Typosquatted PyPI Packages Used by Threat Actors to Steal Cryptocurrency from Bittensor Wallets
GitLab’s Vulnerability Research team has uncovered a highly sophisticated cryptocurrency theft campaign exploiting typosquatted Python packages on the Python Package Index (PyPI) to target the Bittensor decentralized AI network.
The operation, detected through GitLab’s automated package monitoring system, involved the deployment of malicious packages mimicking legitimate Bittensor components, specifically designed to siphon funds from developers and users during routine staking operations.
This supply chain attack leverages common developer errors in package installation, such as typographical mistakes in pip commands, to infiltrate systems and execute unauthorized transfers on the Bittensor blockchain.
Targets Bittensor Ecosystem
The campaign’s precision timing (all packages uploaded within a 25-minute window on August 6, 2025) suggests a coordinated effort by threat actors aiming to maximize impact before detection.
The affected packages include [email protected], [email protected], [email protected], [email protected], and [email protected], each crafted to resemble the authentic bittensor and bittensor-cli libraries, which are essential for interacting with Bittensor’s peer-to-peer AI training protocol.
By exploiting these naming similarities, attackers ensure that inadvertent installations lead to the compromise of high-value cryptocurrency wallets, highlighting the persistent vulnerabilities in open-source software ecosystems.
The technical sophistication of the attack lies in its manipulation of core functionality within the Bittensor CLI.
Specifically, the malicious packages alter the stake_extrinsic function in the bittensor_cli/src/commands/stake/add.py module, injecting code at line 275 that redirects staking operations into a full wallet drain.
Instead of performing a standard extrinsic call to lock tokens for network validation and reward earning, the hijacked function invokes a transfer_extrinsic with parameters set to transfer_all=True, prompt=False, and a hardcoded destination address of 5FjgkuPzAQHax3hXsSkNtue8E7moEYjTgrDDGxBvCzxc1nqR.
This results in the silent exfiltration of all available TAO tokens (the native cryptocurrency of Bittensor) without user prompts or confirmations, masquerading as legitimate blockchain activity.
The choice to target staking is strategically sound from a threat actor’s perspective: staking requires wallet unlocking and authentication, providing the necessary permissions for fund diversion, while users with substantial holdings are drawn to these operations for yield generation.
Moreover, the routine nature of staking in proof-of-stake-like networks fosters user complacency, delaying detection as balance discrepancies might be misattributed to transaction fees or temporary holds.
This attack vector not only exploits technical protocols but also psychological patterns in blockchain interactions, making it particularly insidious for experienced Bittensor participants who regularly stake to contribute to the network’s decentralized machine learning consensus.
Implications for Supply Chain Security
Blockchain forensics conducted by GitLab revealed a multi-layered money laundering scheme following the initial thefts.
Stolen funds are funneled to the primary wallet 5FjgkuPzAQHax3hXsSkNtue8E7moEYjTgrDDGxBvCzxc1nqR before being dispersed through intermediary addresses such as 5HpsyxZKvCvLEdLTkWRM4d7nHPnXcbm4ayAsJoaVVW2TLVP1, 5GiqMKy1kAXN6j9kCuog59VjoJXUL2GnVSsmCRyHkggvhqNC, 5ER5ojwWNF79k5wvsJhcgvWmHkhKfW5tCFzDpj1Wi4oUhPs6, and 5CquBemBzAXx9GtW94qeHgPya8dgvngYXZmYTWqnpea5nsiL, ultimately consolidating at 5D6BH6ai79EVN51orsf9LG3k1HXxoEhPaZGeKBT5oDwnd2Bu and cashing out via 5HDo9i9XynX44DFjeoabFqPF3XXmFCkJASC7FxWpbqv6D7QQ.
This obfuscation technique employs rapid, multi-hop transfers to evade tracing on the public ledger, a common tactic in cryptocurrency crime to anonymize illicit gains.
The typosquatting strategy further amplifies the threat, relying on subtle naming variations, such as omitted letters (e.g., bitensor for bittensor) or truncations (e.g., bittenso), coupled with version numbers mirroring legitimate releases, to exploit human error in development workflows.
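A pre-install guard against the naming variations described above, as an added example that is not part of the original article: it flags requirement names within a small edit distance of the legitimate bittensor and bittensor-cli names. The sample requirements, their version pins and the distance threshold of 2 are constructed assumptions.

```python
import re

PROTECTED = ("bittensor", "bittensor-cli")  # legitimate names given in the article


def normalize(name):
    """PEP 503 normalization: lowercase, runs of '-', '_', '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a, b):
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def requirement_name(line):
    """Extract the project name from a simple requirements.txt line, or None."""
    line = line.split("#", 1)[0].strip()
    m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)  # options like "-r" do not match
    return normalize(m.group(0)) if m else None


def flag_lookalikes(lines, max_distance=2):
    """Return (name, closest_protected_name, distance) for near-miss names."""
    hits = []
    for line in lines:
        name = requirement_name(line)
        if name is None or name in PROTECTED:
            continue  # exact matches are the real packages
        legit, dist = min(((p, edit_distance(name, p)) for p in PROTECTED),
                          key=lambda pair: pair[1])
        if dist <= max_distance:
            hits.append((name, legit, dist))
    return hits


# Constructed requirements file; bitensor and bittenso are the article's examples,
# and the version pins are placeholders.
SAMPLE = ["bittensor==1.0.0", "bitensor==1.0.0", "bittenso",
          "bittensor-cli>=1.0", "requests  # unrelated", "-r other.txt"]
```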
Looking forward, this incident underscores the critical need for enhanced supply chain defenses, including automated anomaly detection in package registries and blockchain transaction monitoring.
GitLab’s proactive identification exemplifies how continuous vulnerability research can mitigate such risks, fostering greater resilience across decentralized finance and AI ecosystems.
Indicators of Compromise
IOC | Description |
---|---|
pkg:pypi/[email protected] | Malicious PyPI package |
pkg:pypi/[email protected] | Malicious PyPI package |
pkg:pypi/[email protected] | Malicious PyPI package |
pkg:pypi/[email protected] | Malicious PyPI package |
pkg:pypi/[email protected] | Malicious PyPI package |
5FjgkuPzAQHax3hXsSkNtue8E7moEYjTgrDDGxBvCzxc1nqR | Bittensor (TAO) wallet address for receiving stolen funds |