A $237,000 exploit and $500,000 in drained ether reveal the cost of mocking security

A forged message changed the admin of Hyperbridge’s Polkadot token contract on Ethereum, enabling an attacker to mint and sell 1 billion tokens and profit approximately $237,000. An additional 245 ether—worth over $500,000—was drained from the project’s TokenGateway contract and sent to Tornado Cash. The exploit followed less than two weeks after Hyperbridge published an April Fools’ joke claiming it had been hacked by the North Korean Lazarus Group for $37 million. The announcement linked to a Rickroll gif and a blog post titled “Why Hyperbridge Can’t Be Hacked.” Before the actual breach, a bounty hunter had shared evidence of critical vulnerabilities with the team and was told to “exploit them if you found them.” When a known exploiter address began testing the protocol, Hyperbridge’s “Web3 Philosopher” dismissed the attempts, saying, “hope you have a quantum computer bro.”