Hyperliquid—a decentralized perpetual futures exchange built on Arbitrum—experienced a coordinated market manipulation attack targeting the Solana-based memecoin POPCAT.
The scheme involved spoofing a massive buy wall to artificially inflate demand, lure in leveraged traders, and then trigger a cascade of liquidations. This resulted in approximately $4.9 million in bad debt for Hyperliquid’s community-owned Hyperliquidity Provider (HLP) vault, which acts as a backstop for uncollateralized losses.
On November 14, 2025, blockchain analyst Specter published an on-chain investigation alleging that the attack was orchestrated by BTX Capital, a U.S.-based crypto investment firm founded in 2019, and its founder Vanessa Cao (@vc_btxcap).
Register for Tekedia Mini-MBA edition 19 (Feb 9 – May 2, 2026): big discounts for early bird.
Tekedia AI in Business Masterclass opens registrations.
Join Tekedia Capital Syndicate and co-invest in great global startups.
Register for Tekedia AI Lab: From Technical Design to Deployment (next edition begins Jan 24 2026).
BTX Capital describes itself as specializing in “liquid token strategies” to generate alpha, but Specter claims this masks manipulative tactics using the firm’s access to large capital pools.
Wallet Traces: 26 wallets involved in the POPCAT buy wall were funded via OKX and Bybit deposits. One key wallet was reused from an August 2025 TST manipulation and received funds from addresses tied to Cao’s public Ethereum wallet and BTX Capital’s official Polygon multisig.
Cross-Chain Flows: A Bybit deposit wallet received 50 million AKI tokens from a Polygon multisig controlled by 0xf97—a BTX-linked address funded directly by Cao. Ethereum and Polygon transfers explicitly bind the scheme to BTX.
The attacker sacrificed around $3–4 million in collateral on Hyperliquid but likely profited from opposing short positions on centralized exchanges (CEXes) like OKX or Bybit, where they held reverse exposure.
This marks the third major manipulation event targeting Hyperliquid’s HLP vault in 2025, following similar attacks on tokens like JELLYJELLY and ZEREBRO. The incident exposed vulnerabilities in low-liquidity, high-leverage markets on decentralized platforms, prompting Hyperliquid to temporarily pause Arbitrum bridge withdrawals and reduce leverage limits (e.g., BTC to 40x, ETH to 25x).
No protocol exploits were involved—smart contracts and the matching engine remained secure—but it highlighted risks from “degen warfare” tactics where actors burn capital to inflict asymmetric damage on liquidity providers.
The manipulation was executed with precision across multiple wallets, mimicking organic market activity. An attacker withdrew ~$3 million USDC from a CEX primarily OKX, splitting it across 19–26 coordinated wallets. These funds were bridged to Hyperliquid via Arbitrum.
Building the Trap: Using up to 10x leverage, the wallets opened long positions totaling $20–30 million in POPCAT perpetuals. A fake buy wall of ~$25 million was placed near the $0.21 price level around 16:00 UTC, creating an illusion of strong demand and pushing the price up ~30%.
The buy orders were abruptly canceled, causing POPCAT to crash ~43% to $0.12 in minutes. This thinned liquidity, sparking $63 million in total liquidations—including the attacker’s own positions.
Hyperliquid’s HLP vault absorbed the shortfall after collateral was exhausted, incurring $4.9 million in losses equivalent to ~3 months of prior profits. The vault temporarily held ~$25 million in devalued POPCAT before manual closure.
The attacker’s net loss on Hyperliquid (~$4M) was intentional, as the goal appears to be vault damage rather than direct profit. Analysts note this “kamikaze” style exploits thin order books in meme tokens, where high leverage amplifies cascades.
Link to BTX Capital and Vanessa Cao
Pattern Matching: Similar tactics fake buy walls, leveraged longs, rapid pulls appear in prior manipulations of TST, JELLYJELLY, HIFL, and ZEREBRO, all tracing to the same cluster of ~26 addresses.
BTX’s scale allows easy dominance of thin markets like Hyperliquid’s. Specter suggests the firm profits via CEX shorts while burning minimal collateral on-chain, calling it a “straightforward arbitrage” disguised as strategy.
Vanessa Cao, a former JRR Crypto co-founder and Sequoia China alum with an MBA from Tsinghua University, has not publicly responded. BTX Capital’s website emphasizes ethical trading, but the allegations imply these events are deliberate “strategies” to exploit DeFi vulnerabilities.
Community reactions on X range from calls for regulatory scrutiny to speculation of broader CEX involvement (e.g., Binance), though no concrete proof beyond on-chain data exists.
For Hyperliquid: The platform committed to refunding affected users and is exploring fixes like sliding leverage caps (e.g., smaller positions at 50x), withdrawal restrictions on high-risk trades, and higher liquidation penalties for large notionals. TVL dipped temporarily, but community support remains strong.
This underscores the need for real-time monitoring of CEX-to-DEX flows and liquidity safeguards. Perp DEXes like Hyperliquid innovate on speed and decentralization but remain susceptible to whale manipulation in illiquid assets.
POPCAT dropped ~25% post-attack from $0.21 to ~$0.15 as of November 14, contributing to broader crypto volatility amid macro pressures. Hyperliquid’s HYPE token fell ~4%. The crypto community is abuzz, with analysts like WuBlockchain amplifying Specter’s findings.
While on-chain data is compelling, definitive proof awaits further audits or legal action. This event reinforces that “decentralized” doesn’t mean immune—transparency via tools like wallet tracers is key to accountability.