Verify a decision

{"actor":"system:backfill","investigation_id":"a7376be0-6a6f-4bb8-99da-faa2ffb8facc","kind":"publish","page_slug":"fake-hyperliquid-app","published_at":"2026-05-19T16:45:09.468Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Fake Hyperliquid App","sections":[{"content":"On November 7, 2025, on-chain investigator ZachXBT published a warning via his Telegram channel (t.me/investigations, post 287) alerting the crypto community to a fraudulent Hyperliquid application available on the Google Play Store. The post received over 126,000 views. ZachXBT noted that major app platforms 'don't do a good job of filtering these scams out.' Hyperliquid, the decentralized perpetuals exchange operating primarily on its own Layer 1 blockchain, has never released an official mobile application for Android or iOS, meaning any such listing on app marketplaces is fraudulent by definition.","heading":"Overview and Discovery","severity":"critical","sources":[{"credibility":2,"name":"ZachXBT Investigations Telegram – Post 287","type":"social_media","url":"https://t.me/s/investigations/288"},{"credibility":2,"name":"Crypto Investigator ZachXBT Warns of a Fake Hyperliquid App on Google Play Store – CoinEdition","type":"news_article","url":"https://coinedition.com/crypto-investigator-zachxbt-warns-of-a-fake-hyperliquid-app-on-google-play-store/"},{"credibility":2,"name":"Fake Hyperliquid App Spotted on Google Play Store – CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2025/11/08/fake-hyperliquid-app-spotted-on-google-play-store/"}]},{"content":"The fraudulent application was published on the Google Play Store under the developer name 'Tvtion Inc.' The app replicated Hyperliquid's official logo, app description, and user interface design with high fidelity, and allegedly included fabricated positive reviews to increase its credibility in the store listing. Google Play Store's review processes failed to detect or remove the application prior to ZachXBT's public warning. A separate but related fake Hyperliquid application was also alleged to have appeared on Apple's App Store, where two users reportedly lost approximately $28,000.","heading":"Developer and App Store Listing","severity":"critical","sources":[{"credibility":2,"name":"ZachXBT Alerts on Fake Hyperliquid Apps on Google Play – Phemex News","type":"news_article","url":"https://phemex.com/news/article/zachxbt-warns-of-fake-hyperliquid-apps-on-google-play-store-33752"},{"credibility":2,"name":"Fake Hyperliquid App on Google Play Targets Users in New Crypto Phishing Scam – CryptoRank","type":"news_article","url":"https://cryptorank.io/news/feed/a647f-fake-hyperliquid-app-on-google-play-store"},{"credibility":2,"name":"Fake Hyperliquid App on Google Play Targets Users – BitcoinEthereumNews","type":"news_article","url":"https://bitcoinethereumnews.com/crypto/fake-hyperliquid-app-on-google-play-targets-users-in-new-crypto-phishing-scam/"}]},{"content":"The fraudulent application presented users with a login screen prompting them to either 'connect wallet' or 'restore account.' Both flows were designed to intercept sensitive credentials. The seed phrase or private key entered by the user was captured and transmitted to an external server controlled by the attackers. This credential-harvesting approach gave the operators full, persistent control over any wallet whose recovery phrase was submitted. Unlike smart-contract-based 'drainer' kits that require on-chain transaction approval, this attack relied on social engineering to obtain the root credential, enabling the theft of all assets across all chains associated with the compromised wallet.","heading":"Phishing Mechanism and Drainer Operation","severity":"critical","sources":[{"credibility":2,"name":"Hyperliquid, Fake App on Google Play: ZachXBT's Warning and the DeFi Security Flaw – Decripto","type":"news_article","url":"https://decripto.org/en/hyperliquid-fake-app-on-google-play-zachxbts-warning-and-the-defi-security-flaw/"},{"credibility":2,"name":"Beware: Fake Hyperliquid App on Google Play Phishes Crypto Users – BTCC","type":"news_article","url":"https://www.btcc.com/en-US/square/Cryptopolitan/1149383"},{"credibility":2,"name":"Fake Hyperliquid App on Google Play Targets Users in New Crypto Phishing Scam – MEXC News","type":"news_article","url":"https://www.mexc.com/news/158391"}]},{"content":"ZachXBT's warning identified Ethereum address 0x8c12C21C394D9174c3b1a086A97d2C5523ABb8F5 as a theft address linked to the operation. Multiple outlets reporting on the investigation noted this address had been associated with thefts exceeding $281,000 at the time of the warning. The precise figure has not been independently verified through a named blockchain analytics firm with a primary published report; the $281,000 figure is treated as an estimate reported by secondary news sources covering ZachXBT's original disclosure. A separate Apple App Store variant of the scam allegedly resulted in two users losing approximately $28,000 combined.","heading":"On-Chain Theft Address and Financial Impact","severity":"critical","sources":[{"credibility":2,"name":"Fake Hyperliquid App on Google Play Targets Users in New Crypto Phishing Scam – CryptoRank","type":"news_article","url":"https://cryptorank.io/news/feed/a647f-fake-hyperliquid-app-on-google-play-store"},{"credibility":2,"name":"Crypto Investigator ZachXBT Warns of a Fake Hyperliquid App – CoinEdition","type":"news_article","url":"https://coinedition.com/crypto-investigator-zachxbt-warns-of-a-fake-hyperliquid-app-on-google-play-store/"},{"credibility":2,"name":"Fake Hyperliquid App Spotted on Google Play Store – CryptoTimes","type":"news_article","url":"https://www.cryptotimes.io/2025/11/08/fake-hyperliquid-app-spotted-on-google-play-store/"}]},{"content":"The