Verify a decision

{"actor":"system:backfill","investigation_id":"e0a39169-9659-452b-baa1-a0f1978a1226","kind":"publish","page_slug":"bittensor","published_at":"2026-05-19T16:45:06.784Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Bittensor","sections":[{"content":"Bittensor is an open-source, decentralized AI network built on a custom blockchain (Subtensor) governed by the Opentensor Foundation. The network organizes participants into specialized sub-networks called subnets, where miners run AI models, validators score model outputs for quality, and subnet owners curate tasks. Rewards are distributed in the native TAO token under a fixed, Bitcoin-style halving emission schedule. As of 2024, Bittensor had become one of the more prominent decentralized AI infrastructure projects, with a market capitalization in the billions of dollars and approximately 70% of circulating TAO staked within the network.","heading":"Protocol Overview","severity":"low","sources":[{"credibility":2,"name":"Bittensor Protocol Overview — Metalamp","type":"research","url":"https://metalamp.io/magazine/article/bittensor-overview-of-the-protocol-for-decentralized-machine-learning"},{"credibility":2,"name":"Bittensor DeFiLlama Chain Page","type":"on_chain","url":"https://defillama.com/chain/bittensor"},{"credibility":2,"name":"Bittensor About Page — bittensor.com","type":"official","url":"https://bittensor.com/about"}]},{"content":"On or around May 22, 2024, an attacker uploaded a malicious version of the official Bittensor Python package to the Python Package Index (PyPI) under version number 6.12.2. The package was visually and functionally indistinguishable from a legitimate release. When users downloaded and installed the package, it intercepted coldkey decryption operations triggered by staking, unstaking, wallet transfers, delegation, or subnet registration. Upon decryption, the malware exfiltrated the unencrypted private key material to an attacker-controlled remote server, enabling subsequent unauthorized wallet drains. The malicious package was available for download from May 22 to May 29, 2024, a window during which an unknown number of users installed it. The stolen key material was later exploited on July 2, 2024, when the attacker began draining affected wallets. The Opentensor Foundation's post-mortem concluded that the attacker had either gained access to the Bittensor PyPI publishing account or injected code into the Bittensor codebase prior to the release being packaged. A separate campaign identified by GitLab in August 2025 employed typosquatted package names (such as 'bitensor' and 'bittenso') and a similar stake_extrinsic function hijack to target Bittensor users, indicating that supply chain attack vectors against this ecosystem have persisted beyond the initial incident.","heading":"PyPI Supply Chain Attack (July 2024)","severity":"critical","sources":[{"credibility":1,"name":"Bittensor Identifies Vulnerability Behind $8M Exploit — The Block","type":"news_article","url":"https://www.theblock.co/post/303547/bittensor-exploit"},{"credibility":2,"name":"Explained: The Bittensor Hack (July 2024) — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-bittensor-hack-july-2024"},{"credibility":1,"name":"GitLab Uncovers Bittensor Theft Campaign via PyPI","type":"research","url":"https://about.gitlab.com/blog/gitlab-uncovers-bittensor-theft-campaign-via-pypi/"},{"credibility":2,"name":"Bittensor Rekt News Post-Mortem","type":"news_article","url":"https://rekt.news/bittensor-rekt"},{"credibility":2,"name":"Bittensor Halts Network — The Defiant","type":"news_article","url":"https://thedefiant.io/news/hacks/bittensor-halts-network-after-users-fall-victim-to-malicious-python-software"}]},{"content":"The theft unfolded over approximately three hours on July 2, 2024, beginning at 7:06 PM UTC. The Opentensor Foundation initially reported that approximately 32,000 TAO tokens valued at roughly $8 million were stolen. Subsequent investigation by ZachXBT and litigation filings placed the total stolen amount at approximately 61,793.90 TAO tokens across 32 Bittensor wallets, valued at approximately $28–$30 million across the full attack window of May 22 to July 2, 2024, based on token prices at the time. The broader figure appears to account for multiple waves of theft enabled by the same malicious package. The TAO token declined approximately 15% in value in the immediate aftermath of the publicly disclosed halt.","heading":"Financial Impact","severity":"critical","sources":[{"credibility":1,"name":"Lawsuit