Verify a decision

{"actor":"system:backfill","investigation_id":"d6f710cc-1241-439e-a06f-cea33478dad8","kind":"publish","page_slug":"hypurrfi-domain-hijack-april-2026","published_at":"2026-06-02T20:27:21.409Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"HypurrFi Domain Hijack (April 2026)","sections":[{"content":"On April 3, 2026, HypurrFi detected unauthorized DNS changes to its primary domain hypurr.fi. The team attributed the compromise to a social engineering attack targeting the domain registrar, identified in subsequent reporting as Openprovider. HypurrFi founder androolloyd posted an urgent warning on X stating 'DO NOT USE the Hypurr.fi domain; it is compromised.' The team confirmed that the protocol's core smart contracts, team infrastructure, and social media channels remained under team control throughout the incident. HypurrFi is a non-custodial DeFi lending and borrowing protocol operating on Hyperliquid's EVM layer (HyperEVM), launched on mainnet in early 2025. At the time of the incident the protocol had approximately $30 million in TVL per reporting by Live Bitcoin News citing DefiLlama data, though DefiLlama's own tracker recorded a combined TVL reaching substantially higher figures at peak (approximately $180 million as of later in 2026, per DefiLlama).","heading":"Incident Overview","severity":"high","sources":[{"credibility":2,"name":"HypurrFi investigates domain hijacking, warns users from interacting with lending protocol — The Block","type":"news_article","url":"https://www.theblock.co/post/396336/hypurrfi-investigates-domain-hijacking-warns-users-interacting-lending-protocol"},{"credibility":2,"name":"HypurrFi Flags Domain Hijack, Urges Users to Stay Away — Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/04/04/hypurrfi-flags-domain-hijack-urges-users-to-stay-away/"},{"credibility":3,"name":"HypurrFi Website Compromised in Suspected Domain Hijack, Users Told to Stay Away — Live Bitcoin News","type":"news_article","url":"https://www.livebitcoinnews.com/hypurrfi-website-compromised-in-suspected-domain-hijack-users-told-to-stay-away/"},{"credibility":2,"name":"HypurrFi TVL, Fees & Revenue — DefiLlama","type":"on_chain","url":"https://defillama.com/protocol/hypurrfi"}]},{"content":"The compromise was achieved at the registrar layer rather than through any vulnerability in HypurrFi's smart contracts or internal systems. An attacker gained unauthorized control of domain DNS records at Openprovider — the registrar holding the hypurr.fi domain — through social engineering, a technique where an individual is manipulated into granting access or making changes via impersonation or deception rather than through a technical exploit. Once DNS control was obtained, the attacker was able to redirect users visiting hypurr.fi to potentially malicious infrastructure. The team's official statement read: 'The hypurr.fi domain was compromised this afternoon in what we believe to be a social engineering attack on the registrar. Based on our understanding and investigation, the HypurrFi protocol and team infrastructure has NOT been compromised.' The compromised domain was flagged and blocked across several major crypto wallets during the transition period. No drainer contract or phishing site served to users was publicly confirmed during this incident, in contrast to the contemporaneous CoW Swap hijack where losses of approximately $1.2 million were confirmed. DNS propagation delays meant that even after domain control was restored by the team, the domain may have temporarily resolved to attacker-controlled infrastructure for some users for up to 24 hours.","heading":"Attack Vector and Technical Analysis","severity":"high","sources":[{"credibility":3,"name":"HypurrFi Domain Breach Triggers Emergency Migration As Team Confirms Protocol And Funds Remain Secure — NullTX","type":"news_article","url":"https://nulltx.com/hypurrfi-domain-breach-triggers-emergency-migration-as-team-confirms-protocol-and-funds-remain-secure/"},{"credibility":3,"name":"HypurrFi Domain Hijacked in Social Engineering Attack — Phemex News","type":"news_article","url":"https://phemex.com/news/article/hypurrfi-domain-hijacked-in-social-engineering-attack-70843"},{"credibility":3,"name":"Alert: HypurrFi confirms Hypurr.fi domain compromised; operations moved to Hypurrfi.com — BingX Flash