Hybrid software-defined network (SDN) architectures are beneficial for a smooth transition and a less costly SDN deployment. However, the coexistence of legacy switches and SDN switches brings new challenges in deployment inconsistency management and security. Security is not well studied for hybrid SDN architectures. In this paper, we study topology poisoning attacks in hybrid SDN for the first time. We propose new attack vectors for link fabrication in hybrid SDN. The new attack is named "multi-hop link fabrication", in which an adversary successfully injects a fake multi-hop link (MHL) by exploiting the link discovery protocols. We present Hybrid-Shield, a link verification framework for hybrid SDN link discovery. Hybrid-Shield introduces a novel verification technique that includes: i) monitoring traffic generated by legacy switches and hosts at an MHL and ii) validating the existence of the legacy switches contained in an MHL. This paper presents a prototype implementation of Hybrid-Shield over a real SDN controller. The experimental evaluation is performed with the Mininet virtual network emulator. Our evaluation shows that Hybrid-Shield is capable of detecting MHL fabrication attacks in real time with high accuracy. Hybrid-Shield's performance evaluation shows that it is lightweight at the controller, as it causes little overhead and requires no additional functionality at the SDN controller for deployment.