Hyperbridge: They Said It Could Not Be Hacked. It Got Hacked.

Hyperbridge joked about being unhackable on April Fools Day. Twelve days later someone minted $1.19 billion in fake tokens on their bridge. The attacker walked away with $237,000. The jokes were deleted. Nobody has been caught.

Hyperbridge joked about being unhackable on April Fools Day 2026. Twelve days later an attacker minted 1 billion DOT tokens on Ethereum and walked away with $237K - limited only by thin pool liquidity

On April 1, 2026, Hyperbridge posted a fake hack.

Hyperbridge is a blockchain bridge. A bridge is software that lets you move cryptocurrency from one blockchain network to another - like moving money between banks that do not talk to each other. Bridges handle enormous sums and have historically been one of crypto's biggest security weak points. The Ronin Bridge lost $625 million in 2022. Wormhole lost $320 million the same year.

Hyperbridge claimed to be different. It used cryptographic proofs rather than trusted middlemen to verify transactions. The math does the checking, not a committee of humans who can be bribed, hacked, or socially engineered. That was the pitch.

On April 1, to celebrate this pitch, Hyperbridge posted a joke.

The announcement said the North Korean Lazarus Group had drained $37 million. A link led to a blog post that opened with a Rickroll GIF. The title read: "Why Hyperbridge Can't Be Hacked." The post blamed rogue AI agents, quantum computers, and fictional hackers. It joked that auditors had tried to warn the team but nobody was home because developers were eating KitKat bars to celebrate a promotion.

The community called it tasteless.

Hyperbridge's lead developer, who goes by "Web3 Philosopher" on X, responded by doubling down. He boasted about the protocol's incorruptible infrastructure and called the core community "true believers" who understood the protocol could never be compromised.

Days later, a known attacker address started probing Hyperbridge's contracts.

A developer spotted the probing in real time and posted a screenshot publicly. His response: "Lmao the uniBTC exploiter is testing Hyperbridge. I hope you have a quantum computer bro."

Someone replied: "Rule number one. Don't actively provoke attackers."

There was another warning nobody mentioned publicly until after. A bug bounty researcher had previously flagged critical vulnerabilities in the codebase. Bug bounty programs pay researchers to find security holes before attackers do. The response Hyperbridge reportedly gave: "exploit them if you found them."

On April 13, twelve days after the April Fools post, someone did.

The vulnerability was in the bridge's verification process. When you move tokens from one blockchain to another, the receiving chain needs proof that the tokens actually exist and were sent. Hyperbridge used a system called Merkle Mountain Range proofs to verify this. The flaw: old valid proofs could be recycled and attached to completely new requests. The system could not tell the difference between a legitimate new transfer and a forged message replaying old credentials. On top of that, the challenge period - the window of time the system has to detect and reject a suspicious transaction - was set to zero seconds. Zero. No time to catch anything.

The attacker exploited both failures simultaneously. They forged a cross-chain message, granted themselves administrator control of the token contract, and minted 1 billion bridged DOT tokens on Ethereum. DOT is Polkadot's cryptocurrency. 1 billion tokens at prevailing prices was worth approximately $1.19 billion on paper.

Then they tried to cash out.

They dumped the tokens into trading pools on Uniswap, a decentralized exchange. But the pools were too thin - there simply was not enough other money sitting in them to absorb a billion DOT being sold at once. The token price collapsed immediately. After selling everything available, the attacker walked away with 108.2 ETH. Approximately $237,000.

They had created $1.19 billion in tokens and extracted $237,000.

Hyperbridge immediately paused all operations. Polkadot confirmed that its core network and native DOT were completely unaffected - only the bridged version of DOT on Ethereum was compromised. Total losses across all pools came to approximately $2.5 million after full accounting. Some of the extracted ETH was deposited into Tornado Cash, a mixing service used to obscure the trail of stolen funds.

Some funds were traced to Binance. Law enforcement coordination was opened. As of the time of writing, no arrest has been made and no funds have been formally recovered.

The April Fools posts were deleted the same day the real hack happened.

The bug bounty researcher who flagged the critical vulnerabilities received no public acknowledgment after the exploit. The developer who said "I hope you have a quantum computer bro" has not commented further. Web3 Philosopher has gone quiet.

The attacker left with $2.5 million and a story that writes itself. They minted over a billion dollars and the only thing that saved Hyperbridge from total catastrophe was a pool that was not deep enough to let them out.

You cannot make this up. And someone actually tried.