fake Hyperliquid app is part of a documented broader pattern of malicious crypto applications on major app stores. Cybersecurity firm Cyble Research and Intelligence Labs (CRIL) identified over 20 malicious crypto-related apps on the Google Play Store in 2025, impersonating platforms including SushiSwap, PancakeSwap, and Hyperliquid, all using the same seed-phrase harvesting approach. A separate but related attack vector targeting Hyperliquid involved fraudulent Google Ads campaigns, in which attackers purchased Google Search advertisements for Hyperliquid and its associated blockchain explorer HypurrScan, redirecting users to cloned websites designed to harvest wallet credentials or execute malicious smart contract approvals. The Google Ads phishing vector involved a spoofed domain (hypurrscan.net impersonating hypurrscan.io) that presented a fake Cloudflare CAPTCHA page designed to trick Windows users into executing a malicious command via the Run dialog.","heading":"Broader Campaign Context","severity":"high","sources":[{"credibility":2,"name":"Phishing Gets Hyperliquid: When Google Ads Serve the Payload – SecDesk","type":"research","url":"https://secdesk.com/phishing-gets-hyperliquid-when-google-ads-serve-the-payload/"},{"credibility":2,"name":"Did You Just Google 'Hyperliquid'? You Might've Landed on a Wallet Drainer – The Coin Republic","type":"news_article","url":"https://www.thecoinrepublic.com/2025/06/26/did-you-just-google-hyperliquid-you-mightve-landed-on-a-wallet-drainer/"},{"credibility":2,"name":"Fake 'Hyperliquid' Ads on Google Scam Crypto Users – Phemex News","type":"news_article","url":"https://phemex.com/news/article/fake-hyperliquid-ads-on-google-lead-to-walletdraining-scams-11125"},{"credibility":2,"name":"Over Two Dozen Fake Crypto and Wallet Apps on Play Store Stealing Seed Phrases – TechRadar","type":"news_article","url":"https://www.techradar.com/pro/security/stop-using-these-22-android-crypto-and-wallet-apps-asap-or-you-risk-losing-all-your-cryptocurrency"}]},{"content":"ZachXBT's warning explicitly criticized app store platform moderation, stating that 'none of these platforms seem to do a good job of filtering these scams out.' The fake Hyperliquid app was able to pass Google Play's review process despite Hyperliquid having no official mobile application, making the listing straightforwardly impersonating. This reflects a systemic issue: the Google Play Store and Apple App Store have repeatedly allowed fraudulent crypto wallet and exchange impersonation apps to reach users before community-driven investigation triggers removal. The use of fabricated reviews in the app listing further illustrates the inadequacy of automated moderation at scale.","heading":"Platform Security Failures","severity":"medium","sources":[{"credibility":2,"name":"Lack of Scrutiny Exposed as Fake Hyperliquid App Pops Up on Google Play Store – Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/fake-hyperliquid-app-on-google-play-store/"},{"credibility":2,"name":"ZachXBT Alerts on Fake Hyperliquid Apps on Google Play – Phemex News","type":"news_article","url":"https://phemex.com/news/article/zachxbt-warns-of-fake-hyperliquid-apps-on-google-play-store-33752"}]}],"sources_used":[],"summary":"A fraudulent mobile application impersonating Hyperliquid, the decentralized perpetuals exchange, was identified on the Google Play Store in November 2025 by on-chain investigator ZachXBT. The app, published under the developer name 'Tvtion Inc.', replicated Hyperliquid's branding and interface to harvest users' seed phrases, transmitting them to an external server. An Ethereum address linked to the operation has been associated with thefts exceeding $281,000; Hyperliquid has never released an official mobile application, making any such listing inherently fraudulent.","timeline":[{"date":"2025-06-01","event":"Cybersecurity firm Cyble Research and Intelligence Labs (CRIL) identifies over 20 malicious crypto applications on the Google Play Store impersonating platforms including Hyperliquid, SushiSwap, and PancakeSwap, all using seed-phrase harvesting techniques.","source":"CoinEdition / Cyble CRIL report","source_url":"https://coinedition.com/crypto-investigator-zachxbt-warns-of-a-fake-hyperliquid-app-on-google-play-store/"},{"date":"2025-06-26","event":"A separate Google Ads phishing campaign targeting Hyperliquid users is reported, in which fraudulent ads for HypurrScan (hypurrscan.net) redirect users to a fake Cloudflare CAPTCHA page designed to execute malicious commands on Windows machines.","source":"The Coin Republic","source_url":"https://www.thecoinrepublic.com/2025/06/26/did-you-just-google-hyperliquid-you-mightve-landed-on-a-wallet-drainer/"},{"date":"2025-11-07","event":"ZachXBT publishes a warning via his Telegram investigations channel (post 287) about a fake Hyperliquid application on the Google Play Store published by developer 'Tvtion Inc.', identifying Ethereum theft address 0x8c12C21C394D9174c3b1a086A97d2C5523ABb8F5. The post receives over 126,000 views.","source":"ZachXBT Investigations Telegram / Phemex News","source_url":"https://phemex.com/news/article/zachxbt-warns-of-fake-hyperliquid-apps-on-google-play-store-33752"},{"date":"2025-11-08","event":"Multiple crypto news outlets including CoinEdition, CryptoTimes, and CryptoRank cover ZachXBT's warning, reporting the theft address has been linked to losses exceeding $281,000 and that a parallel Apple App Store variant resulted in approximately $28,000 stolen from two users.","source":"CryptoTimes / CryptoRank / CoinEdition","source_url":"https://www.cryptotimes.io/2025/11/08/fake-hyperliquid-app-spotted-on-google-play-store/"}]},"v":1}