Hyperliquid Eligibility Airdrop Scam: how the fake checker drains your wallet

What the scam page looks like

The page at hyperliquid-eligibility.xyz opens with the Hyperliquid logo at top-left, a navigation bar matching the real hyperliquid.xyz layout, and a hero block that says "Check your airdrop eligibility." Below the hero there is a single Connect Wallet button. The visual fidelity is high enough that a user who has visited the real Hyperliquid site in the past will not immediately notice the difference. Brand fonts, colors, and even the small "Verified by Cloudflare" stamp are all copied.

The trick is in the URL. The real Hyperliquid lives on hyperliquid.xyz (note: not .xyz as a generic disposable TLD, but the company's actual root domain on the .xyz registry). The scam page uses hyperliquid-eligibility.xyz, which is a separate domain registered by an attacker. The hyphen between hyperliquid and eligibility is what tells you it is not the official site, but most users do not parse URLs that carefully when they are excited about a possible airdrop.

What happens when you click Connect Wallet

The button does not run an eligibility check. It runs a wallet-drainer flow. Depending on which wallet the user has installed, one of three things happens.

Phantom / Solflare (Solana): The wallet opens a transaction approval popup. The transaction is a SystemProgram.transfer or an SPL token transfer that sends the user's entire wallet balance to an attacker-controlled address. The transaction summary line in the wallet UI usually obscures the recipient. Users who click Approve without reading carefully lose every token in that wallet within one block.

MetaMask / Rabby (EVM): The wallet opens a signature request, not a transaction. The signature is a Permit2 batch approval with an unlimited spender and a far-future deadline. Signing it does not move funds immediately. Instead, it gives the attacker a permanent permission slip to drain any ERC-20 token in the wallet at any future moment. The attacker waits a few days for the user to forget, then executes the drain. By the time the user notices, the chain history shows a "Permit2.permitBatch" call from the user's own wallet, which makes recovery effectively impossible.

WalletConnect (any chain): The page triggers a WalletConnect session that pipes the malicious transaction or signature through to the user's mobile wallet. Mobile wallet UIs are often more compressed than desktop, which makes the malicious payload even harder to read at the moment of approval.

Why the .xyz TLD keeps fooling crypto users

The .xyz TLD has a split reputation in crypto. Legitimate projects use it heavily because it is cheap, available, and Web3-friendly. ENS uses .xyz. Many real crypto brands including Hyperliquid itself use .xyz. So users have been trained that .xyz is normal for crypto products. That trust is exactly what the attacker exploits. A .com phishing site is suspicious. A .xyz phishing site looks routine.

The same pattern repeats for .app, .io, .lol, .fun, and other TLDs that have become Web3-adjacent. The TLD itself is not the signal. The full domain string is. hyperliquid.xyz is the real site. hyperliquid-eligibility.xyz, hyperliquid-claim.xyz, hyperliquid-airdrop.xyz, checkhyperliquid.xyz, and a dozen other variants are scams. They are all separately registered domains, none of them owned by the Hyperliquid team.

How to verify a real Hyperliquid airdrop

The Hyperliquid team announces all airdrops through three channels, in this exact order of authority. First, the official Hyperliquid Twitter account @HyperliquidX. Second, the official Hyperliquid Discord. Third, the news section on the real hyperliquid.xyz root domain. Any URL not linked from one of these three sources should be assumed to be a scam, regardless of how official it looks.

The team has also stated publicly that Hyperliquid airdrops never require users to "connect to verify eligibility." Eligibility for Hyperliquid airdrops is determined by on-chain activity that the team can read directly. There is no eligibility checker that requires a wallet connection. Any page that requires connecting a wallet to "check eligibility" is a phishing page, no matter what branding it carries.

If you want to check your own eligibility, the safest method is to use a read-only block explorer like solscan.io or the official Hyperliquid stats page accessed directly from hyperliquid.xyz. Read-only access does not require signing transactions and cannot drain funds.