News","type":"news_article","url":"https://bingx.com/en/flash-news/post/hypurrfi-confirms-fi-domain-compromised-in-social-engineering-attack-moves-users-to-hypurrfi-com"}]},{"content":"HypurrFi is properly characterized as the victim of this incident; the attack did not exploit a vulnerability in HypurrFi's protocol code, smart contracts, or operational security practices beyond the registrar layer. No user funds were confirmed drained from the HypurrFi protocol as a result of this specific incident. The protocol's smart contracts remained solvent and operational throughout. The fault lies with registrar-level authentication practices that allowed a social engineering attacker to gain DNS control. This contrasts with the CoW Swap frontend hijack on April 14, 2026, where attackers served a phishing interface that drained approximately $1.2 million in user assets. The team migrated frontend infrastructure to hypurrfi.com (also accessible at app.hypurrfi.com) and subsequently recovered control of the original hypurr.fi domain. The DarkWebInformer account on X confirmed the team was able to regain control of the affected domain via the registrar, with DNS propagation expected to take up to 24 hours.","heading":"Impact Assessment and Fault Attribution","severity":"medium","sources":[{"credibility":3,"name":"HypurrFi flags suspected domain hijacking, urges users to avoid hypurr.fi — BingX Flash News","type":"news_article","url":"https://bingx.com/en/flash-news/post/hypurrfi-warns-hypurr-fi-domain-may-be-hijacked-says-user-funds-not-at-risk-as-hyperevm-tvl-nears-m"},{"credibility":3,"name":"DarkWebInformer on X — domain recovery confirmation","type":"social_media","url":"https://x.com/DarkWebInformer/status/2040191433102029063"},{"credibility":3,"name":"CoW Swap Publishes Post-Mortem on Domain Hijack; User Losses Estimated at $1.2 Million — BingX Flash News","type":"news_article","url":"https://bingx.com/en/flash-news/post/cow-swap-report-says-cow-fi-domain-hijack-redirected-swap-cow-fi-to-phishing-site-estimated-user-losses-m"}]},{"content":"The HypurrFi incident is one of at least three confirmed DeFi frontend domain hijackings within a six-week window in early 2026, representing a documented pattern of registrar-level social engineering attacks against decentralized finance protocols. Neutrl, a DeFi protocol, experienced a suspected DNS frontend hijack on March 19, 2026, leading the team to pause smart contracts as a precaution; the team worked with security firm 0xGroomLake to investigate and advised users to revoke all Permit2 approvals. HypurrFi's hypurr.fi domain was hijacked on April 3, 2026, via social engineering at Openprovider. CoW Swap, a major Ethereum DEX aggregator, had its cow.fi domain hijacked on April 14, 2026, via social engineering against registrar Gandi SAS — attackers allegedly submitted falsified identification documents to Finland's Traficom (.fi TLD registry); this attack resulted in confirmed user losses of approximately $1.2 million drained over a 4.5-hour window. Additionally, eth.limo suffered a social engineering DNS hijack via registrar EasyDNS in the same period. Security researchers writing for Web3SecNews characterized the pattern as an organized campaign with a common methodology: social engineering at registrars to obtain domain control, executed in under 30 minutes from request to compromise, with fresh TLS certificate issuance as a detectable signal. The .fi TLD's centralized registration infrastructure appears to have been a particular point of weakness across multiple incidents.","heading":"Six-Week DeFi Frontend Attack Cluster (March–April 2026)","severity":"high","sources":[{"credibility":2,"name":"Neutrl DeFi Pauses Smart Contracts Amid Suspected DNS Frontend Hijack — Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/03/19/neutrl-defi-pauses-smart-contracts-amid-suspected-dns-frontend-hijack/"},{"credibility":1,"name":"Popular DeFi platform CoW Swap warns users to stay away from its site after security breach — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/04/14/popular-defi-platform-warns-users-to-stay-away-from-its-site-after-security-breach"},{"credibility":3,"name":"The .fi Files: A Field Report on DNS Hijacking in DeFi — Web3SecNews (Substack)","type":"research","url":"https://web3secnews.substack.com/p/the-fi-files-a-field-report-on-dns"},{"credibility":2,"name":"EasyDNS accepts responsibility for eth.limo hijack — The