect wallet' or 'restore account.' Both flows were designed to intercept sensitive credentials. The seed phrase or private key entered by the user was captured and transmitted to an external server controlled by the attackers. This credential-harvesting approach gave the operators full, persistent control over any wallet whose recovery phrase was submitted. Unlike smart-contract-based 'drainer' kits that require on-chain transaction approval, this attack relied on social engineering to obtain the root credential, enabling the theft of all assets across all chains associated with the compromised wallet.","heading":"Phishing Mechanism and Drainer Operation","severity":"critical","sources":[{"credibility":2,"name":"Hyperliquid, Fake App on Google Play: ZachXBT's Warning and the DeFi Security Flaw – Decripto","type":"news_article","url":"https://decripto.org/en/hyperliquid-fake-app-on-google-play-zachxbts-warning-and-the-defi-security-flaw/"},{"credibility":2,"name":"Beware: Fake Hyperliquid App on Google Play Phishes Crypto Users – BTCC","type":"news_article","url":"https://www.btcc.com/en-US/square/Cryptopolitan/1149383"},{"credibility":2,"name":"Fake Hyperliquid App on Google Play Targets Users in New Crypto Phishing Scam – MEXC News","type":"news_article","url":"https://www.mexc.com/news/158391"}]},{"content":"ZachXBT's warning identified Ethereum address 0x8c12C21C394D9174c3b1a086A97d2C5523ABb8F5 as a theft address linked to the operation. Multiple outlets reporting on the investigation noted this address had been associated with thefts exceeding $281,000 at the time of the warning. The precise figure has not been independently verified through a named blockchain analytics firm with a primary published report; the $281,000 figure is treated as an estimate reported by secondary news sources covering ZachXBT's original disclosure. A separate Apple App Store variant of the scam allegedly resulted in two users losing approximately $28,000 combined.","heading":"On-Chain Theft Address and Financial Impact","severity":"critical","sources":[{"credibility":2,"name":"Fake Hyperliquid App on Google Play Targets Users in New Crypto Phishing Scam – CryptoRank","type":"news_article","url":"https://cryptorank.io/news/feed/a647f-fake-hyperliquid-app-on-google-play-store"},{"credibility":2,"name":"Crypto Investigator ZachXBT Warns of a Fake Hyperliquid App – CoinEdition","type":"news_article","url":"https://coinedition.com/crypto-investigator-zachxbt-warns-of-a-fake-hyperliquid-app-on-google-play-store/"},{"credibility":2,"name":"Fake Hyperliquid App Spotted on Google Play Store – CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2025/11/08/fake-hyperliquid-app-spotted-on-google-play-store/"}]},{"content":"The fake Hyperliquid app is part of a documented broader pattern of malicious crypto applications on major app stores. Cybersecurity firm Cyble Research and Intelligence Labs (CRIL) identified over 20 malicious crypto-related apps on the Google Play Store in 2025, impersonating platforms including SushiSwap, PancakeSwap, and Hyperliquid, all using the same seed-phrase harvesting approach. A separate but related attack vector targeting Hyperliquid involved fraudulent Google Ads campaigns, in which attackers purchased Google Search advertisements for Hyperliquid and its associated blockchain explorer HypurrScan, redirecting users to cloned websites designed to harvest wallet credentials or execute malicious smart contract approvals. The Google Ads phishing vector involved a spoofed domain (hypurrscan.net impersonating hypurrscan.io) that presented a fake Cloudflare CAPTCHA page designed to trick Windows users into executing a malicious command via the Run dialog.","heading":"Broader Campaign Context","severity":"high","sources":[{"credibility":2,"name":"Phishing Gets Hyperliquid: When Google Ads Serve the Payload – SecDesk","type":"research","url":"https://secdesk.com/phishing-gets-hyperliquid-when-google-ads-serve-the-payload/"},{"credibility":2,"name":"Did You Just Google 'Hyperliquid'? You Might've Landed on a Wallet Drainer – The Coin Republic","type":"news_article","url":"https://www.thecoinrepublic.com/2025/06/26/did-you-just-google-hyperliquid-you-mightve-landed-on-a-wallet-drainer/"},{"credibility":2,"name":"Fake 