Was the Hyperliquid platform itself hacked?

No. Hyperliquid’s smart contracts and protocol continued to operate normally. The funds were lost due to a private-key compromise affecting one trader’s wallet.

What happened after the $16M HYPE trade?

Minutes after closing a $16M long and selling 100,000 HYPE (~$4.4M), the trader’s wallet was drained. Around $17M moved to Arbitrum, was bridged (including via deBridge), and converted to DAI, while ~$3.1M in MSYRUPUSDP was withdrawn from the Plasma Syrup Vault to a new address.

Where are the funds currently located?

Funds are held across DAI-denominated wallets, with key addresses 0xF4bE227b268e191b79097Daad0AcCcD9a7A7FAD2 and 0x37fc5f763b28b15f4952d616f0e25b56a6ca1d18. The stolen MSYRUPUSDP tokens are stored at 0x3e2E66af967075120fa8bE27C659d0803DfF4436.

What does this incident mean for DeFi traders?

It highlights the ongoing risk of endpoint attacks. Strong DeFi protocols can’t protect users from compromised keys. Traders should use hardware wallets or multisig, disable auto-approvals, separate funds across accounts, and follow strict operational security practices.

How did AMLBot trace the stolen funds?

Using AMLBot Tracer, analysts visualized the full on-chain movement from the compromised wallet through bridging protocols such as deBridge to DAI-consolidated destinations. These wallets remain under continuous monitoring.

Investigations & Case Studies

Private-Key Compromise After $16M Hyperliquid Trade — Full On-Chain Breakdown

Q: Can stolen crypto be recovered after a key compromise?

Recovery may be possible if funds move through traceable or regulated intermediaries. AMLBot supports recovery investigations and liaises with exchanges and law enforcement for reporting and tracing.

AMLBot Team

Oct 10, 2025 • 4 min read

Updated: Oct 11, 2025

TL;DR: A Hyperliquid whale lost $20M+ after a private-key compromise. Using AMLBot’s Tracer, we mapped the visible on-chain flow: ~$17M moved from the trader’s wallet to Arbitrum, was bridged (incl. via deBridge) and converted to DAI. Another ~$3.1M in MSYRUPUSDP was taken from the Plasma Syrup Vault to a new address. It was not a smart-contract exploit. This was an endpoint/key compromise.

What Happened to Hyperliquid?

There were no issues with the Hyperliquid protocol itself. The platform continues to operate normally. A trader on Hyperliquid lost more than $20 million after their private key was compromised, likely through phishing or malware. The incident occurred shortly after the trader closed a $16M long position in HYPE and sold 100,000 HYPE tokens worth approximately $4.4M.

👉 We covered the case in real time on X (Twitter).

🚨 BREAKING — Whale on @HyperliquidX
drained: $20M+ stolen after a private-key leak.
Closed a $16M $HYPE long, wallet got emptied minutes later. ~$17M from Hyperliquid + ~$3.1M from Plasma Syrup Vault. 💸🔐

Funds moved → Arbitrum, then bridged to ETH and exchanged to DAI via… pic.twitter.com/M1E1Tmx3bh
— AMLBot (@AMLBotHQ) October 10, 2025

On-Chain Overview via AMLBot Tracer

The wallet connected to the trader’s Hyperliquid account was completely drained. Using our blockchain analytics tool Tracer, we mapped the visible on-chain flow of stolen funds.

The diagram below illustrates how approximately $17M in stablecoins departed from the Hyperliquid-affiliated wallet, passed through intermediary addresses, and was routed via deBridge before being converted into DAI. From that flow, more than ~$15.9M in stablecoins appear to have moved through deBridge, before consolidating into new wallets now holding approximately $10M DAI. In total, around $17M moved from the trader’s wallet, and an additional $3.1M in MSYRUPUSDP tokens was withdrawn from the Plasma Syrup Vault to a new address.