Filing — JustM2J LLC v. Brewer et al., Case 2:25-cv-00380 (E.D. Cal.)","type":"court_filing","url":"https://www.casemine.com/judgement/us/67a82f6fa1572e13dd1d2ce2"},{"credibility":2,"name":"Bittensor $28M Hack — AMBCrypto","type":"news_article","url":"https://ambcrypto.com/bittensor-tao-gains-12-as-28-mln-hack-mystery-clears-more-gains/"},{"credibility":2,"name":"Bittensor Hack Post-Mortem — CCN","type":"news_article","url":"https://www.ccn.com/news/crypto/bittensor-suspend-network-8-million-security-exploit/"}]},{"content":"The Opentensor Foundation detected an abnormality in transfer volume at approximately 7:25 PM UTC on July 2, 2024. By 7:41 PM UTC — roughly 35 minutes after the theft began — validators were placed behind a firewall and the chain was placed in 'safe mode,' halting all transactions while allowing block production to continue. The foundation removed the malicious 6.12.2 package from PyPI and conducted a review of the Bittensor GitHub codebase, reporting that no additional malicious code was identified. The network was subsequently restarted after the investigation concluded. The Opentensor Foundation published a community update on July 3, 2024 providing a timeline and describing its response. The foundation also proposed a 10% supply burn to stabilize the TAO token following the exploit, though the status of that proposal's implementation was subject to community governance.","heading":"Network Halt and Opentensor Foundation Response","severity":"high","sources":[{"credibility":1,"name":"Bittensor Community Update — July 3, 2024 — Opentensor Foundation","type":"official","url":"https://blog.bittensor.com/bittnesor-community-update-july-3-2024-45661b1d542d"},{"credibility":2,"name":"Decentralized AI Network Bittensor Halted in Response to $8M Hack — Protos","type":"news_article","url":"https://protos.com/decentralized-ai-network-bittensor-halted-in-response-to-8m-hack/"},{"credibility":2,"name":"Bittensor Proposes Burning 10% Supply — CryptoSlate","type":"news_article","url":"https://cryptoslate.com/bittensor-proposes-burning-10-supply-to-stabilize-tao-following-8-million-exploit/"},{"credibility":2,"name":"Bittensor Network Security Breach: Founders Issue Detailed Community Update — BitNewsBot","type":"news_article","url":"https://bitnewsbot.com/bittensor-network-security-breach-founders-issue-detailed-community-update/"}]},{"content":"On-chain investigator ZachXBT published a detailed post-mortem of his investigation into the Bittensor hack. ZachXBT traced stolen TAO tokens from affected wallets through the Bittensor native bridge to Ethereum, then into instant exchanges where funds were converted to Monero. Separately, approximately $4.94 million in ETH, USDC, and WETH was deposited into the Railgun privacy protocol. ZachXBT employed timing and amount heuristics — exploiting the unique denominations and short deposit intervals — to de-mix the Railgun withdrawals with high confidence, identifying three recipient addresses. The investigation then followed those addresses into NFT wash-trading activity, specifically the purchase and resale of anime-themed 'Killer GF' NFTs at prices substantially above floor value, a money-laundering approach ZachXBT described as extremely rare in hack scenarios. One recipient address was linked through on-chain activity to a Bittensor community member known as 'Rusty,' the operator of Skrtt Racing, a cryptocurrency betting platform for toy car races. Court records identified this individual as Ayden Brewer. Brewer acknowledged ownership of the connected wallets but denied involvement in the theft. ZachXBT stated he earned a white-hat bounty for his investigative work and expressed hope that law enforcement would pursue a criminal case.","heading":"ZachXBT Investigation and Suspect Identification","severity":"critical","sources":[{"credibility":2,"name":"ZachXBT on X — Investigation Thread","type":"social_media","url":"https://x.com/zachxbt/status/1978465677578301723"},{"credibility":2,"name":"ZachXBT Cracks Railgun Privacy to Expose Bittensor Hacker — Protos","type":"news_article","url":"https://protos.com/zachxbt-deanonymizes-withdrawals-from-crypto-mixer-railgun/"},{"credibility":2,"name":"This $28M Crypto Hack Was Nearly Perfect — Until ZachXBT Stepped In — CryptoRank","type":"news_article","url":"https://cryptorank.io/news/feed/cd5a2-zach-xbt-traces-28-million-bittensor-hack-to-nft-purchases"},{"credibility":2,"name":"ZachXBT Reveals Details of Bittensor Hack