Three red flags users can verify in 10 seconds

• The domain has extra words around the brand name. hyperliquid.xyz is the real site. hyperliquid-eligibility.xyz, hyperliquid-claim.app, claim-hyperliquid.io, and hyperliquid-airdrop.com are all separately registered domains. The brand name with no extra words is the real one. Any extra word is a phishing indicator.
• The page requires connecting a wallet to "check eligibility." Real airdrop eligibility is determined by on-chain history that any explorer can read without your signature. If a page is asking you to connect to check, it is asking you to sign something, and the something is almost always a drainer transaction.
• The page is shared via DM, replied to under an influencer tweet, or sent in a Telegram group with a countdown timer. "You have 6 hours to claim." "Snapshot ends in 2 hours." Urgency is a phishing primitive. Real Hyperliquid airdrops do not have hour-level deadlines. They announce snapshots days in advance.

What to do if you already connected to hyperliquid-eligibility.xyz

If you clicked Connect Wallet but did not approve any transaction or signature, you are likely fine. The page itself cannot drain a wallet without a confirmation from your wallet UI. Disconnect the site from your wallet's connected-sites list and move on.

If you approved a transaction, the funds are gone. There is no recovery path for a signed Solana transfer or a signed EVM permit. The on-chain state is final. The only thing you can do at this point is rotate to a new wallet and assume the compromised wallet is forever drained.

If you signed a Permit2 batch approval but funds have not moved yet, the wallet is still vulnerable. Visit revoke.cash and revoke every Permit2 approval from your wallet. This costs a small gas fee and closes the permission window before the attacker can execute the drain. Detailed recovery steps are in our crypto wallet drained guide.

How SafeBrowz catches this pattern

The SafeBrowz extension blocks hyperliquid-eligibility.xyz and similar variants on three layers. The URL pattern check flags domains that contain a tracked crypto brand keyword combined with action words like "eligibility," "claim," "airdrop," "verify," and "recover." That is enough to mark the page as caution before the wallet ever connects.

If the page survives the URL check, the AI scan analyzes the on-page content for brand impersonation. Hyperliquid is in the SafeBrowz brand database of 500+ tracked crypto and finance brands. When the AI sees Hyperliquid branding on a domain that is not hyperliquid.xyz itself, it flags brand impersonation and pushes the verdict to danger.

For Premium users, the wallet-drainer JavaScript detection catches the specific drainer libraries used to build these pages. Inferno Drainer, Angel Drainer, Pink Drainer, MS Drainer, and Atomic Drainer each have signature patterns in their client-side code. SafeBrowz Premium recognizes those signatures and shows a full-screen warning before the page can render the Connect Wallet button.

The same detection is available as a public API at api.safebrowz.com/v1/detect, so wallet apps and AI agents can pre-check any airdrop URL before passing it to a user. The first request is gated by x402 payment on Solana or Base, 0.001 USDC per call. Enterprise Bearer keys are available on request for high-volume integrators.

What this scam tells us about 2026 crypto phishing

The hyperliquid-eligibility.xyz setup is part of a wider 2026 pattern where attackers attach generic action words to legitimate brand names. The brand-plus-action template scales because the attacker can register dozens of variants for every popular project. Hyperliquid is just one example. Pendle, EigenLayer, Symbiotic, Ethena, Eclipse, Monad, Berachain, MegaETH, and every other 2026 airdrop candidate has the same problem. As soon as the project is on the airdrop watch-list, attackers register brand-eligibility, brand-claim, brand-airdrop, and brand-rewards variants on every available TLD.

The defense at user level stays the same. The real airdrop has one URL. It is linked from the official team's verified social profile. Any other URL is a phishing setup, regardless of branding. The defense at extension level is what SafeBrowz does for free across Chrome, Firefox, and Edge: catch the brand-plus-action pattern before the wallet connects, and treat every airdrop URL as guilty until cross-verified against the project's official channels.

Block fake airdrop pages before you click

SafeBrowz is a free browser extension for Chrome, Firefox, and Edge that blocks fake airdrop pages, fake wallet flows, and known crypto drainer domains in real time. It tracks 500+ brands across 100+ languages. Premium adds wallet drainer JavaScript signature detection. The core protection is free forever.