'Hyperliquid' Ads on Google Scam Crypto Users – Phemex News","type":"news_article","url":"https://phemex.com/news/article/fake-hyperliquid-ads-on-google-lead-to-walletdraining-scams-11125"},{"credibility":2,"name":"Over Two Dozen Fake Crypto and Wallet Apps on Play Store Stealing Seed Phrases – TechRadar","type":"news_article","url":"https://www.techradar.com/pro/security/stop-using-these-22-android-crypto-and-wallet-apps-asap-or-you-risk-losing-all-your-cryptocurrency"}]},{"content":"ZachXBT's warning explicitly criticized app store platform moderation, stating that 'none of these platforms seem to do a good job of filtering these scams out.' The fake Hyperliquid app was able to pass Google Play's review process despite Hyperliquid having no official mobile application, making the listing straightforwardly impersonating. This reflects a systemic issue: the Google Play Store and Apple App Store have repeatedly allowed fraudulent crypto wallet and exchange impersonation apps to reach users before community-driven investigation triggers removal. The use of fabricated reviews in the app listing further illustrates the inadequacy of automated moderation at scale.","heading":"Platform Security Failures","severity":"medium","sources":[{"credibility":2,"name":"Lack of Scrutiny Exposed as Fake Hyperliquid App Pops Up on Google Play Store – Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/fake-hyperliquid-app-on-google-play-store/"},{"credibility":2,"name":"ZachXBT Alerts on Fake Hyperliquid Apps on Google Play – Phemex News","type":"news_article","url":"https://phemex.com/news/article/zachxbt-warns-of-fake-hyperliquid-apps-on-google-play-store-33752"}]}],"sources_used":[],"summary":"A fraudulent mobile application impersonating Hyperliquid, the decentralized perpetuals exchange, was identified on the Google Play Store in November 2025 by on-chain investigator ZachXBT. The app, published under the developer name 'Tvtion Inc.', replicated Hyperliquid's branding and interface to harvest users' seed phrases, transmitting them to an external server. An Ethereum address linked to the operation has been associated with thefts exceeding $281,000; Hyperliquid has never released an official mobile application, making any such listing inherently fraudulent.","timeline":[{"date":"2025-06-01","event":"Cybersecurity firm Cyble Research and Intelligence Labs (CRIL) identifies over 20 malicious crypto applications on the Google Play Store impersonating platforms including Hyperliquid, SushiSwap, and PancakeSwap, all using seed-phrase harvesting techniques.","source":"CoinEdition / Cyble CRIL report","source_url":"https://coinedition.com/crypto-investigator-zachxbt-warns-of-a-fake-hyperliquid-app-on-google-play-store/"},{"date":"2025-06-26","event":"A separate Google Ads phishing campaign targeting Hyperliquid users is reported, in which fraudulent ads for HypurrScan (hypurrscan.net) redirect users to a fake Cloudflare CAPTCHA page designed to execute malicious commands on Windows machines.","source":"The Coin Republic","source_url":"https://www.thecoinrepublic.com/2025/06/26/did-you-just-google-hyperliquid-you-mightve-landed-on-a-wallet-drainer/"},{"date":"2025-11-07","event":"ZachXBT publishes a warning via his Telegram investigations channel (post 287) about a fake Hyperliquid application on the Google Play Store published by developer 'Tvtion Inc.', identifying Ethereum theft address 0x8c12C21C394D9174c3b1a086A97d2C5523ABb8F5. The post receives over 126,000 views.","source":"ZachXBT Investigations Telegram / Phemex News","source_url":"https://phemex.com/news/article/zachxbt-warns-of-fake-hyperliquid-apps-on-google-play-store-33752"},{"date":"2025-11-08","event":"Multiple crypto news outlets including CoinEdition, CryptoTimes, and CryptoRank cover ZachXBT's warning, reporting the theft address has been linked to losses exceeding $281,000 and that a parallel Apple App Store variant resulted in approximately $28,000 stolen from two users.","source":"CryptoTimes / CryptoRank / CoinEdition","source_url":"https://www.cryptotimes.io/2025/11/08/fake-hyperliquid-app-spotted-on-google-play-store/"}]},"v":1}

