HyperVault Founder Nick Olsson Internal Ledger Rug Pull

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 16:04, 10 October 2025 by Azoundria (talk | contribs) (Created page with "{{Imported Case Study With About|source=https://www.quadrigainitiative.com/casestudy/hypervaultfoundernickolssoninternalledgerrugpull.php}} {{Unattributed Sources}} thumb|HyperVault Logo/Captured Homepage<ref name="odailynews-21267" /><ref name="peckshieldalerttweet-21268" /><ref name="unknown-5676" /><ref name="hypingbulltweet-21269" /><ref name="hypervaultdevnick-21270" /><ref name="jishkk110118twitter-21271" /><ref name="matiasgladiatortwitter...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Notice: This page is a freshly imported case study from an original repository. While the original content had a similar format, some sections may not have been fully completed. Please help fill in any empty sections or any missing information you can find. If you are new here, please read General Tutorial on Wikis or Anatomy of a Case Study for help getting started.

Notice: This page contains sources which are not attributed to any text. The unattributed sources follow the initial description. Please assist by visiting each source, reviewing the content, and placing that reference next to any text it can be used to support. Feel free to add any information that you come across which isn't present already. Sources which don't contain any relevant information can be removed. Broken links can be replaced with versions from the Internet Archive. See General Tutorial on Wikis, Anatomy of a Case Study, and/or Citing Your Sources Guide for additional information. Thanks for your help!

HyperVault Logo/Captured Homepage

[1][2][3][4][5][6][7][8][9][10][11][12][13][14][15][16][17][18]

About HyperVault

"Introducing Hypervault V1! The most efficient yield aggregator on @HyperliquidX The gateway to yield on #HyperEVM Deposits are now open"


About Nick Olsson

Nick Olsson is reportedly the founder of HyperVault.

The Reality

User HypingBull posted on Twitter/X to warn the community on September 4th, multiple weeks prior to the eventual rug pull event. At this time, the team was claiming auditors were underway when auditors had not started performing any audits.

What Happened

The specific events of the loss and how it came about. What actually happened to cause the loss and some of the events leading up to it.

Key Event Timeline - HyperVault Founder Nick Olsson Internal Ledger Rug Pull
Date Event Description
September 4th, 2025 1:29:00 PM MDT HypingBull Audit Warning HypingBull posts a warning to the community. The HyperVault team claimed multiple audits underway with results in mid-September, however reaching out to one of the auditors they were unable to get any confirmation that there was an audit happening. The auditor had not heard of the project before.
September 25th, 2025 7:27:12 PM MDT Vault Contract Ownership Switch The ownership of the vault contract is switched in a transaction.
September 25th, 2025 8:34:00 PM MDT Initial Withdrawal Of HYPE The first withdrawal of HYPE tokens from the vault contract.
September 25th, 2025 8:47:00 PM MDT Final Withdrawal Of PUMP The final withdrawal is for PUMP tokens from the vault contract.
September 26th, 2025 12:43:00 AM MDT HypingBull Update Tweet HypingBull posts an update to notify that all social media related to HyperVault has now been removed.
September 26th, 2025 1:26:00 AM MDT PeckShield Tweet Posted PeckShield posts an alert tweet noting the withdrawal of $3.6m worth of cryptocurrency. PeckShield shares a screenshot of the HyperVault Twitter/X account having been deleted.
September 26th, 2025 1:32:00 AM MDT Odaily News Report Posted The incident is reported on ODaily News.
September 29th, 2025 7:12:00 PM MDT Naim/BrutalTrade Tracing Naim (BrutalTrade) traces funds from Circulate Money that went into TornadoCash in 3 deposits, and were then immediately withdrawn in 3 subsequent withdrawals.
September 30th, 2025 3:47:00 PM MDT Rekt News Published Report Rekt news publishes an article with a high level overview of the rug pull.

Technical Details

The HyperVault rug pull exploited a combination of technical obfuscation, deceptive marketing, and privileged contract design. Unlike standard DeFi protocols that use transparent ERC-4626 vaults with share tokens to represent user deposits, HyperVault operated using a hidden internal ledger system. This allowed vault balances and ownership to remain opaque, preventing users and explorers from tracking deposits easily. The contract included an onlyHV() function modifier granting elevated privileges under the guise of a safety mechanism. This effectively acted as a master key, enabling the team to redirect control of the vaults to their externally owned address (EOA) and initiate mass withdrawals without resistance or transparency.

