📈 Get daily crypto insights that make you smarter about your money

Bittensor Supply Chain Attack: How a Malicious PyPi Package Compromised $8 Million in TAO Tokens

By /
LinkedInMessengerRedditTelegramThreadsWhatsApp

The decentralized AI network Bittensor suffered a devastating security breach on July 2, 2024, resulting in the theft of approximately $8 million worth of TAO tokens from user wallets. The Opentensor Foundation (OTF), which oversees the Bittensor protocol, published a detailed post-mortem on July 3, revealing that the attack originated from a compromised Python package distributed through the PyPi Package Manager. As Bitcoin trades around $60,174 and the broader crypto market reels from Mt. Gox repayment fears, this incident underscores the persistent vulnerability of even the most innovative blockchain projects to supply chain attacks.

The Exploit Mechanics

The attack vector was both sophisticated and deceptively simple. A malicious version of the Bittensor package — specifically version 6.12.2 — was uploaded to PyPi, the official Python package repository. This tainted package masqueraded as a legitimate update while containing hidden code designed to intercept and exfiltrate unencrypted coldkey data. When users installed the compromised package and performed key operations, the decrypted private key bytecode was silently transmitted to a remote server controlled by the attacker.

The malicious package was available on PyPi from May 22 at 7:14 PM UTC through May 29 at 6:47 PM UTC — a window of approximately seven days. However, the actual theft began on July 2 at 7:06 PM UTC, suggesting the attacker waited to accumulate sufficient compromised keys before striking. Users who performed sensitive operations during this period — including staking, unstaking, wallet transfers, delegation, and subnet registration — were potentially affected.

Affected Systems

The breach specifically targeted users of Bittensor version 6.12.2 who executed operations involving the decryption of hotkeys or coldkeys. The affected commands included btcli stake add, btcli stake remove, btcli wallet transfer, btcli root delegate, btcli root undelegate, btcli root set take, and btcli subnet register. Critically, the OTF confirmed that the underlying Bittensor blockchain and Subtensor code remained uncompromised. Users who were merely delegating stake without performing these operations, using third-party applications, or whose funds remained stationary during the exposure window were not affected.

The attack timeline reveals a rapid response from the Opentensor Foundation. The anomalous transfer volume was detected at 7:25 PM UTC on July 2, just 19 minutes after the attack began. By 7:41 PM UTC, the OTF had placed chain validators behind a firewall and activated safe mode, halting all network transactions to prevent further theft.

The Mitigation Strategy

The OTF implemented a multi-layered response. The malicious 6.12.2 package was immediately removed from PyPi. A comprehensive code review of both Subtensor and Bittensor repositories was initiated to identify any remaining attack vectors. The foundation also engaged with cryptocurrency exchanges, providing attack details to help trace the stolen funds and potentially facilitate recovery.

For affected users, the foundation recommended creating entirely new wallets and transferring remaining funds once the network resumed normal operations. All users were advised to upgrade to the latest Bittensor version using the standard pip install command. The network was gradually brought back online after the code review confirmed no additional vulnerabilities.

Lessons Learned

This incident highlights a critical weakness in the blockchain ecosystem’s dependency on third-party package managers. PyPi, npm, and similar repositories have repeatedly been vectors for supply chain attacks, yet many blockchain projects rely on them for distributing essential software. The Bittensor breach demonstrates that even projects with strong on-chain security can be compromised through off-chain infrastructure.

The seven-day window between the malicious package upload and the actual exploitation also reveals a patient, methodical attacker who understood the value of accumulating compromised credentials before executing the theft. This patience made the attack harder to detect during the exposure period but ultimately created a distinctive transfer pattern that triggered the monitoring systems.

User Action Required

If you used Bittensor during late May 2024 and performed any wallet operations, consider your keys compromised regardless of whether funds have been moved. Generate new wallets, never reuse private keys after a suspected exposure, and always verify package integrity before installing blockchain software. The crypto industry lost over $1.7 billion to scams and hacks in 2023 alone — proactive security practices are not optional, they are essential for survival in this ecosystem.

Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research before making investment or security decisions.

🌱 FOR BUSINESSES BitcoinsNews.com
Reach 100K+ Crypto Readers
Sponsored content, press releases, banner ads, and newsletter placements. Put your brand in front of Bitcoin's most engaged audience.

12 thoughts on “Bittensor Supply Chain Attack: How a Malicious PyPi Package Compromised $8 Million in TAO Tokens”

  1. trashpanda42

    version 6.12.2 was the poisoned package. always pin your dependencies people, this could have been avoided

    Reply
    1. kernel_panic

      pinning dependencies saved my node. everyone auto-updating got wrecked. basic opsec would have prevented most of the losses here

      Reply
  2. Michele R.

    decrypted private key bytecode transmitted to a remote server… that is terrifying. how was this not caught in code review?

    Reply
    1. 0xMidas.eth

      unencrypted coldkey data in 2024 is wild. thats like leaving your seed phrase in a plaintext file on your desktop

      Reply
      1. tarpit

        the part that gets me is the package had 4 days up on PyPi before anyone detected it. how many devs installed in that window

        Reply
        1. pool_side_

          4 days is actually fast for detection. some malicious packages sit on npm for months before anyone notices. the whole package registry trust model is fragile

          Reply
    2. Sam W.

      code review on a PyPi package? most people pip install and move on. the trust model for package managers is the real vulnerability

      Reply
      1. Annika F.

        most teams dont have the resources for proper code review on every dependency. the industry needs automated scanning at the registry level, not individual vigilance

        Reply
  3. CryptoCarol

    The fact that this happened while everyone was distracted by Mt. Gox repayment news is not a coincidence. Attackers time these things.

    Reply
  4. yolo_cap

    8 million stolen from a supply chain attack on a top 50 project. the cost of a fake pypi upload was basically zero. asymmetric warfare at its finest

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

BTC$62,455.00-2.9%ETH$1,658.89-5.3%SOL$69.05-6.4%BNB$573.32-3.6%XRP$1.11-2.9%ADA$0.1536-4.8%DOGE$0.0793-5.5%DOT$0.9021-6.2%AVAX$6.23-1.3%LINK$7.59-5.3%UNI$2.87-5.1%ATOM$1.77-3.1%LTC$43.56-3.1%ARB$0.0784-8.8%NEAR$2.00-7.1%FIL$0.7561-6.3%SUI$0.7012-2.8%BTC$62,455.00-2.9%ETH$1,658.89-5.3%SOL$69.05-6.4%BNB$573.32-3.6%XRP$1.11-2.9%ADA$0.1536-4.8%DOGE$0.0793-5.5%DOT$0.9021-6.2%AVAX$6.23-1.3%LINK$7.59-5.3%UNI$2.87-5.1%ATOM$1.77-3.1%LTC$43.56-3.1%ARB$0.0784-8.8%NEAR$2.00-7.1%FIL$0.7561-6.3%SUI$0.7012-2.8%
Scroll to Top