Block","type":"news_article","url":"https://www.theblock.co/post/398005/easydns-accepts-responsibility-for-eth-limo-hijack-its-first-social-engineering-breach-in-28-years"},{"credibility":2,"name":"CoW Swap Frontend Attack Explained — KuCoin Blog","type":"news_article","url":"https://www.kucoin.com/blog/cow-swap-frontend-attack-explained-dns-hijacking-how-it-works-and-how-to-protect-your-wallet-in-defi"}]},{"content":"On May 15, 2026, HypurrFi announced a planned wind-down of its operations, unrelated to the April domain hijack. The team described the decision as 'strategic instead of reactive,' framing it as a deliberate transition after having played a role in bootstrapping lending on HyperEVM since the protocol's 2025 launch. Euler Finance assumed maintenance and operation of the Euler contract stack (known as Mewler) on Hyperliquid EVM, while Clearstar Labs continued managing Prime, Yield, and Earn vaults. HypurrFi stated that all markets remained solvent and operational and that there was 'no security breach.' Support access for users was available through May 28, 2026, with legacy markets set to close by July 15, 2026. A migration wizard was provided to facilitate moving positions to Euler Prime/Yield markets. The wind-down announcement explicitly confirmed that the April 3 domain compromise did not trigger the protocol's closure, and that smart contract security was never compromised.","heading":"Protocol Wind-Down (May 2026)","severity":"medium","sources":[{"credibility":2,"name":"HypurrFi Announces Wind Down as Euler Finance Takes Over — Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/05/16/hypurrfi-announces-wind-down-as-euler-finance-takes-over/"},{"credibility":3,"name":"HypurrFi Transfers Mewler Lending to Euler Amid Wind Down — Phemex News","type":"news_article","url":"https://phemex.com/news/article/hypurrfi-to-wind-down-operations-transfers-mewler-lending-to-euler-81850"}]},{"content":"HypurrFi was a bootstrapped (non-VC-funded) DeFi lending and borrowing protocol native to Hyperliquid's EVM layer (HyperEVM). It launched on mainnet in early 2025, reportedly reaching initial supply caps of $4.42 million within one hour. The protocol's architecture was described as inspired by Aave but optimized for Hyperliquid EVM, offering pooled and isolated markets, a synthetic dollar (USDXL), and leveraged yield strategies. The team was led by androolloyd (Andrew Lloyd), identified in multiple sources as co-founder and CEO; Andy served as Head of Growth. HypurrFi maintained a partnership with Euler Finance to deploy the Euler contract stack (Mewler) on HyperEVM. The team's real-name identities were partially disclosed: androolloyd's real name (Andrew Lloyd or similar derivation) is inferable from the handle and podcast appearances, but full biographical background was not publicly documented. Note: HypurrFi (the lending protocol) is distinct from the hypurr-nfts NFT collection, which also operates in the Hyperliquid ecosystem.","heading":"Protocol Background and Team","severity":"low","sources":[{"credibility":2,"name":"HypurrFi: The Next Big Lending Protocol on Hyperliquid? — Impossible Finance Blog","type":"research","url":"https://blog.impossible.finance/hypurrfi-the-next-big-lending-protocol-on-hyperliquid/"},{"credibility":2,"name":"HypurrFi — Hypurr.co Ecosystem Projects","type":"official","url":"https://www.hypurr.co/ecosystem-projects/hypurrfi"},{"credibility":3,"name":"androolloyd on X","type":"social_media","url":"https://x.com/androolloyd"}]},{"content":"During the incident window (April 3–4, 2026), users were advised to avoid interacting with hypurr.fi entirely and to use the migrated domain hypurrfi.com (also app.hypurrfi.com). Security researchers broadly recommended that users who visited hypurr.fi during the compromised window should revoke any token approvals granted to unknown or newly-encountered smart contract addresses and check connected wallets for malicious approvals using tools such as revoke.cash. The team confirmed that official social media channels (X, Telegram, Discord) remained under team control and that communications through those channels could be trusted. Given HypurrFi's subsequent wind-down announcement in May 2026 and the July 15, 2026 scheduled closure of legacy markets, users with active positions were advised by the protocol to migrate to Euler Prime/Yield markets using the provided migration wizard before the closure