Cryptocurrency users in the Bittensor ecosystem face a new wave of wallet-draining attacks after security researchers at GitLab uncovered a sophisticated supply chain campaign deployed through typosquatted Python packages on the Python Package Index (PyPI). The attack, launched on August 6, 2025, specifically targets staking operations and has raised alarm across the broader crypto community about the vulnerabilities inherent in open-source package distribution.
The Exploit Mechanics
The attackers published five malicious packages within a 25-minute window starting at 02:52 UTC on August 6. Each package mimicked legitimate Bittensor tools through common typosquatting techniques: bitensor (missing a “t”), bittenso-cli (truncated), and several other variants, all versioned at 9.9.4 or 9.9.5 to closely match the legitimate package releases.
Once installed, the malicious packages execute a modified version of the stake_extrinsic function found in bittensor_cli/src/commands/stake/add.py. At line 275, the attackers inserted code that silently diverts all funds to a hardcoded wallet address: 5FjgkuPzAQHax3hXsSkNtue8E7moEYjTgrDDGxBvCzxc1nqR. The malicious code sets transfer_all=True to drain the entire wallet balance, and uses prompt=False to bypass user confirmation dialogs entirely.
What makes this attack particularly devastating is its psychological layer. Users believe they are performing routine staking operations—locking tokens to support network operations and earn rewards. Instead, the hijacked function empties their wallets while the transaction appears to proceed normally on the blockchain.
Affected Systems
The attack specifically targets developers and users of the Bittensor decentralized AI network who install Python packages via pip. Bittensor operates a blockchain-based machine learning network where participants stake TAO tokens to validate and contribute to AI model training. With Bitcoin trading around $115,000 and the broader crypto market capitalization exceeding $3.5 trillion, the financial stakes for users holding substantial token balances are significant.
GitLab researchers traced the stolen funds through a multi-hop laundering network involving at least five intermediary wallets before consolidation at a final collection point. The sophistication of the laundering infrastructure suggests this is a well-organized operation, not an opportunistic attack.
The Mitigation Strategy
GitLab has reported all five malicious packages to PyPI for immediate takedown, and the Bittensor community has issued urgent advisories for users to verify their installed packages. Security professionals recommend the following immediate actions:
First, verify all installed Bittensor-related packages against the official package names: bittensor and bittensor-cli. Any package with a typo in the name should be removed immediately. Second, check transaction histories for unexpected transfers to unknown addresses. Third, regenerate wallet keys from a clean environment if there is any suspicion of compromise.
In the longer term, developers should verify package integrity using checksums and digital signatures. Tools such as pip-audit and safety can scan installed packages against known-vulnerability databases.
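The two checks the article describes, a name audit against the official package names and a scan for the indicators of the hijacked stake_extrinsic function (the hardcoded address, transfer_all=True combined with prompt=False), can be automated from the defender's side. The script below is an added example and is not GitLab's research tooling or Bittensor's own code. It assumes that the official names are bittensor and bittensor-cli, that the drain address is the one quoted above, and that the function names in the embedded sample source and the version 9.9.3 used for the hash-pinned line are illustrative stand-ins constructed for this example. Note that pip-audit and safety match against advisory databases, so a freshly published typosquat will not appear there until someone reports it; the name-distance check below catches it earlier, and a hash-locked requirements file installed with pip install --require-hashes prevents an unexpected artifact from being installed at all.

```python
"""Defender-side audit for the typosquat and drain-address indicators described
above. Added example; not GitLab's research tooling or Bittensor's own code.

Assumptions (constructed for this example): official package names are
'bittensor' and 'bittensor-cli'; DRAIN_ADDRESS is the address quoted in the
article; SAMPLE_* sources and the version used below are illustrative."""
import hashlib
import re
from importlib import metadata

OFFICIAL = {"bittensor", "bittensor-cli"}
DRAIN_ADDRESS = "5FjgkuPzAQHax3hXsSkNtue8E7moEYjTgrDDGxBvCzxc1nqR"
# Shape of a 48-character SS58 address with the leading '5' Bittensor addresses use.
SS58_RE = re.compile(r"\b5[1-9A-HJ-NP-Za-km-z]{47}\b")
TRANSFER_ALL_RE = re.compile(r"transfer_all\s*=\s*True")
NO_PROMPT_RE = re.compile(r"prompt\s*=\s*False")

# Constructed stand-ins for a tampered and an untampered stake command (not the real file).
SAMPLE_MALICIOUS = '''
async def stake_extrinsic(subtensor, wallet, amount, prompt=False):
    dest = "5FjgkuPzAQHax3hXsSkNtue8E7moEYjTgrDDGxBvCzxc1nqR"
    return await subtensor.transfer(wallet, dest, transfer_all=True, prompt=False)
'''
SAMPLE_BENIGN = '''
async def stake_extrinsic(subtensor, wallet, amount, prompt=True):
    if prompt and not confirm(f"Stake {amount} TAO?"):
        return False
    return await subtensor.add_stake(wallet, amount)
'''


def normalize(name: str) -> str:
    """PEP 503 normalisation: case-insensitive, runs of '-', '_' and '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a dropped letter such as 'bitensor' scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_of(name: str, max_distance: int = 2):
    """Return the official name this package imitates, or None if it is exact or unrelated."""
    n = normalize(name)
    if n in OFFICIAL:
        return None
    for official in OFFICIAL:
        if edit_distance(n, official) <= max_distance:
            return official
    return None


def audit_names(installed):
    """Map each suspicious installed name to the official package it resembles."""
    report = {}
    for name in installed:
        hit = typosquat_of(name)
        if hit:
            report[name] = hit
    return report


def scan_source(text: str):
    """Indicators from the write-up: the known drain address, a full-balance transfer
    with prompting disabled, and any other hardcoded SS58 literal."""
    findings = []
    if DRAIN_ADDRESS in text:
        findings.append("known drain address present")
    if TRANSFER_ALL_RE.search(text) and NO_PROMPT_RE.search(text):
        findings.append("transfer_all=True combined with prompt=False")
    for addr in sorted(set(SS58_RE.findall(text)) - {DRAIN_ADDRESS}):
        findings.append(f"hardcoded SS58 literal {addr}")
    return findings


def hash_pinned_requirement(name: str, version: str, artifact: bytes) -> str:
    """Lock-file line for `pip install --require-hashes`, from the downloaded artifact bytes."""
    return f"{name}=={version} --hash=sha256:{hashlib.sha256(artifact).hexdigest()}"


def audit_environment():
    """Run both checks against every distribution installed in this interpreter."""
    report = {}
    for dist in metadata.distributions():
        name = dist.metadata["Name"] or ""
        hit = typosquat_of(name)
        if hit:
            report.setdefault(name, []).append(f"name resembles official package {hit}")
        for path in dist.files or []:
            if path.suffix != ".py":
                continue
            try:
                text = path.locate().read_text(errors="ignore")
            except OSError:
                continue
            for finding in scan_source(text):
                report.setdefault(name, []).append(f"{path}: {finding}")
    return report


if __name__ == "__main__":
    for pkg, findings in audit_environment().items():
        print(pkg)
        for finding in findings:
            print("  -", finding)
```

Running the script prints one entry per installed distribution that either has a name within two edits of an official Bittensor package name or contains one of the source indicators; an empty report means neither check fired. The edit-distance threshold of two is deliberately tight so that unrelated short names are not flagged, and the SS58 check deliberately reports any hardcoded address literal, not only the one already known, since a future campaign would change the address but not the technique.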
Lessons Learned
This incident highlights the ongoing risks of supply chain attacks in the cryptocurrency ecosystem. Package registries like PyPI, npm, and RubyGems remain attractive targets for attackers because they serve as centralized distribution points trusted by millions of developers. The Bittensor attack demonstrates that targeting high-value staking operations—where users already expect to send large transactions—provides ideal cover for malicious activity.
The attack also underscores the importance of the “trust but verify” principle in open-source software. While the open-source model enables rapid innovation, it also requires vigilant community oversight and automated security scanning to detect tampering before it reaches end users.
User Action Required
If you have installed any Bittensor-related Python packages since August 5, 2025, take the following steps immediately: audit your installed packages, verify transaction history, move remaining funds to a fresh wallet, and report any losses to the Bittensor community and relevant law enforcement. The broader crypto community should treat this as a wake-up call to implement multi-layered verification for all package installations involving financial operations.
Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research and consult with security professionals before making decisions about cryptocurrency holdings.
The transfer_all=True with prompt=False in the hijacked stake_extrinsic function is brutal. Users thought they were staking and got drained with no confirmation dialog. Targeting staking ops specifically is a new level of sophistication.
transfer_all=True with prompt=False is malicious by design. no legitimate staking function silently drains everything without a confirmation step. this was built to steal
Smart contract audits have improved dramatically since 2022
Audits do not help when the malicious package is live on PyPI for 25 minutes with version 9.9.4. The typosquatting was subtle too. bitensor vs bittensor is easy to miss at 2 AM when updating dependencies.
bitensor vs bittensor. at 2AM during a deploy you would miss that 100%. typosquatting attacks prey on developer fatigue
2AM deploys with unpinned dependencies are how every supply chain attack succeeds. CI/CD should fail on unpinned packages automatically, no exceptions
Five malicious packages deployed in a 25-minute window starting at 02:52 UTC. Hardcoded wallet 5FjgkuPzAQ… received everything. Always pin your exact package versions, people. pip install -r requirements.txt with locked hashes only.
pinning versions with sha256 hashes is non-negotiable now. pip install --require-hashes should be the default, not the exception
line 275 in stake_extrinsic. one line of code drained every wallet that ran pip install. version pinning saves wallets
5 packages in 25 minutes, version bumped to 9.9.4 to match legitimate releases. the attacker understood the bittensor release cycle perfectly. inside knowledge or very thorough recon
the version number matching was the giveaway. 9.9.4 right after a legit 9.9.3 release. CI should flag that pattern automatically