The exploit unfolded on September 25, 2025, when the attackers used two main wallets to drain funds from nine vaults into a consolidation wallet. They had pre-funded five wallets with gas fees four days earlier, two of which were used in the actual theft. Approximately 1,126.72 ETH (≈$4.64M) was swapped into $HYPE, bridged from HyperEVM to Ethereum using deBridge, and then laundered via Tornado Cash through four different Ethereum addresses. This well-planned maneuver allowed the attackers to evade immediate detection while community members and forensic analysts like SpecterAnalyst retroactively pieced together the transaction flow. The addresses involved, their movement of funds, and even their bridge timing aligned precisely with the vault drain, confirming the deliberate nature of the rug pull.

Further technical evidence came from a draft audit delivered privately by Zenith Security two days before the rug. It revealed 42 vulnerabilities, six of which were high severity, but the HyperVault team never acknowledged these publicly. Instead, they used the announcement about the pending audit to bolster trust while ignoring the critical issues ultimately raised. After the rug, developers began deleting their GitHub repositories, severing online identities, and removing all social presence. Despite connections drawn across previous projects like ZinoFinance, PerfectSwap, and Zero-G Finance using similar tactics, the team vanished with the funds. Blockchain forensics have since traced the exploit trail in detail, but due to the use of Tornado Cash and anonymous developer infrastructure, recovery remains unlikely.

Total Amount Lost

Losses were reported by SlowMist at $3,610,000 USD. PeckShield originally estimated these losses at $3.6m or 752 ETH.

PeckShield broke down the losses as 36,883,470.75 UPUMP, 107,318.43 USDC, 1214.17 USOL, 11,588.61 kHYPE, 86.0063 UETH, 2.1657 UBTC, 439,863.77 USDT0, 10,702.60 USDe, and 37,060.02 WHYPE. This added up to a total of exactly $3.61m USD.

Rekt reports the loss total as $4.64m USD, while an article by Blockonomi reports a total of $6.3m USD, which reportedly came from HypingBull. It is unclear the discrepancy.

The total amount lost has been estimated at $3,610,000 USD.

Immediate Reactions

Within hours of draining $4.64 million from user vaults, the HyperVault team deleted social media accounts, shut down the Discord server, took their website offline, and removed documentation. The founder, Nick Olsen, who had previously appeared on video calls and used the handle "0xnyck," became unreachable. Several developers connected to the project scrubbed their GitHub accounts or deleted key repositories once identified publicly.

Prominent influencers like HYPEconomist endorsed HyperVault days before the rug, later claiming to be victims themselves. After the collapse, community sentiment turned sharply. Accusations flew, and influencers who promoted the project were labeled enablers or scammers. While some, like Hybra Finance, took responsibility and offered reimbursements to their users, the broader Hyperliquid community was left shaken, frustrated that red flags had been so visible and yet so widely ignored.

Independent investigators like BrutalTrade and security analysts from SpecterAnalyst launched deep-dive investigations. They traced wallet movements, uncovered GitHub and domain registration patterns, and linked HyperVault’s team to past scams like ZinoFinance and PerfectSwap. Their findings highlighted a network of serial scammers using the same playbook under different names. Even innocent parties, like the audit firm Kupia Security, were briefly swept up in the investigation due to incidental blockchain connections.

Ultimate Outcome

Over $4.64 million in user deposits was extracted from HyperVault’s vaults and funneled through a sophisticated laundering pipeline involving deBridge bridges and Tornado Cash, effectively eliminating any realistic path to recovery. More than 1,100 depositors were impacted, many of whom ignored early red flags or placed trust in influencer endorsements and fake audit claims. By the time forensic analysts publicly confirmed the exploit, the operation was already finalized: funds were scattered across anonymized wallets, social channels were deleted, and all digital traces of the team had vanished. Projects like Hybra Finance, which had integrated with HyperVault, issued public apologies and partial user reimbursements, but for the vast majority of victims, the damage was permanent.

