A recent warning from the JFrog Security Research team highlights a malicious package that is specifically targeting crypto futures trading on the MEXC exchange. This scheme aims to steal user funds and expose sensitive trading credentials.
In a report released on April 15, the researchers outlined the “ccxt-mexc-futures” package, which masquerades as a legitimate tool by utilizing the Cryptocurrency Exchange Trading (CCXT) library to reroute user trading requests to a fraudulent server.
NEW SECURITY RESEARCH ALERT: The JFrog #Security Team found a phishing scheme in the Python Package Index (PyPI) targeting crypto futures trading, which reached $1.67B in Q1 2025. A malicious package redirects users to a fake MEXC site (https://t.co/H4IJLdEb5o), promoted on… pic.twitter.com/UUYaLKSZbW
— JFrog (@jfrog) April 15, 2025
The deceptive domain closely resembles the authentic MEXC website, making it easy for users to fall prey to the scam. Once unsuspecting victims engage with the counterfeit platform, attackers gain access to all cryptocurrency and sensitive information included in the trading requests.
Consequently, the attackers can steal critical Application Programming Interface (API) keys and secrets, thus jeopardizing the integrity of users’ crypto trading accounts.
According to the researchers, “the use of obfuscation techniques and a fake MEXC website further demonstrates the sophistication of this phishing campaign.” They noted that the fraudulent site is even advertised on social media platforms like Facebook.
Delving further into the issue, JFrog explained that the ccxt-mexc-futures package purports to enhance crypto trading capabilities using the legitimate CCXT package, which is widely recognized for facilitating trading across numerous exchanges, including MEXC.
However, the attackers falsely claim that their malicious package extends the CCXT library to enable “futures” trading on MEXC. In reality, it overrides three essential functions: describe, sign, and prepare_request_headers.
Adding, Rewriting, Redirecting, Stealing Crypto Futures
The investigation elaborates that within the CCXT framework, the MEXC interface comprises various APIs to facilitate diverse trading activities. The attackers specifically targeted two of these APIs: contract_private_post_order_submit and contract_private_post_order_cancel.
After compromising these APIs, the malicious ccxt-mexc-futures package introduces a third API, spot4_private_post_order_place. As a result, users inadvertently utilize the attackers’ versions of the APIs instead of the legitimate ones established by the CCXT library when creating, placing, or canceling trading orders.
“Every time a user utilizes these entries, instead of using the CCXT-defined entries, they will use the attacker’s entries, specifying futures trading in the request,” the researchers noted.
Intriguingly, the attackers took additional measures by manipulating the responses to encourage user confidence; a “BadRequest” response can be altered to appear as an “OrderFilled” message, leading users to believe their transactions have been successfully processed.
Furthermore, as the malicious package overrides the sign function, any attempt by a user to connect with MEXC through the package will result in requests being sent to the fraudulent domain. This action also entails sharing the user token within the request header with the attackers.
If a user fails to provide a token, the package will prompt them to add it before proceeding with any order. “If it is not a future-related entry, the package directs the flow to the original MEXC exchange implementation of the CCXT package,” the report indicates.
The researchers identified two distinct versions of the malicious package, each utilizing different techniques to conceal their operations and execute unauthorized code on the devices of affected users. However, both methods are characteristic of common strategies employed by cybercriminals to deploy malicious payloads.
In response to this growing threat, JFrog has included the malicious Python packages in its JFrog Xray system, a step designed to help users detect and mitigate these risks swiftly.
The post New Phishing Scheme Targets Crypto Futures On MEXC Exchange appeared first on Finance Newso.
