Hyperliquid Security Timeline: Key Incidents, Risks, and Lessons
Since launch, Hyperliquid has become one of the most closely watched on-chain perpetuals platforms, known for its high-performance trading experience and its decentralized exchange narrative. At the same time, its growth has come with several security and risk events that are worth studying in detail.
For traders, understanding this history is not just about looking backward. A security timeline helps you evaluate platform risk, counterparty exposure, operational assumptions, and the practical steps you can take before placing capital on any venue. For the wider crypto community, these incidents also offer useful lessons about how on-chain derivatives markets behave under stress.
This article summarizes the major publicly documented security and risk events in the Hyperliquid ecosystem to date, explains their impact, and reviews the responses that followed.
Important note: this article relies on public information only and does not cite specific figures that cannot be independently verified. For real-time status, audit information, contract details, or official policy updates, always refer directly to Hyperliquid’s official documentation and channels.
Why a Security Timeline Matters
For perpetual futures traders, a platform’s security history is one input in assessing counterparty and venue risk. Unlike a centralized exchange, an on-chain protocol leaves a large amount of activity visible on public ledgers. That transparency can make past incidents easier to inspect, quantify, and learn from.
But transparency does not remove risk. On-chain derivatives platforms are exposed to several overlapping threat categories:
- Market manipulation around thinly traded assets
- Liquidation engine stress and vault-level risk
- Validator or governance intervention concerns
- Phishing websites and fake community channels
- Malicious approvals and drainer contracts
- Cross-ecosystem risks introduced by smart contract expansion
Major perpetual DEXs such as GMX and dYdX have faced different security and market-structure challenges during their development. Hyperliquid is no exception. The point is not to single out one venue, but to understand how these systems can fail, how teams respond, and what users can do to reduce their own exposure.
Incident Timeline Overview
2024: Abnormal Activity From Wallets Linked by Researchers to North Korean Actors
In the second half of 2024, on-chain analytics researchers identified substantial trading activity on Hyperliquid from wallet addresses that they associated with North Korean threat actors. The finding triggered broad discussion across the crypto security community.
Some researchers interpreted the behavior as possible reconnaissance rather than ordinary speculative trading. In other words, the concern was not only whether those wallets made or lost money, but whether a sophisticated actor was studying the platform’s mechanics, market depth, liquidation behavior, or operational response patterns.
Hyperliquid later responded publicly, stating that its security mechanisms had not detected signs of a breach and emphasizing that monitoring of abnormal addresses had been strengthened. No direct user asset loss was publicly attributed to this event.
Still, the incident highlighted an important reality: on-chain derivatives venues are visible to everyone, including advanced threat actors. High-performance trading protocols with meaningful liquidity can attract attention not only from traders and market makers, but also from groups studying potential attack surfaces.
For background on blockchain-based asset tracing and threat attribution, traders may find Chainalysis research on crypto asset tracking useful.
March 2025: The JELLYJELLY Price Manipulation Incident
The JELLYJELLY, or JELLY, incident is the most widely discussed single risk event in the Hyperliquid ecosystem so far.
According to public discussion and official follow-up, a participant took advantage of the JELLY token’s very thin spot liquidity. The actor established a large position in the perpetuals market while pushing up the spot price. As the market moved, the liquidation system was forced to transfer an unfavorable position into the HLP vault.
The Hyperliquid validator committee then voted to delist the JELLY perpetual market and settle all open positions at a specified price. After the event, Hyperliquid’s official communications stated that the HLP vault ended with a small surplus.
Even though the immediate financial outcome for the vault was described as positive, the handling of the event raised important questions in the community. The core debate was not only about the specific token or the settlement price, but about the degree of intervention possible in a system marketed as decentralized.
For traders, the JELLY event is a useful case study in several ways:
- Thin spot liquidity can create outsized risk in perpetual markets.
- Liquidation systems can be stressed by assets with weak external market depth.
- Vault depositors face risks that differ from directional traders.
- Emergency responses may protect the system while still raising decentralization concerns.
For the detailed sequence of events and official handling, refer to the relevant announcement in Hyperliquid Docs.
2025: Phishing Sites and Impersonation Domains Increase
As Hyperliquid’s user base grew, phishing attacks targeting its users became more visible throughout 2025. This is a common pattern in crypto: when a protocol gains traction, attackers register lookalike domains, create fake bots, impersonate support accounts, and publish fraudulent airdrop or reward campaigns.
In the Hyperliquid context, attackers have used tactics such as:
- Domains that closely resemble the official site
- Fake Discord or Telegram bots
- Impersonated support staff
- False airdrop claim pages
- Malicious wallet connection prompts
- Requests for seed phrases or private keys
OWASP’s definition of phishing and its prevention guidance are directly relevant here. Phishing is not a protocol exploit in the narrow technical sense, but for users the result can be the same: lost funds.
Hyperliquid’s only official application entry point is https://app.hyperliquid.xyz/. Any “Hyperliquid” page asking you to enter a private key or seed phrase is a scam.
Before signing anything, check the full URL carefully. Look for misspellings, extra characters, unusual top-level domains, and fake search ads. Do not rely on links from direct messages, sponsored results, or random social media replies. Bookmark the official app and use that bookmark rather than searching each time.
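The URL check described above can be made mechanical. The following is an added example, not code from Hyperliquid or OneKey: an exact-host allowlist for the one official entry point named in this article. The function name, the result shape, and the `.example` lookalike hosts used to exercise it are constructed for illustration.

```javascript
// Added example (not from the article): exact-host allowlist for the single
// official entry point the article names. Result shape is this example's own.
const OFFICIAL_HOST = "app.hyperliquid.xyz";

function checkHyperliquidUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch {
    return { ok: false, reason: "unparseable" };
  }
  if (u.protocol !== "https:") return { ok: false, reason: "not-https" };
  // "https://app.hyperliquid.xyz@login.example/" hides the real host after "@".
  if (u.username || u.password) return { ok: false, reason: "userinfo" };
  if (u.port !== "") return { ok: false, reason: "custom-port" };
  // The parser lowercases the host; drop a trailing root dot before comparing.
  const host = u.hostname.replace(/\.$/, "");
  if (host === OFFICIAL_HOST) return { ok: true, reason: "exact-match" };
  // Non-ASCII lookalike letters are converted to punycode labels ("xn--...").
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { ok: false, reason: "punycode-label" };
  }
  // The brand name appearing inside some other host is a lookalike pattern.
  if (host.includes("hyperliquid")) {
    return { ok: false, reason: "brand-in-other-host" };
  }
  return { ok: false, reason: "different-host" };
}
```

Only an exact match on scheme, host, and default port passes; a page that merely contains the brand name somewhere in its address is rejected.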
2025–2026: Drainer Contracts Target HyperEVM Users
With the rollout of HyperEVM, smart contract activity began expanding around the Hyperliquid ecosystem. That growth also introduced a broader set of EVM-style user risks, especially malicious approval and drainer attacks.
A typical drainer attack works like this:
- A user visits a fake or compromised website.
- The site prompts the user to connect a wallet.
- The user is asked to sign a transaction that appears routine.
- The transaction grants an unlimited or excessive token approval.
- The attacker later uses that approval to transfer assets out of the wallet.
These attacks are especially dangerous because the initial signature may not immediately move funds. A user may think nothing happened, while the malicious approval remains active in the background.
Chainalysis research on drainer toolkits has shown that drainers have become one of the fastest-growing categories of on-chain threats. As more users interact with HyperEVM contracts, regular approval hygiene becomes essential.
A practical baseline: use Revoke.cash regularly to review and revoke unnecessary contract approvals. If an approval is unfamiliar, old, or no longer needed, revoke it. This habit is especially important for wallets that interact with new tokens, airdrops, NFT mints, bridges, or unofficial front ends.
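The approval step in the sequence above is visible in the calldata a wallet asks you to sign. The following is an added example, not code from the article or from any wallet: it decodes the standard ERC-20 and ERC-721 approval calls and classifies the grant as unlimited, excessive, or bounded. The risk labels, the `balance` parameter, and the placeholder spender address are assumptions of this example.

```javascript
// Added example (not from the article): classify approval-granting calldata
// before it is signed. Selectors are the standard ERC-20 / ERC-721 ones.
const MAX_UINT256 = (1n << 256n) - 1n;
const APPROVAL_SELECTORS = {
  "095ea7b3": "approve(address,uint256)",
  "39509351": "increaseAllowance(address,uint256)",
  "a22cb465": "setApprovalForAll(address,bool)",
};

// data: hex calldata shown in the signing prompt.
// balance: the wallet's current token balance in base units (BigInt). This is
// an assumption of the example, used to decide what counts as "excessive".
function inspectCalldata(data, balance = 0n) {
  const hex = String(data).toLowerCase().replace(/^0x/, "");
  if (!/^[0-9a-f]{8,}$/.test(hex)) return { call: null, risk: "invalid" };
  const call = APPROVAL_SELECTORS[hex.slice(0, 8)];
  if (!call) return { call: null, risk: "not-an-approval" };
  // Two 32-byte ABI words must follow the 4-byte selector.
  if (hex.length < 8 + 128) return { call, risk: "malformed" };
  const spender = "0x" + hex.slice(8 + 24, 8 + 64); // low 20 bytes of word 1
  const value = BigInt("0x" + hex.slice(8 + 64, 8 + 128)); // word 2
  let risk;
  if (call.startsWith("setApprovalForAll")) {
    risk = value === 0n ? "revocation" : "operator-for-all";
  } else if (value === 0n) {
    risk = call.startsWith("approve") ? "revocation" : "no-op";
  } else if (value === MAX_UINT256) {
    risk = "unlimited";
  } else if (value > balance) {
    risk = "excessive";
  } else {
    risk = "bounded";
  }
  return { call, spender, value, risk };
}

// Constructed samples: spender 0x1111...1111 is a placeholder address.
const SPENDER_WORD = "00".repeat(12) + "11".repeat(20);
const word = (n) => n.toString(16).padStart(64, "0");
const SAMPLE_UNLIMITED = "0x095ea7b3" + SPENDER_WORD + word(MAX_UINT256);
const SAMPLE_BOUNDED = "0x095ea7b3" + SPENDER_WORD + word(500n);
const SAMPLE_NFT_ALL = "0xa22cb465" + SPENDER_WORD + word(1n);
```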
Comparing the Main Risk Categories
The events above are different, but they can be grouped into a few major risk types.
Market-Structure Risk
The JELLY incident falls into this category. Perpetual markets rely on price feeds, liquidity, liquidation logic, and risk parameters. When the underlying spot market is thin or easy to move, the perp market can become vulnerable to manipulation.
For traders, this means that not all markets on the same venue carry the same risk. A major pair with deep liquidity is not equivalent to a small-cap token with shallow spot markets.
Platform Governance and Intervention Risk
The validator committee’s decision to delist and settle JELLY positions became a focal point for debate. Emergency intervention can help contain losses, but it also raises questions about who has authority during stress and how predictable those decisions are.
This is a recurring trade-off in decentralized finance: systems that are completely rigid may fail under extreme conditions, while systems with emergency controls require trust in the people or validators who can use them.
User-Side Security Risk
Phishing sites, fake domains, malicious bots, and drainer contracts mostly target users directly. In these cases, the protocol itself may not be compromised, but users can still lose funds by signing the wrong message or trusting the wrong interface.
This is where personal operational security matters most. Hardware wallets, URL discipline, approval reviews, and wallet segmentation can significantly reduce risk.
Ecosystem Expansion Risk
HyperEVM expands what builders and users can do, but it also increases the attack surface. More contracts mean more approvals, more front ends, more third-party integrations, and more opportunities for attackers to imitate legitimate activity.
Growth is not inherently bad, but it requires better wallet hygiene from users.
OneKey Hardware Wallet: A Practical First Line of Defense
Across all of these incidents, one defensive principle stands out: separate your main assets from hot-wallet risk.
A OneKey hardware wallet helps by storing private keys offline. That does not make trading risk disappear, and it cannot prevent every bad decision. But it does reduce the chance that a compromised browser, fake website, or malware-infected device can directly steal your private keys.
When used with OneKey Perps as part of a disciplined workflow, you can build a safer trading setup:
- Sign sensitive actions with a hardware wallet so transactions require physical confirmation.
- Keep long-term holdings and larger balances in cold storage.
- Move only short-term trading margin to the wallet or account you actively use.
- Separate your main wallet from experimental DeFi activity.
- Review token approvals through Revoke.cash on a regular schedule.
- Verify the Hyperliquid app URL before connecting or signing.
OneKey Perps is useful as a practical workflow layer for traders who want to access perpetuals while keeping custody discipline at the center of their setup. The goal is not to eliminate risk — no trading venue or wallet can do that — but to make common failure paths harder: phishing, careless approvals, hot-wallet compromise, and overexposure of main funds.
To get started, visit onekey.so/download and set up OneKey before routing serious capital into any on-chain trading workflow.
Frequently Asked Questions
Q1: Does Hyperliquid have public security audit reports?
Check Hyperliquid’s official documentation directly for the latest audit status. This article does not cite audit conclusions that cannot be independently verified.
Q2: Did Hyperliquid change its listing standards after the JELLY incident?
The Hyperliquid team indicated after the event that it would review relevant parameters. Any concrete policy changes should be confirmed through official announcements and documentation.
Q3: How can I tell whether a “Hyperliquid” website is real?
Hyperliquid’s only official application entry point is https://app.hyperliquid.xyz/. Before connecting a wallet or signing anything, check the URL spelling, HTTPS certificate, and source of the link. Never enter your seed phrase or private key into any website.
Q4: How often should regular users check wallet approvals?
A practical rule is to check approvals at least once a month using Revoke.cash. Revoke anything you do not recognize or no longer use. If you frequently try new protocols, check more often.
Q5: How is depositing into HLP different from directly trading perpetuals?
HLP deposits expose users to vault-level system risk, including the aggregate outcome of market-making, liquidations, and platform risk parameters. Direct perp trading exposes users to position-level directional risk, leverage risk, liquidation risk, and funding conditions. Both can result in losses and should be evaluated separately.
Conclusion
Hyperliquid’s security and risk history shows the layered reality of on-chain derivatives markets. Risks can come from market manipulation, emergency governance decisions, phishing campaigns, malicious approvals, and smart contract ecosystem expansion.
No platform can guarantee zero risk. What users can control is their own setup: where they keep funds, how much capital they expose, which interfaces they trust, and what they sign.
The core principle is simple: keep your main assets under your own control and avoid exposing more than necessary to active trading environments. A OneKey hardware wallet is a direct way to strengthen that setup, and OneKey Perps provides a practical workflow for traders who want to approach on-chain perps with better custody habits.
Visit onekey.so to learn more about OneKey, or go to onekey.so/download to start building a safer on-chain trading setup.
Risk warning: This article is for informational purposes only and does not constitute investment, financial, legal, or trading advice. Crypto asset trading involves significant risk, including loss of principal, platform risk, smart contract risk, market risk, and regulatory risk. A review of past security events is not a prediction or endorsement of future outcomes. Always make independent decisions based on your own risk tolerance.