date.","heading":"User Safety and Recommended Actions","severity":"medium","sources":[{"credibility":3,"name":"HypurrFi Domain Hijack Pushes Users to Avoid Using the Platform — BitRss","type":"news_article","url":"https://bitrss.com/hypurrfi-domain-hijack-pushes-users-to-avoid-using-the-platform-198562"},{"credibility":2,"name":"HypurrFi Announces Wind Down as Euler Finance Takes Over — Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/05/16/hypurrfi-announces-wind-down-as-euler-finance-takes-over/"}]}],"sources_used":[{"credibility":2,"name":"HypurrFi investigates domain hijacking, warns users from interacting with lending protocol — The Block","type":"news_article","url":"https://www.theblock.co/post/396336/hypurrfi-investigates-domain-hijacking-warns-users-interacting-lending-protocol"},{"credibility":2,"name":"HypurrFi Flags Domain Hijack, Urges Users to Stay Away — Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/04/04/hypurrfi-flags-domain-hijack-urges-users-to-stay-away/"},{"credibility":3,"name":"HypurrFi Website Compromised in Suspected Domain Hijack, Users Told to Stay Away — Live Bitcoin News","type":"news_article","url":"https://www.livebitcoinnews.com/hypurrfi-website-compromised-in-suspected-domain-hijack-users-told-to-stay-away/"},{"credibility":3,"name":"HypurrFi Domain Breach Triggers Emergency Migration — NullTX","type":"news_article","url":"https://nulltx.com/hypurrfi-domain-breach-triggers-emergency-migration-as-team-confirms-protocol-and-funds-remain-secure/"},{"credibility":3,"name":"HypurrFi Domain Hijacked in Social Engineering Attack — Phemex News","type":"news_article","url":"https://phemex.com/news/article/hypurrfi-domain-hijacked-in-social-engineering-attack-70843"},{"credibility":2,"name":"HypurrFi Announces Wind Down as Euler Finance Takes Over — Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/05/16/hypurrfi-announces-wind-down-as-euler-finance-takes-over/"},{"credibility":2,"name":"Neutrl DeFi Pauses Smart Contracts Amid Suspected DNS Frontend Hijack — Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/03/19/neutrl-defi-pauses-smart-contracts-amid-suspected-dns-frontend-hijack/"},{"credibility":1,"name":"Popular DeFi platform CoW Swap warns users to stay away from its site after security breach — CoinDesk","type":"news_article","url":"https://www.coindesk.com/tech/2026/04/14/popular-defi-platform-warns-users-to-stay-away-from-its-site-after-security-breach"},{"credibility":3,"name":"CoW Swap Publishes Post-Mortem on Domain Hijack; User Losses Estimated at $1.2 Million — BingX Flash News","type":"news_article","url":"https://bingx.com/en/flash-news/post/cow-swap-report-says-cow-fi-domain-hijack-redirected-swap-cow-fi-to-phishing-site-estimated-user-losses-m"},{"credibility":2,"name":"CIP-86 Passed: CoW DAO Begins Compensation for April Attack — Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/05/12/cip-86-passed-cow-dao-begins-compensation-for-april-attack/"},{"credibility":2,"name":"EasyDNS accepts responsibility for eth.limo hijack, its first social engineering breach in 28 years — The Block","type":"news_article","url":"https://www.theblock.co/post/398005/easydns-accepts-responsibility-for-eth-limo-hijack-its-first-social-engineering-breach-in-28-years"},{"credibility":3,"name":"The .fi Files: A Field Report on DNS Hijacking in DeFi — Web3SecNews (Substack)","type":"research","url":"https://web3secnews.substack.com/p/the-fi-files-a-field-report-on-dns"},{"credibility":2,"name":"HypurrFi: The Next Big Lending Protocol on Hyperliquid? — Impossible Finance Blog","type":"research","url":"https://blog.impossible.finance/hypurrfi-the-next-big-lending-protocol-on-hyperliquid/"},{"credibility":2,"name":"HypurrFi TVL, Fees & Revenue — DefiLlama","type":"on_chain","url":"https://defillama.com/protocol/hypurrfi"},{"credibility":3,"name":"androolloyd on X","type":"social_media","url":"https://x.com/androolloyd"},{"credibility":2,"name":"HypurrFi — Hypurr.co Ecosystem Projects","type":"official","url":"https://www.hypurr.co/ecosystem-projects/hypurrfi"},{"credibility":3,"name":"HypurrFi Domain Hack: TVL Freeze and $52M March Losses — AInvest","type":"news_article","url":"https://www.ainvest.com/news/hypurrfi-domain-hack-tvl-freeze-52m-march-losses-2604/"},{"credibility":3,"name":"DarkWebInformer on X — domain recovery confirmation","type":"social_media","url":"https://x.com/DarkWebInformer/status/2040191433102029063"},{"credibility":3,"name":"HypurrFi