Hypervault - Rugged

Ninety-five percent APY buys a lot of hopium - and even more exit liquidity.
HyperVault promised automated yield optimization across Hyperliquid's HyperEVM, delivering eye-watering returns through "modular strategy adapters" and "keeper-bot harvests."
Behind the buzzwords sat an internal ledger system with no share tokens, privileged admin functions disguised as safety features, and a team claiming audits from firms who'd never heard their name.
September 26th brought the inevitable: $4.64 million vanished through deBridge to Ethereum, then straight into Tornado Cash while depositors watched their vaults drain to zero.
Social accounts deleted, Discord nuked, founders ghosted - textbook exit choreography executed with the precision of a team who'd clearly practiced on previous projects.
When your yield aggregator aggregates user funds into a single wallet before disappearing, who's really getting optimized?

Ninety-five percent APY on a new DeFi protocol sounds ambitious.
Seventy-six percent on stablecoins sounds delusional.
Both together? That's the sound of a rug being rolled out.
HyperVault marketed itself as a non-custodial, auto-compounding yield aggregator on Hyperliquid's HyperEVM.
Behind the glossy docs sat something uglier: an internal accounting system with no ERC-4626 shares, privileged contract functions hidden behind modifiers, and audit claims from firms who'd never heard of them.
September 4th brought the first warning.
By September 25th, the inevitable arrived.
Between those dates, 1,100 depositors ignored every red flag waving in their faces - fake audit claims, anonymous team members, yields that defied market gravity.
Nick Olsen from Sweden played founder while a network of developers with curious GitHub histories built the infrastructure.
They'd done this before under different names: ZinoFinance, Zero-G Finance, PerfectSwap.
Same playbook, different wrapper.
Two main exploitation addresses drained funds from 9 vaults into a consolidation wallet.
Funds bridged to Ethereum through deBridge. Swapped to ETH. Then disappeared into Tornado Cash while social accounts vanished and websites went dark.
By the time security firms flagged the movement, the operation was complete.
Recovery odds for the victims? Zero.
Odds the same team runs this script again under a new name?
The Canary in the Coal Mine
Trouble was spotted on September 4th, 2025.
HypingBull, a Hyperliquid community member, posted a warning that should have emptied every vault: "MAX REPOST: HYPERVAULT PROJECT IS DOING SHADY STUFF."
The protocol claimed audits were "pending via Spearbit, Pashov, and Code4rena" with an expected turnaround mid-September.
Standard legitimacy theater - drop some respected names, promise transparency, buy time while deposits pile up.
HypingBull went straight to Pashov on Telegram to confirm if HyperVault was really being audited. The reply was blunt: "First time I hear the project with this name."
Code4rena's website showed no pending audits for HyperVault. Nothing in the queue, nothing in progress, nothing planned. Complete fabrication.
TVL at the time: $700,000.
HypingBull withdrew everything and told others to do the same.
Most didn't listen.
Since that callout, HyperVault's claimed TVL had grown to $5.8 million - likely inflated, but real money nonetheless.
DefiLlama showed $4.97 million on September 24th, then zero the next day.
September 23rd brought another voice into the mix.
HYPEconomist, a prominent Hyperliquid community influencer, tweeted about HyperVault with an endorsement: "cooking! use the money and put it into a hypervault."
Three days before the rug.
After the collapse, community members were less forgiving.
One post summed it up: "HYPEconomist is a shill for Hypervault that just rugged its users. Beware of scammers like this in the HL community."
HYPEconomist's response: "they rugged me too."
Whether victim or enabler, the endorsement three days before the exit didn't age well.
But even HYPEconomist's endorsement wasn't the most damning part of this story.
Someone actually did audit HyperVault.
How does a legitimate security audit end up as camouflage for a rug pull?
The Audit Gaslight
September 14th - HyperVault announced on X they were starting an audit with Zenith.
Note the language: starting. Not completing, not publishing, not implementing fixes. Starting.
Zenith actually showed up and did the work.
Their draft audit, delivered privately on September 24th, found 42 total vulnerabilities. Six rated High severity. Ten rated Medium.
This is the kind of stuff that would make any team hit panic mode - if they actually cared.
Zenith's recommendation was unambiguous: full re-audit required after fixes.
HyperVault's response? Acknowledgment in private. Silence in public. Then two days later, they executed the rug.
The draft audit never saw daylight.
No public disclosure, no transparency about the severity of issues found, no indication that depositors were trusting their funds to a protocol riddled with critical vulnerabilities.
Zenith had done their job. Found the problems. Warned the team. Recommended remediation.
None of it mattered because the team had no intention of fixing anything.
They weren't building a sustainable protocol. They were running out the clock.
Post-collapse, Zenith confirmed they'd be cooperating fully with investigators.
DocuSign metadata from the audit engagement contained an IP address - one belonging to Nicholas Olsen, the supposed founder who'd later vanish along with the funds.
Meanwhile, Hybra Finance found themselves caught in the blast radius.
They'd integrated with HyperVault, even quote-retweeted an announcement after seeing Zenith's name attached.
That retweet was based on Zenith announcing the audit was starting - not that it had passed, not that issues were resolved, just that an audit process had begun.
After the rug, Hybra issued a mea culpa: "We clearly did not do enough DD."
They offered full reimbursement to users who'd interacted with HyperVault after September 25, 3PM UTC - the timestamp when Hybra amplified their post - and who had prior on-chain interaction with Hybra.
A small goodwill allocation would go to all HyperVault victims at Hybra's launch.
Damage control from a project that learned an expensive lesson about vetting their integrations.
But even with warnings from community members, a draft audit showing critical flaws, and yields that defied basic mathematics, deposits kept flowing in.
What does it take for pattern recognition to override greed?
The Technical Extraction
HyperVault's architecture wasn't sophisticated - it was deliberately opaque.
Many DeFi protocols use ERC-4626 vault standards. Share tokens represent your deposit. You can see them in your wallet, track them on explorers, verify your ownership on-chain.
Transparent, auditable, simple.
HyperVault chose a different path.
Internal ledger system. Global accrual index. No share tokens cluttering up your wallet or leaving traces on block explorers.
Everything tracked inside the contract's internal state.
On paper, it is "gas-efficient" and "math neat."
Reality? Perfect camouflage for a rug.
Without share tokens, casual observers couldn't easily audit who owned what.
The protocol kept all state internally, behind contract code. Shifts in vault balances happened invisibly until someone bothered to query the contract directly.
Hidden among the standard functions sat the real payload: privileged admin access wrapped in an onlyHV() modifier.
It looked like a safety feature, but acted like a master key.
September 25th, they pulled the trigger.
The owner set the staking contract to their own EOA. Then initiated mass withdrawals from all 9 vaults.
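The two on-chain signals described above, a privileged pointer re-aimed at an address with no bytecode and vault assets falling below what the internal ledger owes, can be checked mechanically. The following Python monitor is an added example, not code from HyperVault or the investigators; the event kinds, the `stakingContract` slot name, the addresses and the amounts are constructed, and `CODE_SIZE` stands in for an `eth_getCode` lookup.

```python
from dataclasses import dataclass

# Constructed sample data: addresses, slot names and amounts are invented for
# illustration and are not taken from the HyperVault contracts.
CODE_SIZE = {              # stand-in for len(eth_getCode(addr)) per address
    "0xSTAKING_V1": 4812,  # deployed contract
    "0xOWNER_EOA": 0,      # externally owned account: no bytecode
}

@dataclass
class Event:
    block: int
    kind: str              # "admin_set", "ledger_total" or "asset_balance"
    value: object

# Constructed timeline: normal operation, then a privileged re-point and drain.
EVENTS = [
    Event(100, "ledger_total", 1_000_000),
    Event(100, "asset_balance", 1_000_000),
    Event(205, "admin_set", ("stakingContract", "0xOWNER_EOA")),
    Event(206, "asset_balance", 0),
]

def find_alerts(events, code_size, tolerance=0.01):
    """Return (block, rule, detail) tuples for the two conditions worth paging on."""
    alerts, ledger_total = [], None
    for ev in sorted(events, key=lambda e: e.block):
        if ev.kind == "admin_set":
            slot, new_addr = ev.value
            # Rule 1: a privileged pointer now targets an address with no code.
            # Unknown addresses default to 0 so the check fails closed.
            if code_size.get(new_addr, 0) == 0:
                alerts.append((ev.block, "privileged-pointer-to-eoa",
                               f"{slot} -> {new_addr}"))
        elif ev.kind == "ledger_total":
            ledger_total = ev.value
        elif ev.kind == "asset_balance" and ledger_total is not None:
            # Rule 2: with no share token, solvency has to be checked as
            # assets held >= sum of internal ledger balances.
            if ev.value < ledger_total * (1 - tolerance):
                alerts.append((ev.block, "assets-below-ledger",
                               f"{ev.value} < {ledger_total}"))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(EVENTS, CODE_SIZE):
        print(alert)
```

In a live deployment the ledger total would have to be read from the contract's own storage or view functions, which is exactly the extra step the missing share token imposes on outside observers.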
Four days before the rug, the HyperVault developer funded five addresses from Hypercore to HyperEVM via spotSend to cover gas fees in $HYPE.
Of those five addresses, only two were used for the extraction:
Primary exploitation address: 0x79957ce3c826030d642b9ba6f60b896b61588af8
Secondary exploitation address: 0x8d851eb3995ef0e2e7a3581316b4899b414c9bcf
Funder wallet: 0x49c083a19a25734b0c66bcc0d16333a36c3a7bf0
From there, the laundering operation moved with practiced efficiency.
Swapped various tokens into HYPE.
Bridged to Ethereum via deBridge in batch after batch.
Primary address bridging (906.88 ETH - $3.73M): 0x79957ce3c826030d642b9ba6f60b896b61588af8
Secondary address bridging (219.85 ETH - $905K): 0x8d851eb3995ef0e2e7a3581316b4899b414c9bcf
Total bridged to Ethereum: 1,126.72 ETH ($4.64 million)
The funds split across four landing wallets on Ethereum:
147.93 ETH: 0x56e90397133aea9b9a087c3c93467875ed4a2be7
127.35 ETH: 0xd74ea73957a4eac6a9636221421a3a69b4714eee
631.59 ETH: 0xee882b9ada0895376fd90a2b6a80d6d7f7f06396
219.85 ETH: 0x7901922af07526a66b63c479565f44e81889f4e2
Over the next 3-4 days, most of the 1,126 ETH disappeared into Tornado Cash across multiple deposit transactions from these four wallets. Only gas fee dust remains in the landing addresses.
SpecterAnalyst's forensic analysis revealed the exploitation addresses.
Following those breadcrumbs through the deBridge transactions confirmed the full scope: $4.64 million with complete on-chain proof.
Pretty close to the $4.97 million TVL reported on DefiLlama before the rug.
SpecterAnalyst traced the Tornado Cash withdrawals to their new destinations:
Labeled as Multisig:
0x4A47D00F97deDf7D8890ECb248823f3DA842B0D8
Other Wallets Involved:
0x25A8C73c0541A3876bc2236a0b20C179872f4410
0x8E24c9d098e63fcDBdbC1fF9cAF7b684aA98285B
0x8ceF0B6b63ca3Dd56393Ad1bBACD8F05384F47D0
0x0aDa87Cb5df3B579812bf5FcE36a2603b193ab30
0x92747063F7E1CA985D99cBD4418Cc23f3b8d4c7B
0x1235058627620b5e3eDAe9A2241A457169c8DFe5
By the time anyone realized what was happening, the operation was already complete.
Social accounts deleted. Discord server gone. Website offline. Documentation vanished.
Recovery through legal channels? Tornado Cash makes that a fantasy.
Recovery through negotiation? Can't negotiate with ghosts.
For a team that supposedly spent months building "modular strategy adapters," they sure executed the exit with surgical precision.
Makes you wonder - what were they really building all along?
Meet the Architects
Say hello to Nick Olsen from Sweden.
That's the face HyperVault put forward. His Twitter handle, 0xNyck, somehow still exists despite the FUD.
Discord username "0xnyck | hypervault.fi" - joined the server only in September 2025 despite claiming months of development since late July.
Email used for business development: rizwan.bizdev@gmail.com.
Multiple community members, including HYPEconomist, confirmed having video calls with Olsen before depositing funds.
Doxxed calls, face on camera, the whole trust-building routine.
Then he vanished with $4.64 million.
Behind Olsen sat a network of developers whose GitHub activity told a more interesting story.
BrutalTrade revealed their identities - or at least the email addresses they were careless enough to leave exposed:
jamestarlancer - carlhamilton0503@gmail.com
gurujustin - kkh0102www@outlook.com
res-pan - butcherfinance@gmail.com
hypervim - jansuu62@gmail.com
perfect-swap - ropstvanka@gmail.com
pandorabok - borkovicbiljana9@gmail.com
nickbit0 - nick@bitnue.com
chaincoderpro - chaincoderpro@gmail.com
When confronted on Telegram after the collapse, their response was telling - they started deleting repositories and accounts instead of explaining anything.
Jamestarlancer nuked his entire GitHub within minutes of being called out. Gurujustin removed the zerog-ui repository, then deleted his account entirely.
Guilty people don't typically scramble to destroy evidence unless they know what's coming.
But HyperVault wasn't their first rodeo.
BrutalTrade connected the dots across multiple projects: Zero-G Finance, PerfectSwap, and NodeSynapse.
All registered through Njalla - an anonymous domain registrar popular with people who have something to hide.
hypervault.finance
zino.finance
zerog.finance
perfectswap.io
seadrome.finance
Same registrar. Maybe the same team. In the end, the same outcome.
Smart move - if any of these developers used their project emails for GitHub, Twitter, Discord, or other platforms, those password reset links could lead somewhere interesting.
BrutalTrade didn't just trace funds - he traced patterns.
He found wallet connections spanning multiple projects, and also discovered a Binance deposit address that had received funds from addresses controlled by the scammers.
Binance Deposit Address on Arkham:
0xb51d4e01f8fd81db35fca780c32369ba94ba72b5
September 28th, BrutalTrade sent an ultimatum directly to addresses associated with the team: return the funds, keep 10% as a bounty, and all legal action stops. Twenty-four hours to respond.
They didn't.
The message went to five specific addresses tied to the operation, and to one of the wallets they'd used while developing ZinoFinance - just to make sure they knew this wasn't a bluff.
BrutalTrade's parting message: "We git cloned everything ;)"
Every repository, every commit, every piece of code these developers touched - archived before they could delete it.
Digital breadcrumbs that might not recover the funds, but could help identify the people behind the keyboards.
The hunt continues - BrutalTrade opened a Telegram channel for the community to coordinate ongoing tracking efforts.
Serial scammers leave patterns. This team left highways.
How many more project names are they workshopping right now?
Collateral Damage
BrutalTrade's investigation didn't just trace the scammers - it caught innocent bystanders in the net.
Kupia Security, a legitimate audit firm, found themselves flagged when blockchain analysis revealed their wallet (kupia.eth) had sent $25 to the same Binance deposit address used by the HyperVault scammers.
BrutalTrade posted the connection publicly.
But BrutalTrade wasn’t done and found more connections through helloalan.eth - an address that had sent $1,800 and $2,500 to Kupia, then separately sent $120 to that same scammer Binance address.
Another wallet linked to Kupia's operations (auditsea9 on GitHub) appeared in the transaction web.
Kupia responded fast: That $25 transaction happened March 22, 2024 - 553 days before the rug. They'd tried buying an ENS domain or VPS from what turned out to be a sketchy vendor.
They sent the money, but never received the service.
Just another cautionary tale about crypto transactions.
Blockchain analysis connects wallets, but not the intent.
A vendor running a scam operation can take payments from dozens of legitimate businesses.
Those businesses aren't accomplices - they're victims too.
BrutalTrade clarified: "The goal is precisely to connect the dots, not to say that you are implicated, far from it, but to say that at some point you had a relationship with that person."
Fair enough. Every thread needs pulling when you're hunting ghosts.
Kupia threatened legal action if the accusations continued.
BrutalTrade backed off the direct implications but kept the wallet connections documented.
Either way, it illustrated the messy reality of on-chain detective work.
Sometimes innocent parties get caught in the crossfire when investigators follow every lead.
When the blockchain shows connections but can't prove intent, how do you separate accomplices from collateral damage?

Ninety-five percent APY never meant high returns - it meant high-speed extraction.
HyperVault spent weeks building legitimacy: fake audit claims, video calls with depositors, integration partnerships, social media presence.
It was all theater.
The internal ledger system, the privileged admin functions, the anonymous dev team with serial scammer histories - the infrastructure was always designed for one purpose.
September 26th just marked execution day.
Nick Olsen and his network of GitHub ghosts are gone, $4.64 million lighter in other people's pockets, already workshopping their next project name while 1,100 victims learn an expensive lesson about pattern recognition.
Maybe somewhere in Sweden or behind a VPN, the architects are counting their ETH.
When the same team runs the same scam under different names and it keeps working, who's really getting rugged - the depositors or the entire concept of due diligence?