The incident shook trust in HyperEVM and exposed recurring patterns of DeFi fraud. The HyperVault rug was not an isolated event, but part of a wider trend of serial scams involving the same team operating under different project names. Investigators linked HyperVault’s developers to earlier exploits in ZinoFinance, Zero-G Finance, and PerfectSwap — all run through similar infrastructure and registered anonymously via Njalla. The exploit prompted a wave of skepticism across the DeFi community, particularly around projects offering unusually high yields with opaque teams.

Total Amount Recovered

Users of Hybra Finance were entitled to a full recovery if they invested in the project after a tweet the project made, and were already users of the Hybra Finance project prior to the tweet.

All others remain awaiting any form of recovery still.

There do not appear to have been any funds recovered in this case.

Ongoing Developments

Analysts like SpecterAnalyst and BrutalTrade are still working to track down the identities of those responsible by following blockchain breadcrumbs and examining the connections between wallets, bridges, and other projects.

While no legal action has been confirmed, the investigations are ongoing. The tools, audit reports, and codebases have been archived by community sleuths for future reference. Many are calling for better vetting practices, more transparent audit processes, and stronger security protocols.

Individual Prevention Policies

No specific policies for individual prevention have yet been identified in this case.

For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.

Platform Prevention Policies

Policies for platforms to take to prevent this situation have not yet been selected in this case.

For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.

Regulatory Prevention Policies

No specific regulatory policies have yet been identified in this case.

For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.

References

  1. PeckShieldAlert: Hypervault Finance experienced abnormal withdrawals worth approximately $3.6 million - ODaily News (Accessed Oct 3, 2025)
  2. PeckShield - "#PeckShieldAlert #Rugpull? We have detected an abnormal withdrawal of ~$3.6M worth of cryptos from @hypervaultfi." - Twitter/X (Accessed Oct 3, 2025)
  3. [ ] (Accessed Jan 16, 2022)
  4. HypingBull - "My suspicions were right. Hypervault just deleted all the social media accounts. Twitter has gone, the Discord has gone too." - Twitter/X (Accessed Oct 3, 2025)
  5. Hypervault Dev Nick - OpenSea NFT Collection (Accessed Oct 3, 2025)
  6. @jishkk110118 Twitter (Accessed Oct 3, 2025)
  7. @matiasgladiator Twitter (Accessed Oct 3, 2025)
  8. Brutal Trade - "His GitHub profile is https://github.com/res-pan, and in a 2024 commit to Zero-G Finance he forgot to hide his email address" - Twitter/X (Accessed Oct 3, 2025)
  9. @0xdoola Twitter (Accessed Oct 3, 2025)
  10. @itscuatrohuesos Twitter (Accessed Oct 3, 2025)
  11. @MariaPierandrei Twitter (Accessed Oct 3, 2025)
  12. @theHYPEconomist Twitter (Accessed Oct 3, 2025)
  13. @ozcryptofficial Twitter (Accessed Oct 3, 2025)
  14. @0xthade Twitter (Accessed Oct 3, 2025)
  15. Zenith256 - "We will fully collaborate with the investigation. Based on DocuSign metadata, we have identified an IP address belonging to Nicholas Olsen and will be sharing it with authorities and affected parties. We will also be conducting a full forensic investigation to locate any other information that might be helpful." - Twitter/X (Accessed Oct 3, 2025)
  16. Hybra Finance - "We are shocked to learn that Hypervault has rugged. Here’s what happened and what we’re doing next" - Twitter/X (Accessed Oct 3, 2025)
  17. Rekt HQ - "95% APY, zero percent chance of getting your money back. HyperVault's $4.64M rug pulled every classic move - fake audit claims, anon devs with serial scammer histories, privileged contract backdoors. Ghosts left highways - community traced them all." - Twitter/X (Accessed Oct 3, 2025)
  18. HyperVault Rugged - Rekt (Accessed Oct 3, 2025)
Retrieved from "https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?title=HyperVault_Founder_Nick_Olsson_Internal_Ledger_Rug_Pull&oldid=6937"