SlowMist has revealed that the widely used open source project “Solana-Pumpfun-bot” on GitHub contains code that steals cryptocurrency from users’ wallets.
The investigation began on July 2, 2025, when a victim contacted the SlowMist security team for help in analyzing how their wallet assets had been stolen.
The theft was traced to an open source project hosted on GitHub that the victim had used the day before the crypto assets disappeared. SlowMist says the stolen funds have since been transferred to the FixedFloat exchange.
The project author is the main suspect
To set up the attack, the hackers posed as a legitimate open source project (Solana-Pumpfun-bot) and lured people into downloading and running the malicious code. Enquiries showed that the suspicious dependency package, named “Crypto-Layout-Utils”, had already been removed from the official NPM registry.
The hackers had replaced the original download URL with one pointing at a malicious version of the package. Once installed, it searched the victim’s PC for wallet-related files and sent the sensitive data to a server controlled by the attacker.
The investigation also found that the project author is suspected of managing multiple GitHub accounts, which were used to fork the malicious projects, distribute malicious programs, and artificially inflate the projects’ popularity. Several forked projects with similar malicious behavior were identified, some of which used another malicious package, “BS58-Encrypt-Utils”.
Several GitHub accounts cooperated throughout the attack chain. This widens distribution, makes the projects appear more credible, and is extremely deceptive. At the same time, the attack combines social engineering with technical means, making it difficult for an organization to defend against fully.
The malicious activity is believed to have begun on June 12, 2025, when the attacker created the malicious package “BS58-Encrypt-Utils”.
Crypto hacking is not progressing much. It has become more cunning
According to SlowMist, crypto hacking techniques have not advanced much, but they have become far more cunning. Lisa, head of operations at SlowMist, said in the company’s second-quarter MistTrack Stolen Funds Analysis report that the fraud was more refined even though hacking techniques themselves showed no progress.
Fake browser extensions, tampered hardware wallets, and social engineering attacks are on the rise. “We see a clear shift from purely on-chain attacks to off-chain entry points. Browser extensions, social media accounts, authentication flows, and user behavior are all becoming common attack surfaces,” Lisa said.
Causes of theft in Q2 2025 | Source: SlowMist
For example, an attacker leads users to well-known, commonly used websites such as Notion and Zoom. When users try to download software from these official-looking sites, the delivered files have already been maliciously replaced.
Another method is for a hacker to send a compromised cold wallet to the user, telling the victim that they have won a free device in a “lottery draw” or that their existing device has been compromised and their assets need to be transferred. Some hackers have even set up fake websites to support the scheme.
The final blow is usually manipulation. “Attackers know that phrases like ‘high-risk signature’ can cause panic and push users to act in a hurry. Once that emotional state is triggered, it becomes much easier to manipulate them into what look like normal actions, such as clicking a link or sharing sensitive information,” Lisa said.
Other attacks used hacking methods built on EIP-7702, which was added in the latest Ethereum upgrade, Pectra. Another attack took over the accounts of several WeChat users and targeted them. According to SlowMist, Ethereum led all ecosystems in security losses in the first half of 2025, with DeFi platforms losing around $470 million.