Author: Joker&Thinking
In early July 2025, the SlowMist security team received a request for help from a victim user, requesting assistance in analyzing the reasons for the theft of his encrypted assets. The investigation found that the incident originated from the user's use of an open source project zldp2002/solana-pumpfun-bot hosted on GitHub, which in turn triggered a covert theft of coins. For details, seeGitHub's popular Solana tool contains hidden coin theft traps.
Recently, another user used a similar open source project - audiofilter/pumpfun-pumpswap-sniper-copy-trading-bot, which led to the theft of encrypted assets and contacted the SlowMist security team. In response, the team further analyzed the attack method.
We first use static analysis to find the traps set by the attacker. After analysis, it was found that the suspicious code was located in the /src/common/config.rs configuration file, mainly concentrated in the create_coingecko_proxy() method: From the code, it can be seen that the create_coingecko_proxy() method first calls import_wallet(), which further calls import_env_var() to obtain the private key.
In the import_env_var() method, it is mainly used to obtain the environment variable configuration information in the .env file.
During the call, if the environment variable exists, it returns directly; if it does not exist, it enters the Err(e) branch and prints the error message. Due to the existence of a loop {} loop without an exit condition, resources will continue to be consumed.
PRIVATE_KEY(private key) and other sensitive information are also stored in the .envfile.
Back to the import_wallet() method, when import_env_var() is called to obtain the PRIVATE_KEY (private key), the malicious code will determine the length of the private key:
If
the length of the private key is less than 85, the malicious program will print an error message, and due to the existence of a loop {} loop without an exit condition, resources will continue to be consumed, and the malicious program will not be able to exit normally;If the private key length is greater than 85, the Solana SDK is used to convert the Base58 string into a Keypair object, which contains the private key information.
Then, the malicious code uses Arc to encapsulate the private key information to support multi-threaded sharing.
Back to the create_coingecko_proxy() method, after successfully obtaining the private key information, the malicious code then decodes the malicious URL address.
The method first obtains the hard-coded constant of the encoded HELIUS_PROXY (attacker's server address).
Then, the malicious code decodes HELIUS_PROXY (attacker's server address) using bs58, converts the decoded result into a byte array, and further converts the byte array into a UTF-8 string through from_utf8().
By writing a script, the real address of HELIUS_PROXY after decoding can be restored as follows:
After successfully decoding the URL (http://103.35.189.28:5000/api/wallets), the malicious code first creates an HTTP client and converts the obtained private key information payer into a Base58 string using to_base58_string().
Then, the malicious code constructs a JSON request body and encapsulates the converted private key information in it, and sends the private key and other data to the server pointed to by the above URL by constructing a POST request, while ignoring the response result.
No matter what result the server returns, the malicious code will continue to run to avoid user awareness.
In addition, the create_coingecko_proxy() method also contains normal functions such as obtaining prices to cover up its malicious behavior; the name of the method itself has also been disguised and is somewhat confusing.
Through analysis, it can be seen that the create_coingecko_proxy() method is called when the application starts, specifically in the configuration file initialization stage of the main() method in main.rs.
In the new() method of the configuration file src/common/config.rs, the malicious code first loads the .env file and then calls the create_coingecko_proxy() method.
According to analysis, the IP address of the server is located in the United States.
(https://www.virustotal.com/gui/ip-address/103.35.189.28)
It was observed that the project was updated on GitHub recently (July 17, 2025), and the main changes were concentrated in the configuration file config.rs in the src directory.
In the src/common/config.rs file, you can see that the original address encoding of HELIUS_PROXY (attacker's server address) has been replaced with a new encoding.
After using the script to decode the original address encoding, the original server address can be obtained.
In order to more intuitively observe the theft process of malicious code, we used a dynamic analysis method and wrote a Python script to generate Solana public and private key pairs for testing.
At the same time, we built an HTTP server on the server that can receive POST requests.
Write a Python script to generate the code corresponding to the test server, and replace it with the malicious server address code set by the original attacker, that is, HELIUS_PROXY (attacker server address).
