A fraudulent app posing as Hyperliquid slipped past Google Play’s defenses, sparking warnings for crypto users.
- Scammers bypass automated security protocols to publish a fraudulent mobile application impersonating the Hyperliquid exchange on the Google Play Store.
- Blockchain investigator ZachXBT identifies the software as a critical credential stealer actively extracting private wallet keys and seed phrases.
- This sophisticated breach exposes the systemic inability of technology corporations like Google to police malicious clones within their marketplaces.
Blockchain investigator ZachXBT first flagged a fake Hyperliquid app on Google Play that mimicked the exchange’s interface and branding.
Fake Hyperliquid App Bypasses Google Safeguards
On November 7, an alert from ZachXBT put the crypto community on notice about a fake Hyperliquid app appearing in the Google Play Store. The post called attention to how easily polished impostors can appear in major app marketplaces.
The on-chain sleuth shared a screenshot showing how the app's design cues resembled the real platform to appear legitimate. ZachXBT also noted, “None of these platforms seem to do a good job of filtering these scams out.” In addition to the warning, he shared the “theft address.”

Malware Confirmed to Target Seed Phrases and Private Keys
The malware analysis, conducted by X user @Phish_Destroy, dated November 7, 2025, classified the fraudulent app as a “credential_stealer” of critical severity. The report confirmed the explicit goal of the application was to steal specific data: seed phrases, private keys, and general wallet credentials.
The analysis identified the app’s malicious network infrastructure, including the domain hyperl-jeet[.]sbs. All communications with the fraudulent application utilized this unique, non-official domain.
Sophisticated Features Designed to Evade Detection
The technical analysis also indicated that the fake Hyperliquid app employed several sophisticated security features intended to conceal its malicious activity and evade detection by security software. These features included obfuscation and SSL pinning.
Obfuscation is used to make the malicious code difficult to reverse-engineer, while SSL pinning prevents security researchers from easily intercepting and analyzing the app’s network traffic. The app, with the package name com.renault.fisiop, explicitly impersonated the Hyperliquid brand, targeting the DeFi wallet user base.
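For defenders, the two indicators named above (the domain and the package name) can be checked against DNS logs and a device's package inventory. The sketch below is an added example, not part of the cited analysis; the log line format, function names, and sample data are assumptions constructed for illustration.

```python
# Indicators quoted in the article; the domain stays defanged as published.
IOC_DOMAIN_DEFANGED = "hyperl-jeet[.]sbs"
IOC_PACKAGE = "com.renault.fisiop"

def refang(indicator):
    """Convert a defanged indicator back to its matchable form."""
    return indicator.replace("[.]", ".").lower()

def host_matches(host, ioc_domain):
    """Match the domain or any subdomain, but not look-alike names."""
    host = host.rstrip(".").lower()
    return host == ioc_domain or host.endswith("." + ioc_domain)

def scan_dns_log(lines, ioc_domain):
    """Return (client, qname) for each query that hits the IoC domain.
    Assumed line format: <timestamp> <client-ip> <qtype> <qname>"""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) == 4 and host_matches(parts[3], ioc_domain):
            hits.append((parts[1], parts[3]))
    return hits

def package_installed(pm_output, package):
    """Exact-match a package id in `adb shell pm list packages` output."""
    installed = {ln.split(":", 1)[1].strip()
                 for ln in pm_output.splitlines() if ln.startswith("package:")}
    return package in installed

DOMAIN = refang(IOC_DOMAIN_DEFANGED)

# Constructed sample data, not taken from the analysis.
SAMPLE_DNS = [
    f"2025-11-07T10:02:11Z 10.0.0.21 A api.{DOMAIN}",
    f"2025-11-07T10:02:15Z 10.0.0.22 A not{DOMAIN}",
    f"2025-11-07T10:03:01Z 10.0.0.23 A {DOMAIN}.example.org",
    f"2025-11-07T10:04:40Z 10.0.0.24 AAAA {DOMAIN.upper()}.",
]
SAMPLE_PM = "package:com.android.chrome\npackage:com.renault.fisiop\n"

if __name__ == "__main__":
    for client, qname in scan_dns_log(SAMPLE_DNS, DOMAIN):
        print(f"IoC domain queried by {client}: {qname}")
    if package_installed(SAMPLE_PM, IOC_PACKAGE):
        print(f"IoC package present: {IOC_PACKAGE}")
```

Matching on the label boundary keeps names that merely contain the indicator string, such as the second and third sample lines, from raising false alerts.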
How to Stay Safe
- Do not download any mobile app claiming to be Hyperliquid.
- Always access Hyperliquid through the official web platform.
- Avoid entering wallet information or seed phrases into apps you cannot verify.
- Remove suspicious apps immediately and consider using hardware wallets for added security.
Chain Street’s Take
This fake Hyperliquid app shows how scammers continue to target crypto users through app stores. Even polished listings can be deceptive, emphasizing the importance of verifying sources and exercising caution.





