HypurrFi Domain Hijack (April 2026)
Summary
On April 3, 2026, the frontend domain hypurr.fi of HypurrFi — a DeFi lending protocol on Hyperliquid EVM — was hijacked via a social engineering attack targeting the domain registrar Openprovider. No user funds were confirmed drained and the protocol's smart contracts remained intact throughout; the team migrated frontend operations to hypurrfi.com and subsequently recovered control of the original domain. The incident is part of a documented six-week cluster of DeFi registrar-level frontend attacks in March–April 2026 targeting Neutrl, HypurrFi, and CoW Swap.
Timeline (10 events)
2025-03-01
HypurrFi launches on Hyperliquid EVM mainnet, reaching initial supply caps of approximately $4.42 million within one hour.
Impossible Finance Blog
2026-03-19
Neutrl DeFi protocol experiences a suspected DNS frontend hijack; team pauses smart contracts and initiates investigation with security firm 0xGroomLake. First incident in the documented six-week DeFi registrar attack cluster.
Crypto Times
2026-04-03
HypurrFi detects unauthorized DNS changes to hypurr.fi attributed to social engineering at registrar Openprovider. Founder androolloyd posts urgent warning on X. Team migrates frontend to hypurrfi.com.
The Block, Crypto Times
2026-04-04
HypurrFi team confirms recovery of hypurr.fi domain control via registrar; DNS propagation expected to take up to 24 hours. No user funds confirmed drained. Incident widely covered in crypto press.
NullTX, DarkWebInformer (X)
2026-04-14
CoW Swap's cow.fi domain is hijacked via social engineering against registrar Gandi SAS (allegedly involving falsified identity documents submitted to Traficom, Finland's .fi TLD registry). Phishing frontend drains approximately $1.2 million in user assets over 4.5 hours. Third major incident in the DeFi registrar attack cluster.
CoinDesk, BingX Flash News
2026-04-15
Web3SecNews publishes field report characterizing the Neutrl, HypurrFi, CoW Swap, and Steakhouse/cow.fi incidents as a coordinated campaign with common social engineering methodology at the registrar level.
Web3SecNews (Substack)
2026-05-12
CoW DAO passes CIP-86 to begin compensation for victims of the April 14 cow.fi hijack, with claims deadline of May 14.
Crypto Times
2026-05-15
HypurrFi announces planned wind-down of operations. Euler Finance assumes maintenance of Mewler contract stack on HyperEVM. Team states the decision is 'strategic instead of reactive' and explicitly not related to the April domain compromise.
Crypto Times
Decision Log
- hash: yKJGzxKsDWxCKEcPLrZe9EHtHQuNG32jiggA4SvDPip
This investigation is cryptographically anchored to the Solana blockchain and source URLs are archived via the Internet Archive.
model: claude-sonnet-4-6
generated: 6/2/2026, 8:26:10 PM
last updated: 6/2/2026, 8:27:21 PM
avoid.net — verified advice for a post-truth world