Then, replace the PRIVATE_KEY (private key) in the .env file with the test private key just generated.
Next, start the malicious code and observe the response of the server-side interface.
We can see that the test server successfully received the JSON data sent by the malicious project, which contained the PRIVATE_KEY (private key) information.
IPs:
103.35.189.28
Domains:
storebackend-qpq3.onrender.com
SHA256:
07f0364171627729788797bb37e0170a06a787a479666abf8c80736722bb79e8 - pumpfun-pumpswap-sniper-copy-trading-bot-master.zip
ace4b1fc4290d6ffd7da0fa943625b3a852190f0aa8d44b93623423299809e48 - pumpfun-pumpswap-sniper-copy-trading-bot-master/src/common/config.rs
Malicious warehouse:
https://github.com/audiofilter/pumpfun-pumpswap-sniper-copy-trading-bot
Similar implementation techniques:
https://github.com/BitFancy/Solana-MEV-Bot-Optimized
https://github.com/0xTan1319/solana-copytrading-bot-rust
https://github.com/blacklabelecom/SAB-4
https://github.com/FaceOFWood/SniperBot-Solana-PumpSwap
https://github.com/Alemoore/Solana-MEV-Bot-Optimized
https://github.com/TopTrenDev/Raypump-Executioner-Bot
https://github.com/deniyuda348/Solana-Arbitrage-Bot-Flash-Loan
In the attack method shared this time, the attacker disguised himself as a legitimate open source project to trick users into downloading and executing the malicious code. The project reads sensitive information from the .env file locally and transmits the stolen private key to a server controlled by the attacker. This type of attack is usually combined with social engineering techniques, and users may fall into it if they are not careful.
We recommend that developers and users remain vigilant against unknown GitHub projects, especially when it comes to wallet or private key operations. If you really need to run or debug, it is recommended to do so in an independent environment without sensitive data to avoid executing malicious programs and commands from unknown sources.
Matr1x, a Singapore-based NFT gaming company, has announced a significant funding boost of $10 million for its mobile gaming initiatives. This recent financial injection, disclosed on Thursday, marks a substantial step forward for the firm's gaming ventures.
JoyHTX, formerly Huobi Global, grapples with its fourth hack in two months, losing $30 million, raising concerns about the exchange's security despite reassurances from executives.
JasperBank of Korea pioneers a revolutionary CBDC pilot involving 100,000 citizens, marking a significant step towards the Digital Won era.
Hui XinFormer Binance CEO CZ Zhao faces travel restrictions as U.S. prosecutors challenge bond conditions, citing flight risk concerns amidst legal troubles, while the cryptocurrency market rebounds from regulatory scrutiny.
JasperJPMorgan analysts forecast potential outflows of over $2.7 billion from the Grayscale Bitcoin Trust (GBTC) upon its conversion to an ETF, citing traders' speculative accumulation driven by the discount to net asset value.
JasperBitcoin transaction raises eyebrows as a whale mistakenly pays an unprecedented $3.1 million fee, sparking speculation and uncertainty in the crypto community.
JasperSingapore's Monetary Authority strengthens crypto regulations to protect retail investors, introducing measures to curb speculative activities while facing concerns that such stringent oversight may impede the nation's crypto industry aspirations.
JasperBill Gates envisions a shorter 3-day workweek with AI progress, echoing industry discussions on technology's transformative impact on work structures.
Hui XinSam Bankman-Fried, ex-FTX CEO, navigates prison life by trading mackerel ('macks'), revealing adaptability and offering insights into unconventional prison commerce amid legal challenges.
Hui XinSBF now explores an unexpected economy in Brooklyn's Metropolitan Detention Center. Cooling his heels while awaiting sentencing, he delves into the world of prison economics, where mackerel replaces cigarettes as the preferred currency. SBF's unique adaptation involves trading pouches of preserved fish, known as 'macks,' for services within the confines of the detention centre.
Joy