Transfers Mewler Lending to Euler Amid Wind Down — Phemex News","type":"news_article","url":"https://phemex.com/news/article/hypurrfi-to-wind-down-operations-transfers-mewler-lending-to-euler-81850"}],"summary":"On April 3, 2026, the frontend domain hypurr.fi of HypurrFi — a DeFi lending protocol on Hyperliquid EVM — was hijacked via a social engineering attack targeting the domain registrar Openprovider. No user funds were confirmed drained and the protocol's smart contracts remained intact throughout; the team migrated frontend operations to hypurrfi.com and subsequently recovered control of the original domain. The incident is part of a documented six-week cluster of DeFi registrar-level frontend attacks in March–April 2026 targeting Neutrl, HypurrFi, and CoW Swap.","timeline":[{"date":"2025-03-01","event":"HypurrFi launches on Hyperliquid EVM mainnet, reaching initial supply caps of approximately $4.42 million within one hour.","source":"Impossible Finance Blog","source_url":"https://blog.impossible.finance/hypurrfi-the-next-big-lending-protocol-on-hyperliquid/"},{"date":"2026-03-19","event":"Neutrl DeFi protocol experiences a suspected DNS frontend hijack; team pauses smart contracts and initiates investigation with security firm 0xGroomLake. First incident in the documented six-week DeFi registrar attack cluster.","source":"Crypto Times","source_url":"https://www.cryptotimes.io/2026/03/19/neutrl-defi-pauses-smart-contracts-amid-suspected-dns-frontend-hijack/"},{"date":"2026-04-03","event":"HypurrFi detects unauthorized DNS changes to hypurr.fi attributed to social engineering at registrar Openprovider. Founder androolloyd posts urgent warning on X. Team migrates frontend to hypurrfi.com.","source":"The Block, Crypto Times","source_url":"https://www.theblock.co/post/396336/hypurrfi-investigates-domain-hijacking-warns-users-interacting-lending-protocol"},{"date":"2026-04-04","event":"HypurrFi team confirms recovery of hypurr.fi domain control via registrar; DNS propagation expected to take up to 24 hours. No user funds confirmed drained. Incident widely covered in crypto press.","source":"NullTX, DarkWebInformer (X)","source_url":"https://nulltx.com/hypurrfi-domain-breach-triggers-emergency-migration-as-team-confirms-protocol-and-funds-remain-secure/"},{"date":"2026-04-14","event":"CoW Swap's cow.fi domain is hijacked via social engineering against registrar Gandi SAS (allegedly involving falsified identity documents submitted to Traficom, Finland's .fi TLD registry). Phishing frontend drains approximately $1.2 million in user assets over 4.5 hours. Third major incident in the DeFi registrar attack cluster.","source":"CoinDesk, BingX Flash News","source_url":"https://www.coindesk.com/tech/2026/04/14/popular-defi-platform-warns-users-to-stay-away-from-its-site-after-security-breach"},{"date":"2026-04-15","event":"Web3SecNews publishes field report characterizing the Neutrl, HypurrFi, CoW Swap, and Steakhouse/cow.fi incidents as a coordinated campaign with common social engineering methodology at the registrar level.","source":"Web3SecNews (Substack)","source_url":"https://web3secnews.substack.com/p/the-fi-files-a-field-report-on-dns"},{"date":"2026-05-12","event":"CoW DAO passes CIP-86 to begin compensation for victims of the April 14 cow.fi hijack, with claims deadline of May 14.","source":"Crypto Times","source_url":"https://www.cryptotimes.io/2026/05/12/cip-86-passed-cow-dao-begins-compensation-for-april-attack/"},{"date":"2026-05-15","event":"HypurrFi announces planned wind-down of operations. Euler Finance assumes maintenance of Mewler contract stack on HyperEVM. Team states the decision is 'strategic instead of reactive' and explicitly not related to the April domain compromise.","source":"Crypto Times","source_url":"https://www.cryptotimes.io/2026/05/16/hypurrfi-announces-wind-down-as-euler-finance-takes-over/"},{"date":"2026-05-28","event":"HypurrFi Discord support access ends per wind-down timeline.","source":"Crypto Times","source_url":"https://www.cryptotimes.io/2026/05/16/hypurrfi-announces-wind-down-as-euler-finance-takes-over/"},{"date":"2026-07-15","event":"Scheduled closure of HypurrFi legacy markets per wind-down plan.","source":"Crypto Times","source_url":"https://www.cryptotimes.io/2026/05/16/hypurrfi-announces-wind-down-as-euler-finance-takes-over/"}]},"v":1}