According to BlockBeats, Bittensor, a decentralized AI network, announced on July 4th that its community participants had suffered a severe security attack on July 2nd. The Bittensor Foundation took immediate action to prevent further outflow of funds and launched an in-depth investigation into the attack.
The attack reportedly originated from a malicious release published as version 6.12.2 of the Bittensor package on PyPI, the Python package index. When users installed this version and decrypted their cold wallet keys, the decrypted key bytes were sent to the attacker's remote server, which allowed the attacker to drain the affected wallets.
The main victims were users who installed the Bittensor package from PyPI and carried out transfers, staking, or delegation between May 22nd and 29th. The Bittensor Foundation has removed the malicious package from PyPI and conducted a comprehensive review of the code, finding no other vulnerabilities so far.
To limit losses, the Bittensor Foundation has placed the validator nodes behind a firewall and put Subtensor into safe mode. All transactions on the Bittensor blockchain are suspended until the vulnerability is fixed. The Foundation is working with exchanges in an attempt to recover the stolen funds.
The Bittensor Foundation stated that it will learn from this incident, improve its package verification process, increase the frequency of external audits, and raise its security standards and monitoring. An AMA will be held soon to address community questions and concerns. The Foundation urges users to move their funds to a new wallet as soon as possible and upgrade to the latest Bittensor package; upgrading alone does not protect a wallet whose decrypted key was already sent to the attacker, which is why a fresh wallet is needed.
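As an added example (not code from Bittensor, the Foundation, or this article), the following script shows the two checks an operator would want after an incident like this: flagging the release the advisory names (6.12.2) if it is the installed version, and recomputing the hash of every installed file against the RECORD manifest pip writes into the package's `.dist-info` directory, which detects files patched after installation. The demo builds a throw-away, constructed stand-in for the package in a temporary directory; the module `bittensor/wallet.py`, the function `decrypt_coldkey`, and the exfiltration comment are hypothetical placeholders, not the real package's code. Note the caveat the design makes explicit: a malicious release whose own RECORD is self-consistent passes the hash check, so only the version check catches a poisoned upload, while the hash check catches tampering of an otherwise good install.

```python
"""Audit an installed package: flag a known-bad release and verify the
installed files against the wheel's RECORD manifest (added example)."""
import base64
import csv
import hashlib
import tempfile
from pathlib import Path

# The only entry taken from the advisory; add others as your own assumptions.
KNOWN_BAD_VERSIONS = {"bittensor": {"6.12.2"}}


def is_known_bad(name: str, version: str) -> bool:
    """True if (name, version) is a release the advisory says to avoid."""
    return version in KNOWN_BAD_VERSIONS.get(name.lower(), set())


def verify_record(site_packages: Path, dist_info: str) -> list[str]:
    """Recompute the digest of every file listed in <dist-info>/RECORD and
    return the relative paths whose current contents no longer match.

    RECORD rows look like 'path,<algo>=<urlsafe-base64 digest, unpadded>,size'.
    RECORD itself is listed with an empty digest and is skipped.
    """
    mismatches = []
    with (site_packages / dist_info / "RECORD").open(newline="") as fh:
        for row in csv.reader(fh):
            if len(row) < 2 or not row[1]:
                continue
            rel_path, digest = row[0], row[1]
            algo, b64 = digest.split("=", 1)
            expected = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
            target = site_packages / rel_path
            if not target.is_file():
                mismatches.append(rel_path)  # listed file missing entirely
                continue
            if hashlib.new(algo, target.read_bytes()).digest() != expected:
                mismatches.append(rel_path)
    return mismatches


def _record_digest(data: bytes) -> str:
    """Encode a sha256 digest the way pip writes it into RECORD."""
    raw = hashlib.sha256(data).digest()
    return "sha256=" + base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def demo() -> dict:
    """Constructed scenario: a fake 'bittensor 6.12.2' install whose wallet
    module is later patched to leak the decrypted key. Returns what each
    check reports before and after the tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        pkg = site / "bittensor"
        pkg.mkdir()
        init = b"# constructed stand-in, not the real package\n"
        wallet = (
            b"def decrypt_coldkey(ciphertext, password):  # hypothetical\n"
            b"    return b'<plaintext key bytes>'\n"
        )
        (pkg / "__init__.py").write_bytes(init)
        (pkg / "wallet.py").write_bytes(wallet)
        dist_info = "bittensor-6.12.2.dist-info"
        (site / dist_info).mkdir()
        rows = [
            ("bittensor/__init__.py", _record_digest(init), str(len(init))),
            ("bittensor/wallet.py", _record_digest(wallet), str(len(wallet))),
            (f"{dist_info}/RECORD", "", ""),
        ]
        with (site / dist_info / "RECORD").open("w", newline="") as fh:
            csv.writer(fh).writerows(rows)

        before = verify_record(site, dist_info)  # untouched install

        # Simulate a post-install patch that exfiltrates the decrypted key.
        (pkg / "wallet.py").write_bytes(
            wallet.replace(
                b"    return b'<plaintext key bytes>'\n",
                b"    key = b'<plaintext key bytes>'\n"
                b"    # send_to_attacker(key)  # constructed, never executed\n"
                b"    return key\n",
            )
        )
        after = verify_record(site, dist_info)

        # In a real audit this comes from importlib.metadata.version("bittensor").
        installed_version = "6.12.2"
        return {
            "known_bad_version": is_known_bad("bittensor", installed_version),
            "mismatches_before_tamper": before,
            "mismatches_after_tamper": after,
        }


if __name__ == "__main__":
    print(demo())
```

Against a real environment, point `verify_record` at your interpreter's `site-packages` and the installed `bittensor-<version>.dist-info` directory, and read the version with `importlib.metadata.version("bittensor")` instead of the constant used in the demo.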