Your shield against financial fraud

Scam-Or Project Flash Case: Hyperliquid’s EU Access (No KYC) to MiFID II-Scope Instruments

Summary:
Independent checks conducted by Scam-Or Project across multiple EU locations indicate that EU residents can fund accounts, perform spot swaps, and open perpetual futures (Perps) on Hyperliquid without identity verification, geo-blocking, or explicit deposit ceilings. Testers deposited from Ledger cold wallets, converted ETH → USDC on the spot market, and opened Perps using USDC—all without KYC prompts.

Key Findings (New Evidence)

  • EU onboarding without KYC:
    From several EU jurisdictions, wallets connected and the Hyperliquid UI remained fully usable with no identity checks, residency questions, or regional blocks.

  • Cold-wallet funding works end-to-end:
    ETH was transferred directly from Ledger to a Hyperliquid deposit address; no additional onboarding, relays, or soft caps appeared.

  • Spot swap to USDC executed:
    Deposited ETH was seamlessly converted to USDC on Hyperliquid’s Spot market, establishing a USDC balance.

  • Perps opened with USDC:
    With USDC as the trading currency, perpetual futures positions were opened and managed without KYC or gating procedures.

  • No visible deposit ceilings:
    Across repeated trials, no explicit deposit limits were displayed or enforced.

  • Interface behavior unchanged for EU IPs:
    The previously documented flow (wallet connect → ApproveAgent → accept terms) remained available from EU IP ranges.

Why This Matters (Compliance Lens)

  • Perps = derivatives:
    Within the EU, perpetual futures fall under MiFID II when provided to EU clients. If a venue lets EU residents access and trade perps, investment-services authorization is ordinarily required (exchange/market-maker side).

  • Anonymity heightens regulatory exposure:
    Operating without KYC/appropriateness checks and without EU gating runs counter to typical MiFID II safeguards (client protection, market integrity, and AML/CFT expectations channelled through authorized firms).

  • Spot ≠ clean room for perps:
    Even if spot crypto-to-crypto can align with MiCA/CASP concepts, enabling EU access to perpetuals pushes the activity into the MiFID II perimeter for the provider.

  • Replicated pattern across jurisdictions:
    Identical results in Italy and Austria strengthen the factual basis beyond a single-country anomaly.

On-Platform Observations (Concise)

  • Deposit: ETH sent from Ledger into Hyperliquid’s deposit flow (no KYC).

  • Spot: ETH → USDC conversion completed on Hyperliquid Spot.

  • Perps: USDC used to open and manage perpetual futures positions.

  • Controls: No geo-blocking, residency selection, KYC, or deposit caps were encountered.

Quick Control Matrix (What Testers Saw)

| Control Area | Expected Under EU Norms (MiFID II context) | Observed on Hyperliquid (EU IPs) |
| --- | --- | --- |
| IP/Geo-fencing for Perps | Regional gating or explicit exclusion | Not observed |
| KYC/Identity Verification | Mandatory before derivatives access | Not triggered |
| Appropriateness/Suitability | Assessment before enabling derivatives | Not observed |
| Deposit Limits | Communicated thresholds or triggers | None displayed |
| Residency Attestation | Required attestation for access | Not requested |

Editorial Analysis (Strong View)

Hyperliquid appears to operate as a permissionless interface that, in practice, admits EU residents to derivatives trading without EU-perimeter controls. In a post-MiCA environment—where derivatives = MiFID II—this stance resembles the familiar “scale first, formalize later” approach seen in prior cycles. Jurisdictional boundaries eventually catch up with growth curves.

Updated Right-to-Reply (Questions for Hyperliquid)

  1. Do you exclude EU/EEA/UK residents from Perps? If yes, where are the effective controls (IP gating, residency attestation, KYC)?

  2. On what basis do you allow anonymous deposits and trading (including Ledger-funded flows) from EU IPs?

  3. Why do your Terms list Restricted Persons (e.g., US/Ontario/sanctions) but omit EU/EEA/UK, while perps remain available in the UI?

  4. Do you rely on reverse solicitation for EU users? If so, what evidence do you keep and how do you prevent indirect solicitation via affiliates/influencers?

  5. Have you engaged any EU NCA regarding your EU access posture for perpetual futures?

Scam-Or Project will publish any response verbatim or note no comment.

Evidence Pack (On File, Timestamped)

  • How Hyperliquid addresses EU residents with crypto perps (Scam-Or Project explainer).

  • Multiple test runs: different EU jurisdictions, different IP ranges.

  • Flow artifacts: wallet-connect prompts, ApproveAgent signature, deposit confirmations, ETH→USDC spot fills, Perps order tickets/executions.

  • Hashing & timestamps: screenshots/recordings with SHA-256 hashes; environment details (IP geolocation, time, network).

  • Terms snapshot: current Terms of Use showing US/Ontario/sanctions restrictions; no EU exclusion observed.

Risk Signals for Readers

  • Regulatory: Potential unauthorized investment services risk if EU clients are admitted to perps.

  • Operational: Risk of sudden control changes (account restrictions, forced position closures, access blocks) if enforcement increases.

  • Consumer: Absence of the MiFID II investor-protection framework for these trades.

Next Steps (Scam-Or Project)

  • Transmit right-to-reply with a 72-hour response window; publish responses or note no comment.

  • Continue access monitoring via multiple EU ISPs; log any changes (geo-fencing/KYC prompts).

  • Prepare a comparative matrix (Hyperliquid vs. EU-authorized venues): KYC, onboarding, derivatives permissions, market surveillance.

  • Share information.
