Hyperliquid

🔴 High Risk

The Hyperliquid HYPE ecosystem’s 2025 saga of exploits and manipulations exemplifies the double-edged sword of DeFi innovation, where blistering growth to 70-80% dominance in perpetual futures trading—fueled by sub-second executions, zero gas fees, and 50x leverage—has invited predatory “degen warfare” and state-sponsored predation, inflicting over $30 million in HLP bad debt through oracle gaming, self-liquidations, and DPRK-linked wallet breaches. While the platform’s resilient liquidity vault and validator interventions (pausing markets, delisting perps, oracle tweaks) turned potential catastrophes like the March $13.5 million ETH/JELLYJELLY hits into net gains, these serial attacks expose glaring Layer 1 frailties: validator centralization (just 16 nodes amid Ethereum’s thousands), thin liquidity vulnerabilities, and blurred lines between competitive sabotage (e.g., Binance/OKX listing timings) and outright crime. Absent traditional enforcement or PEP/laundering ties, on-chain transparency via sleuths like Lookonchain empowered community reckoning and $60 million outflows, yet the absence of regulatory teeth—despite CFTC scrutiny—signals systemic risks in unanchored, permissionless derivatives, where “clean” perp profits mask deeper threats to retail users and DeFi’s legitimacy amid HYPE’s volatile surges.​

Hyperliquid’s 2025 exploits and manipulations inflicted over $30 million in ecosystem impact through perpetual futures liquidations, oracle manipulations, and DPRK-linked hacks on its Layer 1 blockchain and HLP vault. Key events spanned March’s ETH/JELLYJELLY self-liquidation attacks ($13.5M mitigated to $700k gain), September’s $700k breach, October’s $21.8M wallet/dApp hits, and November’s $4.9M POPCAT pump-dump via 19 wallets.

Validators (16 nodes) intervened with pauses, delistings, and oracle fixes, absorbing shocks amid $8B daily volumes and $100M monthly fees, while no money laundering, PEPs, or enforcement actions materialized—relying on on-chain sleuthing (Lookonchain, PeckShield) and $60M outflows for resolution. These exposed centralization risks in DeFi’s perp leader (70-80% share), blending degen sabotage with state threats, yet highlighted resilience without traditional probes.

Countries Involved

Primary involvement centers on the United States, as Hyperliquid engages with the CFTC on perpetual trading regulations, and exploits align with global DeFi patterns but lack specific geographic attribution beyond blockchain analysis. North Korean state-sponsored hackers were implicated in related 2025 attacks on Hyperliquid, including a $700,000 breach in September tracked by threat monitors linking addresses to DPRK groups, amid their $2 billion crypto theft tally that year. Secondary ties to China emerge from rapid listings on exchanges like Binance and OKX during manipulations, sparking collusion claims, though unproven. The platform’s global user base, including US traders, amplifies cross-border risks, with no single country dominating due to on-chain anonymity. Validator concentration (only 16 nodes) raises collusion fears potentially involving any jurisdiction with sophisticated actors. European regulators monitor peripherally via broader crypto fraud busts, but this case remains protocol-specific without arrests. Overall, it’s a borderless DeFi event underscoring international enforcement challenges in tracking wallet clusters across exchanges.

The exploits were discovered and reported in March 2025, with two attacks hitting Hyperliquid’s liquidation system in quick succession, as detailed in CoinGecko’s aggregate report published June 11, 2025, covering March events. Initial detection came via on-chain monitoring during the ETH perp exploit, followed by the JELLYJELLY manipulation, publicly analyzed post-facto. Validators acted swiftly, pausing trading same-month, amid real-time community alerts. This fits a pattern of 2025 incidents: September North Korean hack reported immediately by @tayvano_, October Hyperdrive ($782k) and wallet ($21M) breaches via PeckShieldAlert, and November POPCAT manipulation flagged by Lookonchain on November 13. March event predates HYPE’s price surge to ATH $59.40 by September, yet exposed early vulnerabilities during meteoric growth. Reporting relied on blockchain sleuths like ZachXBT criticizing responses, with no formal regulatory filing due to DeFi self-governance. Timeline underscores rapid evolution from exploit to mitigation, informing later security upgrades.

HYPE, ETH, USDC, POPCAT, JELLYJELLY and other listed perpetual futures pairs on Hyperliquid.

Market manipulation and protocol exploits, classified as economic attacks rather than traditional theft, involving self-liquidation schemes to offload bad debt onto HLP via leveraged positions and oracle gaming. Not outright hacking but sophisticated DeFi warfare: pump with large buys, self-liquidate by withdrawing collateral or crashing prices, profiting inversely elsewhere. North Korean incidents add state-sponsored theft via wallet compromises and abnormal trading patterns. No fiat fraud or rug pulls; purely on-chain perp abuses exploiting thin depth and automated LP absorption. Critics label it “peak degen warfare,” with $3M torched for $4.9M HLP damage in POPCAT case. March ETH/JELLYJELLY dual hits manipulated prices for $13.5M unrealized HLP loss (mitigated). Regulatory gray area: CFTC eyes perps, but DeFi decentralization evades immediate prosecution. Risks include collusion accusations against CEXs listing manipulated tokens. Broader context: aligns with $2B North Korean crypto thefts, blending crime with competitive sabotage.

Hyperliquid protocol/team/validators (16 nodes), HLP liquidity vault absorbing losses, attackers (anonymous wallets, North Korean-linked clusters), and external exchanges like OKX (USDC source), Binance (JELLYJELLY listing). Blockchain sleuths: Lookonchain (POPCAT), @tayvano_ (DPRK), PeckShieldAlert (October hacks), ZachXBT (critic). No identified individuals like James Wynn (trader/security link in laundering rumors, unconfirmed). Hyperdrive (Hyperliquid dApp) hit separately. Community users faced $60M USDC outflows post-breaches. CFTC peripherally via Hyperliquid engagements. No PEPs named. Whale traders coordinated $285M ETH positions for March cascade. Elliptic tracks DPRK trends. Gate.com, CoinGecko report aggregates. Platform’s four-validator reliance (early reports) heightened risks, now 16 but still vulnerable vs. Ethereum’s 1,000+.

No. No politically exposed persons (PEPs) identified in reports across exploits, hacks, or manipulations. Attacks traced to anonymous wallets, DPRK hackers (state actors, not PEPs), and degens/whales without public ties to officials. Hyperliquid’s permissionless nature obscures identities, but sleuths raised no PEP flags. Rumors like James Wynn lack PEP context. Focus remains protocol/users, not elites. Regulatory probes absent, unlike fiat AML cases.

No direct money laundering confirmed; exploits generated clean profits via perp trading, potentially launderable through DEX/CEX hops, but primary crime is manipulation, not layering illicit funds. Attackers cashed out via inverse CEX positions post-liquidation, blending gains on-chain. DPRK hacks typical: choppers mix stolen crypto across bridges/wallets before OTC. HLP bad debt isn’t laundering but forced absorption. Rumors of Hyperliquid as “laundering tool” via trader overlaps unproven. Self-liquidation mimics legit trading, evading simple flags. No mixer/Tornado use noted; relies on perp volume ($8B daily) for obfuscation.

Not applicable; no laundering proven. Exploit profits/losses: $13.5M mitigated to $700k gain (March), $4.9M HLP bad debt (POPCAT), $4.03M treasury (ETH manip), $700k+ (Sep DPRK), $782k (Hyperdrive), $21M (wallet). Total ecosystem impact exceeds $30M, but attacker gains ~$3-5M per event, not laundered sums. HLP resilient via fees.

On-chain: Attacker splits USDC (e.g., $3M OKX to 19 wallets), builds $20-30M leveraged longs, pumps price via buys, withdraws collateral or dumps for crash/liquidations, inverse profits elsewhere. JELLYJELLY: short, oracle manip, delist. ETH: $285M position cascades. DPRK: flagged addresses trade abnormally. HLP absorbs post-collateral exhaust. Validators intervene. Thin depth exploited; $60M outflows follow.
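A monitoring heuristic for the fan-out pattern described above, as an added example that is not from the original page or from Hyperliquid: it groups wallets funded by one source within a short window, then flags clusters whose combined same-side notional is a large share of a market's open interest. The record layouts, wallet and source labels, thresholds and the open-interest figure are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (not real on-chain records); field layouts are assumptions.
WALLETS = [f"0xW{i:02d}" for i in range(19)]
# (timestamp_s, funding_source, destination_wallet, usdc_amount)
TRANSFERS = [(1000 + 60 * i, "cex_withdrawal_A", w, 3_000_000 / 19)
             for i, w in enumerate(WALLETS)]
TRANSFERS += [(1200, "cex_withdrawal_B", "0xB1", 50_000),
              (9000, "cex_withdrawal_B", "0xB2", 20_000)]
# (timestamp_s, wallet, market, side, notional_usd)
POSITIONS = [(5000 + i, w, "POPCAT", "long", 1_300_000.0)
             for i, w in enumerate(WALLETS)]
POSITIONS += [(5100, "0xB1", "POPCAT", "short", 200_000.0)]
MARKET_OI = {"POPCAT": 60_000_000.0}  # constructed open interest in USD


def find_funded_clusters(transfers, min_wallets=5, window_s=3600):
    """Wallets funded by the same source within window_s of its first transfer."""
    by_source = defaultdict(list)
    for ts, src, dst, _amount in sorted(transfers):
        by_source[src].append((ts, dst))
    clusters = {}
    for src, rows in by_source.items():
        start = rows[0][0]
        wallets = {dst for ts, dst in rows if ts - start <= window_s}
        if len(wallets) >= min_wallets:
            clusters[src] = wallets
    return clusters


def flag_concentrated_exposure(clusters, positions, market_oi, share_threshold=0.25):
    """Alert when one cluster's same-side notional is a large share of open interest."""
    alerts = []
    for src, wallets in clusters.items():
        totals = defaultdict(float)
        for _ts, wallet, market, side, notional in positions:
            if wallet in wallets:
                totals[(market, side)] += notional
        for (market, side), total in totals.items():
            share = total / market_oi[market]
            if share >= share_threshold:
                alerts.append({"source": src, "market": market, "side": side,
                               "wallets": len(wallets), "notional": total,
                               "oi_share": round(share, 3)})
    return alerts


if __name__ == "__main__":
    for alert in flag_concentrated_exposure(
            find_funded_clusters(TRANSFERS), POSITIONS, MARKET_OI):
        print(alert)
```

Per-wallet position limits miss this pattern because each wallet looks unremarkable on its own; the signal only appears once exposure is aggregated by funding source.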

None direct; DeFi self-mitigation: pauses, delists, oracle fixes. CFTC monitors perps. No arrests; DPRK sanctions ongoing. Community critiques centralization. Outflows signal market enforcement.

Hyperliquid
Case Title / Operation Name:
Hyperliquid
Country(s) Involved:
United States
Platform / Exchange Used:
Hyperliquid (decentralized perpetual futures exchange); external venues including Binance and OKX referenced in context.
Cryptocurrency Involved:

HYPE, ETH, USDC, POPCAT, JELLYJELLY and other listed perpetual futures pairs on Hyperliquid.

Volume Laundered (USD est.):
N/A
Wallet Addresses / TxIDs:
Multiple attacker-controlled wallets interacting with Hyperliquid and external exchanges; specific addresses and TxIDs documented in public on-chain analyses and alerts.
Method of Laundering:

No direct laundering scheme formally established; activity centers on market manipulation and protocol-level exploitation (e.g., self-liquidation strategies and oracle/price manipulation) that could subsequently be followed by off-ramping via exchanges.

Source of Funds:

Primarily trading capital and collateral deployed on Hyperliquid; some incidents linked to wallets attributed to North Korean state-backed hacking activity, where upstream funds are believed to originate from prior crypto thefts.

Associated Shell Companies:

N/A

PEPs or Individuals Involved:

N/A

Law Enforcement / Regulatory Action:
As of available reporting, no direct prosecutions specific to these incidents; responses have consisted mainly of protocol-level measures (pausing markets, adjusting oracles, delisting affected pairs) while regulators focus more broadly on DeFi derivatives oversight.
Year of Occurrence:
2025 (primary exploit and manipulation activity, along with related security incidents on the Hyperliquid ecosystem).
Ongoing Case:
Ongoing