Trader on Hyperliquid Loses $21M After Private Key Breach
- Private key leak on Hyperliquid led to a $21M theft across Ethereum and Arbitrum wallets.
- The attackers timed the breach after a $16M HYPE position was closed and swapped.
- Incident follows other exploits on Hyperliquid-linked protocols like Hyperdrive.
A whale on the Hyperliquid network lost roughly $21 million in digital assets after their private wallet was compromised on October 10, according to on-chain data shared by blockchain security firm PeckShieldAlert.
The attack began shortly after the wallet closed a large position on the platform, and the funds were quickly moved across networks. The breach was centered on a personal key leak rather than a system failure at Hyperliquid.
Wallet Drained After Major Trade
The targeted wallet had just exited a $16 million long position on HYPE before liquidators struck. Minutes after the trade settled, the owner sold 100,000 HYPE tokens for $4.4 million in DAI. The attacker then accessed the compromised keys and drained the balance.
PeckShieldAlert reported losses of about 17.75 million DAI along with 3.11 million in Maple Protocol’s MSYRUPUSDP stablecoin. The hacker bridged the stolen funds to Ethereum, splitting them between separate addresses.
One wallet now holds around $6.91 million, while another holds close to $10 million. The intermediary Arbitrum address used during the transfer was emptied afterward. Reports also indicate that an additional $300,000 was taken from another wallet linked to the same user.
Notably, the attacker pulled $3.1 million from the Plasma Syrup Vault during the exploit. The MSYRUPUSDP tokens were moved to a new address but remain unmixed. The timing suggests the perpetrators monitored the whale’s activity before executing the breach.
Hyperliquid Operations Remain Unaffected
PeckShield stated that only the user’s private wallet was compromised. Hyperliquid itself is safe, and no other users have lost money. The platform doesn’t hold users’ funds, which keeps problems smaller. But showing wallet balances makes it easier for hackers to target someone. Hackers often use malware, fake security apps, or trick messages to steal money, not flaws in the platform itself.
Earlier fears about possible state-sponsored targeting of Hyperliquid resurfaced after the breach. Yet no link to prior rumors involving North Korean groups has been established. The focus remains on the private key leak, the method of access, and the attacker’s familiarity with the user’s trading habits.
Previous Attacks Within the Ecosystem
The loss comes shortly after a separate exploit on Hyperdrive, a lending protocol operating on Hyperliquid. In late September, attackers drained about $782,000 by triggering an insecure function in Hyperdrive’s router contract.
CertiK reported that two liquidity pools were affected before the protocol was paused. The Hyperdrive team later said it identified the root cause and was preparing compensation for impacted accounts.
The latest wallet breach adds to several incidents tied to decentralized platforms launched in late 2024. Analysts tracking these events say that whales have increasingly become prime targets, especially when their portfolios are visible on-chain. Hyperliquid’s setup makes it easier to analyze wallet movements, which can aid both observers and attackers.
Related: UK Eyes $6.7B Bitcoin Seizure in Historic Crypto Fraud Trial
Rising Value Fuels Attacks
The breach comes amid a wider surge in crypto theft. It is reported that North Korea-linked hackers have stolen more than $2 billion in digital assets in 2025 alone. The firm said cumulative thefts tied to that group now exceed $6 billion.
Losses this year are nearly triple those of 2024, with a growing share affecting high-net-worth individuals rather than exchanges. More and more people with a lot of crypto are being picked by hackers because they control their own wallets.
Since crypto prices have gone up, thieves are now going after regular people who may not have strong security. Some targets are also linked to big companies that hold large amounts of crypto.
Hyperliquid is also getting ready for another round of airdrops, and new projects on the network still plan to give rewards based on how much people trade. The compromised account may still qualify for allocations, which could be swept if attackers retain key access.
In addition, the incident shows the continued vulnerability of wallets even when protocols are secure. Attackers tracked the timing of trades, the availability of balances, and cross-chain routes to capture and distribute funds with precision.