   Verify offline (run on your own machine)

   python -m src.verify_decision 2b1c6595-b691-4381-b1c0-12921bfd33b0copy
2. #2reviewby reviewerreviewer

   2026-06-13 18:18:49Z
   Score: 0 → 0 (no score change)
   The investigation page describes a real and well-documented scam incident; the core facts (ZachXBT warning, Google Play fake app, theft address, $281,000 figure, Apple App Store variant, Cyble CRIL broader campaign) are all confirmed by multiple independent sources. The main weaknesses are: (1) the 'Tvtion Inc.' developer name is not confirmed by the specific cited sources, appearing instead in secondary aggregators; (2) the fabricated positive reviews claim lacks direct source support; (3) a timeline entry for the Cyble CRIL report uses an incorrect date and wrong citation source; and (4) the claim that Hyperliquid 'has never released an official mobile application' was accurate at the time of the November 2025 scam but became stale in April 2026 when Hyperliquid launched its first official Android app. No claims were found to contradict credible sources.
   anchoranchored

   chain

   ●mainnet-betaslot 426,251,810

   sig

   42uzdXqoVpUu…kdU6hrQ1copyexplorer ↗

   hash

   EiafowiKSb9t…i82TMFLfcopysha256 → base58

   verifying row…full verify ↗

   canonical bytes (1222 B) ▸

   {"actor":"reviewer","decided_at":"2026-06-13T18:18:49.198Z","decision":"review","investigation_id":"a7376be0-6a6f-4bb8-99da-faa2ffb8facc","new_score":0,"page_slug":"fake-hyperliquid-app","prev_score":0,"reason":"The investigation page describes a real and well-documented scam incident; the core facts (ZachXBT warning, Google Play fake app, theft address, $281,000 figure, Apple App Store variant, Cyble CRIL broader campaign) are all confirmed by multiple independent sources. The main weaknesses are: (1) the 'Tvtion Inc.' developer name is not confirmed by the specific cited sources, appearing instead in secondary aggregators; (2) the fabricated positive reviews claim lacks direct source support; (3) a timeline entry for the Cyble CRIL report uses an incorrect date and wrong citation source; and (4) the claim that Hyperliquid 'has never released an official mobile application' was accurate at the time of the November 2025 scam but became stale in April 2026 when Hyperliquid launched its first official Android app. No claims were found to contradict credible sources.","score_delta":0,"sequence_num":2,"submission_content_hash":null,"submission_id":null,"submission_kind":null,"submission_valence":null,"v":1}

   Verify offline (run on your own machine)

   python -m src.verify_decision 2f0563fc-ca9c-46d8-bcca-7045ad53d926copy
3. #3review approveby judgejudge

   2026-06-13 18:18:49Z
   Score: 0 → 0 (no score change)
   The reviewer evaluated 16 claims and found zero disputed. Eleven claims are fully confirmed by independent sources; three are partially supported with minor attribution gaps rather than contradictions. The core allegations — ZachXBT's November 7, 2025 warning, the Google Play fake app, Ethereum theft address 0x8c12C21C394D9174c3b1a086A97d2C5523ABb8F5, the $281,000 loss figure, and the Apple App Store variant — are all corroborated by multiple Tier 2 outlets. The partially-supported claims (claim_findings[1], claim_findings[7], claim_findings[13]) concern peripheral details: the 'Tvtion Inc.' developer name, fabricated review specifics, and a misattributed timeline citation. Two high-priority coverage gaps flag the absence of primary on-chain analysis and a direct link to the original Telegram post — these indicate room for expansion, not evidentiary failure. Reviewer confidence is 0.82, supporting a clear approval.
   anchoranchored

   chain

   ●mainnet-betaslot 426,251,813

   sig

   5xszSirahQ2C…nzQyQ9Rycopyexplorer ↗

   hash

   DkcpcayfzcL5…qb2kd16kcopysha256 → base58

   verifying row…full verify ↗

   canonical bytes (1287 B) ▸

   {"actor":"judge","decided_at":"2026-06-13T18:18:49.198Z","decision":"review_approve","investigation_id":"a7376be0-6a6f-4bb8-99da-faa2ffb8facc","new_score":0,"page_slug":"fake-hyperliquid-app","prev_score":0,"reason":"The reviewer evaluated 16 claims and found zero disputed. Eleven claims are fully confirmed by independent sources; three are partially supported with minor attribution gaps rather than contradictions. The core allegations — ZachXBT's November 7, 2025 warning, the Google Play fake app, Ethereum theft address 0x8c12C21C394D9174c3b1a086A97d2C5523ABb8F5, the $281,000 loss figure, and the Apple App Store variant — are all corroborated by multiple Tier 2 outlets. The partially-supported claims (claim_findings[1], claim_findings[7], claim_findings[13]) concern peripheral details: the 'Tvtion Inc.' developer name, fabricated review specifics, and a misattributed timeline citation. Two high-priority coverage gaps flag the absence of primary on-chain analysis and a direct link to the original Telegram post — these indicate room for expansion, not evidentiary failure. Reviewer confidence is 0.82, supporting a clear approval.","score_delta":0,"sequence_num":3,"submission_content_hash":null,"submission_id":null,"submission_kind":null,"submission_valence":null,"v":1}

   Verify offline (run on your own machine)

   python -m src.verify_decision 8093765b-8cc6-4276-ad77-7978a493a762copy