On-chain movement visualized by AMLBot Tracer. The graph highlights how the stolen $20M was moved from Hyperliquid through deBridge and converted into DAI across two new wallets.

The assets are now sitting at:
𒊹0xF4bE227b268e191b7097Daad0AcCcD9a7A7FAD2 𒊹0x37fc5f763b28b15f4952d616f0e25b56a6ca1d18

The stolen MSYRUPUSDP tokens are held separately at: 𒊹0x3e2E66af967075120fa8bE27C659d0803DfF4436

Such transfers are typical for private-key-based thefts. Fast swaps, bridges, and splitting funds to avoid clustering detection. In addition, according to Hyperliquid community member Luke Cannon, about $300,000 more might have been lost through connected addresses, meaning the total damage could exceed $20.3M. This underlines that multiple wallets were likely compromised simultaneously — an indication of malware or phishing infection rather than a single key leak.

Looks like they were drained on this wallet as well for another ~$300k on mainnet:https://t.co/SMs8U34TNc
— Luke Cannon (@lukecannon727) October 9, 2025

Explore AMLBot’s Latest On-Chain Investigations

What This Means

A bit of background. After a major airdrop in November 2024, the decentralized exchange Hyperliquid quickly drew industry attention and frequently ranked among the top DEXs by trading volume, often ahead of Jupiter and dYdX. High throughput, a no-KYC model, and ample liquidity made it attractive to professional traders and large holders.

Along the way, the platform saw a few stress points (e.g., market dynamics around JELLYJELLY, oracle and delisting debates), which are typical for fast-growing venues and speak to the operational complexity of scaling execution, transparency, and market integrity. However, this wasn’t a protocol exploit. It was a key compromise. Hyperliquid’s smart contracts weren’t breached. The attacker simply acted as the legitimate owner. Incidents like this highlight a recurring pattern across DeFi: strong protocol engineering can still be undermined by weak endpoint security.

What’s Next: Ongoing Tracking of the Hyperliquid

For now, all identified hacker wallets remain active and traceable on-chain. Our analysts are continuing to monitor them.

Stay in the Loop: Follow Us on X for Quick Updates: @AMLBotHQ

Follow AMLBotHQ

Contact Recovery Team

FAQ

Was Hyperliquid Itself Hacked?

No. Hyperliquid’s smart contracts and core protocol were not compromised. The loss resulted from a private-key leak of one trader’s wallet, not a breach of the DEX infrastructure.

What Happened During the Hyperliquid Private Key Leak?

A whale reportedly lost over $20 million after a key compromise. AMLBot traced around $17M in stablecoins and $3.1M in MSYRUPUSDP tokens through bridging and swapping activity.

How Did the Attacker Move the Funds?

Funds were bridged from Arbitrum to Ethereum and converted to DAI via deBridge. The traced wallets remain active and under monitoring by AMLBot analysts.

What Does the Hyperliquid Incident Mean for DeFi Traders?

This case once again underscores a critical reality of decentralized finance: the security of funds often depends not on the protocol itself, but on the trader’s operational practices.

Private keys are single points of failure. Using hardware wallets or multi-signature setups greatly reduces the risk compared to browser extensions or hot wallets. Operational security also plays a vital role. Funds should be kept in separate wallets, automatic approvals disabled, and sensitive accounts accessed only from dedicated devices. Bridges add both visibility and complexity. When assets move through cross-chain bridges like deBridge, they become harder to track, but with advanced blockchain analytics tools such as AMLBot Tracer, it remains possible. Finally, transparency does not guarantee protection. Even though transactions are public on-chain, immediate response and reporting are essential for successful recovery and cooperation with law enforcement.

Can Stolen Crypto Be Recovered After a Key Compromise?

In most cases, recovery is possible only if the funds move through traceable intermediaries or centralized bridges. AMLBot provides professional crypto recovery and blockchain investigation services, helping victims coordinate with exchanges and law enforcement.