Hyperliquid suffered its third market manipulation attack in 2025 when an anonymous trader burned $3 million to inflict $4.9 million in losses on the platform’s community-owned liquidity vault November 12.
The attack followed an identical pattern to previous incidents in March and July, raising questions about whether the fast-growing decentralized perpetuals exchange has addressed the underlying vulnerability that makes it a predictable target.
According to blockchain intelligence firm Arkham, the attacker withdrew $3 million in USDC from OKX exchange around 4:30 AM UTC, distributed it across 19 wallets, then opened over $26 million in leveraged long positions on POPCAT, a Solana-based meme coin.
The Playbook: Fake Demand, Real Damage
The attacker created a $20 million buy wall at $0.21, manufacturing the appearance of strong demand. POPCAT’s price climbed as retail traders entered long positions, believing in bullish momentum.
Within minutes, the buy wall vanished. POPCAT crashed 43% from $0.21 to $0.12, triggering $63 million in liquidations across the platform, including the attacker’s own $3 million collateral.
Hyperliquid’s Hyperliquidity Provider vault, which serves as a safety net for liquidations, absorbed the remaining $4.9 million in bad debt after collateral was exhausted. The attacker intentionally sacrificed their capital to push losses onto HLP liquidity providers.
“Someone torched 3M just to nuke liquidity and drag HLP into a 5M loss,” one market participant stated on X. “Classic manufactured demand illusion followed by a flush.”
Third Time Using Identical Attack Vector
This marks Hyperliquid’s third major manipulation event in 2025. The platform previously suffered similar attacks:
- March 2025: Manipulation centered on JELLYJELLY token
- July 2025: Attack involving TST token
- November 2025: POPCAT-triggered cascade
Community member VietnamPenguin noted on X that “the attack vector almost perfectly copies the JELLYJELLY case, the only difference is that POPCAT is more liquid.” The recurring pattern exposes a structural vulnerability across decentralized perpetuals platforms: high-leverage positions on illiquid tokens, combined with community-funded liquidation pools, create predictable manipulation targets.
Hyperliquid allows up to 50x leverage on certain markets. The attacker used approximately 5x leverage on POPCAT, but the token’s thin liquidity amplified the damage.
Platform Response and Market Impact
Hyperliquid temporarily suspended deposits and withdrawals on its Arbitrum bridge following the attack. An admin on the platform’s Discord confirmed the Arbitrum bridge was “temporarily paused” while other deposits and withdrawals remained functional.
The platform’s blockchain, matching engine, and smart contracts were not compromised. Hyperliquid framed the incident as market manipulation rather than a technical exploit.
Withdrawals resumed after approximately one hour. Hyperliquid has not issued an official statement directly addressing the POPCAT incident or announcing changes to prevent similar attacks.
The platform’s native HYPE token dropped from $37.77 to below $38 following the attack before recovering slightly to $38.09. Technical indicators show HYPE trading below its 200-day Exponential Moving Average at $39 and failing to surpass the 50 and 100-day EMAs around $43.
Growing Manipulation Trend
Price manipulation has emerged as a rapidly growing attack vector in cryptocurrency markets. Security firm CertiK tracked 51 price manipulation incidents causing $42 million in losses during 2025, with the POPCAT attack representing a recent peak.
DeFi analyst Hanzo suggested exchanges may need stricter leverage limits, real-time monitoring tools, or platform-specific restrictions to mitigate similar attacks. Speculation emerged on social media about potential involvement of competing platforms, with some users accusing Binance and its former CEO Changpeng Zhao.
Zhao denied involvement, stating “I have not used any other CEX for 8 years.”
Hyperliquid has become one of the breakout successes in decentralized perpetuals this cycle, regularly posting over $10 billion in daily trading volume. The platform’s rapid growth and market share dominance have made it a target for manipulation attempts.
Chain Street’s Take
Three attacks in nine months using identical methods suggests Hyperliquid either cannot or will not fix the core vulnerability. The math is straightforward: thin liquidity + high leverage + community-funded safety net = manipulatable.
What’s unclear is whether the platform’s design philosophy prevents structural fixes or whether addressing the issue would compromise the high-risk, high-reward model that attracts users. The temporary bridge pause showed Hyperliquid can intervene when necessary, undermining claims of pure decentralization.
Platform hasn’t announced concrete changes after three incidents, leaving liquidity providers exposed to repeat attacks. The question isn’t if another manipulation will happen; it’s when and which memecoin comes next.
