New Crypto Scam: Fake Hyperliquid App on Google Play Exposed

Takeaways
  • A fake Hyperliquid app on the Google Play Store was analyzed, confirming it is a “credential_stealer” malware explicitly designed to target user seed phrases and private keys
  • The malicious app used a deceptive domain, hyperl-jeet[.]sbs, and deployed defensive security features, such as SSL pinning and obfuscation, to evade detection
  • Investigator ZachXBT’s alert, which was accompanied by the Ethereum theft address, highlights the risk posed by sophisticated malware impersonating decentralized finance (DeFi) tools

A fraudulent app posing as Hyperliquid slipped past Google Play’s defenses, sparking warnings for crypto users.

Blockchain investigator ZachXBT first flagged a fake Hyperliquid app on Google Play that mimicked the exchange’s interface and branding.

Fake Hyperliquid App Bypasses Google Safeguards

On November 7, an alert from ZachXBT put the crypto community on notice about a fake Hyperliquid app appearing in the Google Play Store. The post called attention to how easily polished impostors can appear in major app marketplaces. 

The on-chain sleuth shared a screenshot showing how the app borrowed design cues from the real platform to appear legitimate. ZachXBT also noted, “None of these platforms seem to do a good job of filtering these scams out.” Along with the warning, he shared the “theft address.”

Malware Confirmed to Target Seed Phrases and Private Keys

The malware analysis, conducted by X user @Phish_Destroy and dated November 7, 2025, classified the fraudulent app as a “credential_stealer” of critical severity. The report confirmed that the explicit goal of the application was to steal specific data: seed phrases, private keys, and general wallet credentials.

The analysis identified the app’s malicious network infrastructure, including the domain hyperl-jeet[.]sbs. All of the fraudulent app’s network communication used this unique, non-official domain.

Sophisticated Features Designed to Evade Detection

The technical analysis also indicated that the fake Hyperliquid app employed several sophisticated security features intended to conceal its malicious activity and evade detection by security software. These features included obfuscation and SSL pinning. 

Obfuscation is used to make the malicious code difficult to reverse-engineer, while SSL pinning prevents security researchers from easily intercepting and analyzing the app’s network traffic. The app, with the package name com.renault.fisiop, explicitly impersonated the Hyperliquid brand, targeting the DeFi wallet user base. 
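
As an added example (not from the article or the @Phish_Destroy report), the two indicators named above can be checked against DNS logs and a device app inventory. The log layout, the inventory rows and the function names are assumptions made for illustration; the sample data is constructed.

```python
# Indicators quoted in the article; the domain is defanged there.
IOC_DOMAINS = ["hyperl-jeet[.]sbs"]
IOC_PACKAGES = {"com.renault.fisiop"}
BRAND = "hyperliquid"  # per the article, any mobile app using this name is suspect

def refang(indicator):
    # "[.]" -> "." so the indicator can be compared with real hostnames.
    return indicator.replace("[.]", ".").lower()

def host_matches(host, ioc):
    # Match the domain itself or a subdomain, on a label boundary (no substrings).
    host = host.lower().rstrip(".")
    return host == ioc or host.endswith("." + ioc)

def scan_dns_log(lines):
    # Assumed log layout: "<timestamp> <client-ip> <qtype> <name>".
    iocs = [refang(d) for d in IOC_DOMAINS]
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 4 and any(host_matches(fields[3], d) for d in iocs):
            hits.append((fields[1], fields[3].lower().rstrip(".")))
    return hits

def scan_inventory(rows):
    # rows: (package_id, display_label) pairs, e.g. exported from an MDM.
    findings = []
    for package, label in rows:
        if package in IOC_PACKAGES:
            findings.append((package, "known-bad package id"))
        elif BRAND in "".join(c for c in label.lower() if c.isalnum()):
            findings.append((package, "label impersonates brand"))
    return findings

# Constructed sample data, not taken from the analysis report.
SAMPLE_DNS = [
    "2025-11-07T10:01:02Z 10.0.0.21 A api.hyperl-jeet.sbs.",
    "2025-11-07T10:01:05Z 10.0.0.22 A HYPERL-JEET.SBS",
    "2025-11-07T10:01:09Z 10.0.0.23 A nothyperl-jeet.sbs",
    "2025-11-07T10:01:11Z 10.0.0.24 A hyperl-jeet.sbs.example.net",
]
SAMPLE_INVENTORY = [
    ("com.renault.fisiop", "Hyperliquid"),
    ("org.example.trade", "Hyper-Liquid Pro"),
    ("com.android.chrome", "Chrome"),
]

if __name__ == "__main__":
    print(scan_dns_log(SAMPLE_DNS), scan_inventory(SAMPLE_INVENTORY))
```

Because the package name bears no relation to the brand shown to the user, the inventory check compares both the package id and the display label rather than either one alone.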

How to Stay Safe

  • Do not download any mobile app claiming to be Hyperliquid.
  • Always access Hyperliquid through the official web platform.
  • Avoid entering wallet information or seed phrases into apps you cannot verify.
  • Remove suspicious apps immediately and consider using hardware wallets for added security.

Chain Street’s Take

This fake Hyperliquid app shows how scammers continue to target crypto users through app stores. Even polished listings can be deceptive, which underscores the importance of verifying sources and exercising caution.

Frequently Asked Questions

What was the scam reported in the article?

A fake mobile application impersonating the decentralized finance (DeFi) platform Hyperliquid was discovered on the Google Play Store. The fraudulent app was designed to look and feel like the official platform to deceive users into downloading it.

What was the purpose of this fake app?

The app was identified as a "credential_stealer" malware. Its explicit goal was to steal users' most sensitive cryptocurrency information, including their wallet seed phrases and private keys, giving scammers full access to their funds.

Who discovered and exposed this fake app?

The fraudulent app was first flagged by the well-known blockchain investigator ZachXBT, who posted an alert on the social media platform X to warn the crypto community. A subsequent malware analysis confirmed its malicious nature.

What made this fake app particularly dangerous?

The app was sophisticated. It used defensive security features like obfuscation (to hide its malicious code) and SSL pinning (to prevent its network traffic from being easily analyzed). These techniques were designed to help it evade detection by both Google Play's security checks and security researchers.

How can users protect themselves from this type of scam?

The primary advice is to avoid downloading any mobile app claiming to be from Hyperliquid, as the platform is web-based. Users should always access DeFi platforms through their official websites and never enter their seed phrase or private keys into any unverified application. If a suspicious app is installed, it should be removed immediately.

The author, a seasoned journalist with no cryptocurrency holdings, presents this article for informational purposes only. It does not constitute investment advice or an endorsement of any cryptocurrency, security, or other financial instrument. Readers should conduct their own research and, if needed, consult a licensed financial professional before making any financial decisions.