FT Flash Case: Hyperliquid EU Access (No KYC) to MiFID II Instruments!

Several independent FinTelegram tests in different EU jurisdictions confirm that EU residents can fund, swap, and trade Perps on Hyperliquid without KYC, geo‑blocking, or deposit limits. Funds were deposited from cold wallets (Ledger), ETH was swapped to USDC on the spot market, and Perps were opened using USDC—all anonymously.

Key findings (new evidence)

• EU onboarding with zero KYC: From different EU jurisdictions, testers connected wallets and used Hyperliquid’s interface without any identity checks, residency prompts, or geo‑blocks.
• Cold‑wallet funding: ETH was sent directly from Ledger (no MetaMask relay required) to a Hyperliquid deposit address; no onboarding or limits were encountered.
• Spot swap to USDC (sale of ETH): The deposited ETH → USDC conversion on Hyperliquid’s Spot market executed seamlessly, establishing USDC balances.
• Perps opened with USDC: With USDC as trading currency, perpetual futures (perps) were opened and managed without KYC.
• No deposit caps detected: Across both tests, no explicit deposit limits were shown or enforced.
• Interface behaviour unchanged: The prior flows we documented (wallet connect → ApproveAgent → accept terms) remain available to EU IPs.

Why this matters (compliance lens)

• Perps = derivatives. In the EU, perpetual futures are MiFID II financial instruments when provided to EU clients. If a venue admits EU residents to perps, investment‑services authorisations are ordinarily required (venue/market‑maker side).
• Anonymity escalates risk. Absence of KYC/appropriateness and EU gating is inconsistent with MiFID II norms (client protections, market integrity, AML/CFT expectations via the authorised channel).
• Spot doesn’t sanitize perps. Even if spot crypto‑to‑crypto sits within MiCA/CASP concepts, listing/access to perps for EU clients triggers the MiFID II perimeter for the provider.
• Pattern now replicated. Two EU jurisdictions (Italy & Austria) produced the same result—strengthening the factual basis.

What we observed on‑platform (concise)

1. Deposit: ETH from Ledger into Hyperliquid deposit flow (no KYC).
2. Spot: ETH sold for USDC on Hyperliquid Spot (trade executed).
3. Perps: USDC used to open Perps (order ticket live; trades placed).
4. Controls: No geo‑block, residency selection, KYC, or deposit caps encountered.

Editorial analysis (strong view)

Hyperliquid presents itself as a permissionless venue while functioning—de facto—for EU residents as a derivatives platform with no EU perimeter controls. In a post‑MiCA Europe increasingly aligning to MiFID II for derivatives, this posture looks less like innovation and more like a repeat of the “grow first, fix later” playbook we saw in earlier cycles. Scale doesn’t outrun jurisdiction.

Updated right‑to‑reply (for Hyperliquid)

1. Do you exclude EU/EEA/UK residents from Perps? If so, where are the effective controls (IP gating, residency attestation, KYC)?
2. On what basis do you allow anonymous deposits/trading (including Ledger‑funded flows) for users connecting from EU IPs?
3. Why does the Restricted Persons list in your Terms omit EU/EEA/UK while perps are available through your UI?
4. Do you rely on reverse solicitation for EU users? If so, what evidence do you maintain, and how do you prevent indirect solicitation via affiliates/influencers?
5. Have you engaged any EU NCA regarding your EU access posture for perpetual futures?

Evidence pack (on file)

• Several test runs: different EU jurisdictions, different IP addresses
• Flow artifacts: wallet connect prompts, ApproveAgent signature, deposit confirmations, spot ETH→USDC fills, Perps order tickets/executions
• Hashing & timestamps: screenshots/recordings with SHA‑256 hashes; environment details (IP geolocation, time, network)
• Terms snapshot: current Terms of Use (showing US/Ontario/sanctions only; no EU exclusion)

Risk signals for readers

• Regulatory: Potential exposure for unauthorised investment services if EU clients are admitted to perps.
• Operational: Possible sudden changes—account restrictions, position closure, or access blocks if/when enforcement tightens.
• Consumer: No MiFID II investor‑protection framework for these trades.

Next steps (FinTelegram)

• Send right‑to‑reply with a 72‑hour response window; publish reply verbatim or note no comment.
• Continue access monitoring from multiple EU ISPs; log any control changes (geo‑fencing/KYC prompts).
• Prepare a short comparative matrix (Hyperliquid vs. EU‑authorised venues): KYC, onboarding, derivatives permissions, market surveillance.