QI Quadriga Initiative

Sep 2025 - HyperVault Founder Nick Olsson Internal Ledger Rug Pull - $3.61m (Global)

"Introducing Hypervault V1! The most efficient yield aggregator on @HyperliquidX The gateway to yield on #HyperEVM Deposits are now open"



User HypingBull posted on Twitter/X to warn the community on September 4th, multiple weeks prior to the eventual rug pull event. At this time, the team was claiming audits were underway when auditors had not started performing any audits.

The HyperVault rug pull exploited a combination of technical obfuscation, deceptive marketing, and privileged contract design. Unlike standard DeFi protocols that use transparent ERC-4626 vaults with share tokens to represent user deposits, HyperVault operated using a hidden internal ledger system. This allowed vault balances and ownership to remain opaque, preventing users and explorers from tracking deposits easily. The contract included an onlyHV() function modifier granting elevated privileges under the guise of a safety mechanism. This effectively acted as a master key, enabling the team to redirect control of the vaults to their externally owned address (EOA) and initiate mass withdrawals without resistance or transparency.
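A pre-deposit check for the design difference described above, as an added example (not code from HyperVault or from the investigators): it compares a contract ABI with the ERC-4626 and ERC-20 function surface and lists state-changing functions outside it for manual review. The sample ABI and its function names are constructed and hypothetical.

```python
import json

# Function signatures required by EIP-4626 (tokenized vault) and EIP-20 (its share token).
ERC4626 = set("""asset() totalAssets() convertToShares(uint256) convertToAssets(uint256)
maxDeposit(address) previewDeposit(uint256) deposit(uint256,address) maxMint(address)
previewMint(uint256) mint(uint256,address) maxWithdraw(address) previewWithdraw(uint256)
withdraw(uint256,address,address) maxRedeem(address) previewRedeem(uint256)
redeem(uint256,address,address)""".split())
ERC20 = set("""totalSupply() balanceOf(address) transfer(address,uint256)
allowance(address,address) approve(address,uint256)
transferFrom(address,address,uint256)""".split())
VAULT_EVENTS = {"Deposit", "Withdraw", "Transfer", "Approval"}


def signature(entry):
    """Render an ABI function entry as name(type,type)."""
    return f'{entry["name"]}({",".join(i["type"] for i in entry.get("inputs", []))})'


def review_vault_abi(abi_json):
    """Compare a contract ABI with the ERC-4626 surface and list what needs review."""
    abi = json.loads(abi_json)
    funcs = [e for e in abi if e.get("type") == "function"]
    present = {signature(e) for e in funcs}
    events = {e["name"] for e in abi if e.get("type") == "event"}
    missing = sorted((ERC4626 | ERC20) - present)
    # State-changing functions outside the standard surface: read their source for
    # access-control modifiers (an ABI does not show modifiers such as onlyHV).
    extra = sorted(signature(e) for e in funcs
                   if signature(e) not in ERC4626 | ERC20
                   and e.get("stateMutability") in ("nonpayable", "payable"))
    return {"share_token_vault": not missing and VAULT_EVENTS <= events,
            "missing_functions": missing,
            "missing_events": sorted(VAULT_EVENTS - events),
            "review_functions": extra}


def fn_entry(name, types, mutability):
    """Build a minimal ABI function entry (helper for the constructed sample)."""
    return {"type": "function", "name": name, "stateMutability": mutability,
            "inputs": [{"type": t} for t in types]}


# Constructed ABI of a hypothetical internal-ledger vault (not HyperVault's real ABI).
SAMPLE_ABI = json.dumps([
    fn_entry("deposit", ["uint256"], "nonpayable"),
    fn_entry("withdraw", ["uint256"], "nonpayable"),
    fn_entry("balances", ["address"], "view"),
    fn_entry("setController", ["address"], "nonpayable"),
    {"type": "event", "name": "Deposited", "inputs": []},
])

if __name__ == "__main__":
    print(json.dumps(review_vault_abi(SAMPLE_ABI), indent=2))
```

A clean result only shows that the standard interface is declared; what the functions do, and who may call them, still has to be read from verified source.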

The exploit unfolded on September 25, 2025, when the attackers used two main wallets to drain funds from nine vaults into a consolidation wallet. They had pre-funded five wallets with gas fees four days earlier, two of which were used in the actual theft. Approximately 1,126.72 ETH (≈$4.64M) was swapped into $HYPE, bridged from HyperEVM to Ethereum using deBridge, and then laundered via Tornado Cash through four different Ethereum addresses. This well-planned maneuver allowed the attackers to evade immediate detection while community members and forensic analysts like SpecterAnalyst retroactively pieced together the transaction flow. The addresses involved, their movement of funds, and even their bridge timing aligned precisely with the vault drain, confirming the deliberate nature of the rug pull.

Further technical evidence came from a draft audit delivered privately by Zenith Security two days before the rug. It revealed 42 vulnerabilities, six of which were high severity, but the HyperVault team never acknowledged these publicly. Instead, they used the announcement about the pending audit to bolster trust while ignoring the critical issues ultimately raised. After the rug, developers began deleting their GitHub repositories, severing online identities, and removing all social presence. Despite connections drawn across previous projects like ZinoFinance, PerfectSwap, and Zero-G Finance using similar tactics, the team vanished with the funds. Blockchain forensics have since traced the exploit trail in detail, but due to the use of Tornado Cash and anonymous developer infrastructure, recovery remains unlikely.

Losses were reported by SlowMist at $3,610,000 USD. PeckShield originally estimated these losses at $3.6m or 752 ETH.

PeckShield broke down the losses as 36,883,470.75 UPUMP, 107,318.43 USDC, 1214.17 USOL, 11,588.61 kHYPE, 86.0063 UETH, 2.1657 UBTC, 439,863.77 USDT0, 10,702.60 USDe, and 37,060.02 WHYPE. This added up to a total of exactly $3.61m USD.

Rekt reports the loss total as $4.64m USD, while an article by Blockonomi reports a total of $6.3m USD, which reportedly came from HypingBull. The reason for the discrepancy is unclear.

Within hours of draining $4.64 million from user vaults, the HyperVault team deleted social media accounts, shut down the Discord server, took their website offline, and removed documentation. The founder, Nick Olsen, who had previously appeared on video calls and used the handle "0xnyck," became unreachable. Several developers connected to the project scrubbed their GitHub accounts or deleted key repositories once identified publicly.

Prominent influencers like HYPEconomist endorsed HyperVault days before the rug, later claiming to be victims themselves. After the collapse, community sentiment turned sharply. Accusations flew, and influencers who promoted the project were labeled enablers or scammers. While some, like Hybra Finance, took responsibility and offered reimbursements to their users, the broader Hyperliquid community was left shaken, frustrated that red flags had been so visible and yet so widely ignored.

Independent investigators like BrutalTrade and security analysts from SpecterAnalyst launched deep-dive investigations. They traced wallet movements, uncovered GitHub and domain registration patterns, and linked HyperVault’s team to past scams like ZinoFinance and PerfectSwap. Their findings highlighted a network of serial scammers using the same playbook under different names. Even innocent parties, like the audit firm Kupia Security, were briefly swept up in the investigation due to incidental blockchain connections.

Over $4.64 million in user deposits was extracted from HyperVault’s vaults and funneled through a sophisticated laundering pipeline involving deBridge bridges and Tornado Cash, effectively eliminating any realistic path to recovery. More than 1,100 depositors were impacted, many of whom ignored early red flags or placed trust in influencer endorsements and fake audit claims. By the time forensic analysts publicly confirmed the exploit, the operation was already finalized: funds were scattered across anonymized wallets, social channels were deleted, and all digital traces of the team had vanished. Projects like Hybra Finance, which had integrated with HyperVault, issued public apologies and partial user reimbursements, but for the vast majority of victims, the damage was permanent.

The incident shook trust in HyperEVM and exposed recurring patterns of DeFi fraud. The HyperVault rug was not an isolated event, but part of a wider trend of serial scams involving the same team operating under different project names. Investigators linked HyperVault’s developers to earlier exploits in ZinoFinance, Zero-G Finance, and PerfectSwap — all run through similar infrastructure and registered anonymously via Njalla. The exploit prompted a wave of skepticism across the DeFi community, particularly around projects offering unusually high yields with opaque teams.

Users of Hybra Finance were entitled to a full recovery if they invested in the project after a tweet the project made, and were already users of the Hybra Finance project prior to the tweet.

All others are still awaiting any form of recovery.

Analysts like SpecterAnalyst and BrutalTrade are still working to track down the identities of those responsible by following blockchain breadcrumbs and examining the connections between wallets, bridges, and other projects.

While no legal action has been confirmed, the investigations are ongoing. The tools, audit reports, and codebases have been archived by community sleuths for future reference. Many are calling for better vetting practices, more transparent audit processes, and stronger security protocols.


Sources/Further Reading

PeckShieldAlert: Hypervault Finance experienced abnormal withdrawals worth approximately $3.6 million - ODaily News (Dec 31)
PeckShield - "#PeckShieldAlert #Rugpull? We have detected an abnormal withdrawal of ~$3.6M worth of cryptos from @hypervaultfi." - Twitter/X (Dec 31)
HypingBull - "My suspicions were right. Hypervault just deleted all the social media accounts. Twitter has gone, the Discord has gone too." - Twitter/X (Dec 31)
Hypervault Dev Nick - OpenSea NFT Collection (Dec 31)
@jishkk110118 Twitter (Dec 31)
@matiasgladiator Twitter (Dec 31)
Brutal Trade - "His GitHub profile is https://github.com/res-pan, and in a 2024 commit to Zero-G Finance he forgot to hide his email address" - Twitter/X (Dec 31)
@0xdoola Twitter (Dec 31)
@itscuatrohuesos Twitter (Dec 31)
@MariaPierandrei Twitter (Dec 31)
@theHYPEconomist Twitter (Dec 31)
@ozcryptofficial Twitter (Dec 31)
@0xthade Twitter (Dec 31)
Zenith256 - "We will fully collaborate with the investigation. Based on DocuSign metadata, we have identified an IP address belonging to Nicholas Olsen and will be sharing it with authorities and affected parties. We will also be conducting a full forensic investigation to locate any other information that might be helpful." - Twitter/X (Dec 31)
Hybra Finance - "We are shocked to learn that Hypervault has rugged. Here’s what happened and what we’re doing next" - Twitter/X (Dec 31)
Rekt HQ - "95% APY, zero percent chance of getting your money back. HyperVault's $4.64M rug pulled every classic move - fake audit claims, anon devs with serial scammer histories, privileged contract backdoors. Ghosts left highways - community traced them all." - Twitter/X (Dec 31)
HyperVault Rugged - Rekt (Dec 31)