Investigation — PANews","type":"news_article","url":"https://www.panewslab.com/en/articles/98c4bb51-5236-40b6-8392-7c108eead61d"},{"credibility":1,"name":"Bittensor Halts Network After Reported Security Attack — The Block","type":"news_article","url":"https://www.theblock.co/post/303235/bittensor-halts-network-after-reported-security-attack-on-wallets-zachxbt"}]},{"content":"On January 27, 2025, JustM2J LLC filed a civil complaint in the United States District Court for the Eastern District of California (Case No. 2:25-cv-00380-DAD-SCR) against Ayden Brewer, Jon Litz, Jason St. George, and unidentified individuals. The complaint alleges that the defendants orchestrated the supply chain attack against the Bittensor network, stealing and laundering approximately 61,793.90 TAO tokens — valued at approximately $30.3 million as of February 28, 2025 — from 32 Bittensor wallets. The lawsuit asserts that the defendants acted with premeditation, exploiting technical expertise gained as former or prospective employees of the Opentensor Foundation. Ayden Brewer is alleged to have been employed by Opentensor as a developer until February 29, 2024. Jason St. George is alleged to have worked for Opentensor until April 12, 2024. Jon Litz is alleged to have previously applied for a position at the company. On August 19, 2025, the court denied a motion by the defendants to stay discovery. On November 14, 2025, the court granted in part and denied in part the defendants' motions to dismiss, allowing key fraud claims to survive. All allegations remain unproven in court, and the defendants have denied involvement.","heading":"Civil Litigation — JustM2J LLC v. Brewer et al.","severity":"critical","sources":[{"credibility":2,"name":"Lawsuit Alleges Former Opentensor Employees Orchestrated $28M Crypto Heist — BlockTribune","type":"news_article","url":"https://blocktribune.com/lawsuit-alleges-former-opentensor-employees-orchestrated-28m-crypto-heist/"},{"credibility":1,"name":"JustM2J LLC v. Brewer — Case Docket (CaseMine)","type":"court_filing","url":"https://www.casemine.com/judgement/us/67a82f6fa1572e13dd1d2ce2"},{"credibility":2,"name":"Court Allows Discovery in Bittensor Crypto Theft Case — BlockTribune","type":"court_filing","url":"https://blocktribune.com/court-allows-discovery-in-bittensor-crypto-theft-case/"},{"credibility":2,"name":"Judge Rules on Motions in $30M Bittensor Cyberattack Lawsuit — BlockTribune","type":"court_filing","url":"https://blocktribune.com/judge-rules-on-motions-in-30m-bittensor-cyberattack-lawsuit/"},{"credibility":1,"name":"Justia — Case Filing Document","type":"court_filing","url":"https://cases.justia.com/federal/district-courts/california/caedce/2:2025cv00380/459602/50/0.pdf"}]},{"content":"GitLab's Vulnerability Research team identified a separate, subsequent campaign in August 2025 in which five typosquatted PyPI packages mimicking Bittensor (including 'bitensor,' 'bittenso,' and 'bittensor-cli' variants) were published within a 25-minute window. These packages employed the same stake_extrinsic function hijack technique as the 2024 attack, diverting staking operations to an attacker-controlled wallet address. A separate report from StepSecurity documented a compromise of the bittensor-wallet 4.0.2 package on PyPI, in which a backdoor was inserted to exfiltrate private keys. These incidents indicate that Bittensor's PyPI ecosystem remains an active target for supply chain attackers, and that the attack methodology first observed in May 2024 has been replicated by additional threat actors. Users and developers installing Bittensor-related Python packages face elevated risk if packages are not verified against official checksums and distribution channels.","heading":"Ongoing Supply Chain Threat Surface","severity":"high","sources":[{"credibility":1,"name":"GitLab Uncovers Bittensor Theft Campaign via PyPI","type":"research","url":"https://about.gitlab.com/blog/gitlab-uncovers-bittensor-theft-campaign-via-pypi/"},{"credibility":2,"name":"bittensor-wallet 4.0.2 Compromised on PyPI — StepSecurity","type":"research","url":"https://www.stepsecurity.io/blog/bittensor-wallet-4-0-2-compromised-on-pypi---backdoor-exfiltrates-private-keys"},{"credibility":2,"name":"Multiple Malicious Python Packages Targeting Bittensor Crypto Developers — SafeDep","type":"research","url":"https://safedep.io/malicious-python-packages-target-crypto-developers/"},{"credibility":2,"name":"Typosquatted PyPI Packages Used to Steal Cryptocurrency from Bittensor Wallets — GBHackers","type":"news_article","url":"https://gbhackers.com/typosquatted-pypi-packages-used-by-threat-actors/"}]}],"sources_used":[{"credibility":1,"name":"Bittensor Halts Network — The Block","type":"news_article","url":"https://www.theblock.co/post/303235/bittensor-halts-network-after-reported-security-attack-on-wallets-zachxbt"},{"credibility":1,"name":"Bittensor Identifies Vulnerability Behind $8M Exploit — The Block","type":"news_article","url":"https://www.theblock.co/post/303547/bittensor-exploit"},{"credibility":2,"name":"Explained: The Bittensor Hack (July 2024) — Halborn","type":"research","url":"https://www.halborn.com/blog/post/explained-the-bittensor-hack-july-2024"},{"credibility":1,"name":"GitLab Uncovers Bittensor Theft Campaign via PyPI","type":"research","url":"https://about.gitlab.com/blog/gitlab-uncovers-bittensor-theft-campaign-via-pypi/"},{"credibility":2,"name":"Bittensor Rekt News","type":"news_article","url":"https://rekt.news/bittensor-rekt"},{"credibility":2,"name":"ZachXBT Cracks Railgun Privacy to Expose Bittensor Hacker — Protos","type":"news_article","url":"https://protos.com/zachxbt-deanonymizes-withdrawals-from-crypto-mixer-railgun/"},{"credibility":2,"name":"This $28M Crypto Hack Was Nearly Perfect — CryptoRank","type":"news_article","url":"https://cryptorank.io/news/feed/cd5a2-zach-xbt-traces-28-million-bittensor-hack-to-nft-purchases"},{"credibility":2,"name":"ZachXBT Reveals Details of Bittensor Hack Investigation — PANews","type":"news_article","url":"https://www.panewslab.com/en/articles/98c4bb51-5236-40b6-8392-7c108eead61d"},{"credibility":2,"name":"ZachXBT on X — Investigation Thread","type":"social_media","url":"https://x.com/zachxbt/status/1978465677578301723"},{"credibility":2,"name":"Lawsuit Alleges Former Opentensor Employees Orchestrated $28M Crypto Heist — BlockTribune","type":"news_article","url":"https://blocktribune.com/lawsuit-alleges-former-opentensor-employees-orchestrated-28m-crypto-heist/"},{"credibility":1,"name":"JustM2J LLC v. Brewer — Case Docket (CaseMine)","type":"court_filing","url":"https://www.casemine.com/judgement/us/67a82f6fa1572e13dd1d2ce2"},{"credibility":2,"name":"Court Allows Discovery in Bittensor Crypto Theft Case — BlockTribune","type":"court_filing","url":"https://blocktribune.com/court-allows-discovery-in-bittensor-crypto-theft-case/"},{"credibility":2,"name":"Judge Rules on Motions in $30M Bittensor Cyberattack Lawsuit — BlockTribune","type":"court_filing","url":"https://blocktribune.com/judge-rules-on-motions-in-30m-bittensor-cyberattack-lawsuit/"},{"credibility":1,"name":"Justia — Case Filing Document (2:25-cv-00380)","type":"court_filing","url":"https://cases.justia.com/federal/district-courts/california/caedce/2:2025cv00380/459602/50/0.pdf"},{"credibility":1,"name":"Bittensor Community Update July 3 2024 — Opentensor Foundation","type":"official","url":"https://blog.bittensor.com/bittnesor-community-update-july-3-2024-45661b1d542d"},{"credibility":2,"name":"Bittensor Proposes Burning 10% Supply — CryptoSlate","type":"news_article","url":"https://cryptoslate.com/bittensor-proposes-burning-10-supply-to-stabilize-tao-following-8-million-exploit/"},{"credibility":2,"name":"Decentralized AI Network Bittensor Halted — Protos","type":"news_article","url":"https://protos.com/decentralized-ai-network-bittensor-halted-in-response-to-8m-hack/"},{"credibility":2,"name":"bittensor-wallet 4.0.2 Compromised on PyPI — StepSecurity","type":"research","url":"https://www.stepsecurity.io/blog/bittensor-wallet-4-0-2-compromised-on-pypi---backdoor-exfiltrates-private-keys"},{"credibility":2,"name":"Multiple Malicious Python Packages Targeting Bittensor Developers — SafeDep","type":"research","url":"https://safedep.io/malicious-python-packages-target-crypto-developers/"},{"credibility":2,"name":"Bittensor DeFiLlama","type":"on_chain","url":"https://defillama.com/chain/bittensor"},{"credibility":2,"name":"Bittensor About — bittensor.com","type":"official","url":"https://bittensor.com/about"},{"credibility":2,"name":"Bittensor TAO Gains 12% as $28M Hack Mystery Clears — AMBCrypto","type":"news_article","url":"https://ambcrypto.com/bittensor-tao-gains-12-as-28-mln-hack-mystery-clears-more-gains/"},{"credibility":2,"name":"AI Network Bittensor Token Drops 15% — Crypto Briefing","type":"news_article","url":"https://cryptobriefing.com/bittensor-token-drop-security/"}],"summary":"Bittensor is a decentralized blockchain protocol functioning as a peer-to-peer marketplace for machine intelligence, using the TAO token to reward AI model contributors. In July 2024, the protocol was the target of a supply chain attack via a malicious version of its official PyPI package, resulting in the theft of approximately $28 million in TAO tokens from 32 wallets. A civil lawsuit filed in January 2025 alleges that former Opentensor Foundation employees orchestrated the attack, and on-chain investigator ZachXBT identified a key suspect through NFT wash-trade analysis and Railgun de-mixing.","timeline":[{"date":"2024-02-29","event":"Ayden Brewer's employment at the Opentensor Foundation ends, per allegations in subsequent civil litigation.","source":"JustM2J LLC v. Brewer — BlockTribune","source_url":"https://blocktribune.com/lawsuit-alleges-former-opentensor-employees-orchestrated-28m-crypto-heist/"},{"date":"2024-04-12","event":"Jason St. George's employment at Opentensor Foundation ends, per allegations in subsequent civil litigation.","source":"JustM2J LLC v. Brewer — BlockTribune","source_url":"https://blocktribune.com/lawsuit-alleges-former-opentensor-employees-orchestrated-28m-crypto-heist/"},{"date":"2024-05-22","event":"A malicious version of the Bittensor Python package (v6.12.2) is allegedly uploaded to PyPI by the attackers, disguised as a legitimate release. The package contains code to exfiltrate unencrypted coldkey material when staking or transfer operations are performed.","source":"Halborn — Explained: The Bittensor Hack (July 2024)","source_url":"https://www.halborn.com/blog/post/explained-the-bittensor-hack-july-2024"},{"date":"2024-05-29","event":"The malicious package is removed from PyPI. Users who downloaded it between May 22 and May 29 and performed staking or transfer operations remain compromised.","source":"Bittensor Post-Mortem — The Block","source_url":"https://www.theblock.co/post/303547/bittensor-exploit"},{"date":"2024-07-02","event":"At 7:06 PM UTC, the attacker begins draining affected Bittensor wallets using previously stolen private keys. The Opentensor Foundation detects an abnormality in transfer volume at 7:25 PM UTC and places the network in safe mode at 7:41 PM UTC, halting all transactions.","source":"Bittensor Community Update — Opentensor Foundation","source_url":"https://blog.bittensor.com/bittnesor-community-update-july-3-2024-45661b1d542d"},{"date":"2024-07-02","event":"ZachXBT publicly identifies the attacker wallet address and reports the active exploit on social media. The Block covers the network halt.","source":"Bittensor Halts Network — The Block","source_url":"https://www.theblock.co/post/303235/bittensor-halts-network-after-reported-security-attack-on-wallets-zachxbt"},{"date":"2024-07-03","event":"Opentensor Foundation publishes community update disclosing the PyPI supply chain vector, the timeline of the attack, the network halt, and initial remediation steps.","source":"Bittensor Community Update — Opentensor Foundation","source_url":"https://blog.bittensor.com/bittnesor-community-update-july-3-2024-45661b1d542d"},{"date":"2025-01-27","event":"JustM2J LLC files civil complaint in the US District Court for the Eastern District of California (Case No. 2:25-cv-00380) against Ayden Brewer, Jon Litz, and Jason St. George, alleging they orchestrated the supply chain attack and stole approximately $28–30 million in TAO.","source":"JustM2J LLC v. Brewer — CaseMine","source_url":"https://www.casemine.com/judgement/us/67a82f6fa1572e13dd1d2ce2"},{"date":"2025-08-06","event":"GitLab Vulnerability Research identifies a new campaign of five typosquatted Bittensor PyPI packages published within a 25-minute window, employing the same stake_extrinsic hijack technique as the 2024 attack.","source":"GitLab Uncovers Bittensor Theft Campaign via PyPI","source_url":"https://about.gitlab.com/blog/gitlab-uncovers-bittensor-theft-campaign-via-pypi/"},{"date":"2025-08-19","event":"US District Court for the Eastern District of California denies defendants' motion to stay discovery in JustM2J LLC v. Brewer.","source":"Court Allows Discovery in Bittensor Crypto Theft Case — BlockTribune","source_url":"https://blocktribune.com/court-allows-discovery-in-bittensor-crypto-theft-case/"},{"date":"2025-11-14","event":"US District Court grants in part and denies in part defendants' motions to dismiss, allowing key fraud claims to survive. Litigation is ongoing.","source":"Judge Rules on Motions in $30M Bittensor Cyberattack Lawsuit — BlockTribune","source_url":"https://blocktribune.com/judge-rules-on-motions-in-30m-bittensor-cyberattack-lawsuit/"}]},"v":1}