Case Study: MEXC API Keys Hijack - A Wake Up Call For Traders
Industry Insight
May 14, 2025

This blog breaks down the MEXC API key hijack — how a fake code package stole keys, why trading infrastructure is vulnerable, and what it teaches us about securing trading API keys.

TL;DR – A Malicious CEX Connectivity Code Package Stole Traders' API Keys:

  • A fake code package stole MEXC trading API keys from unsuspecting traders
  • How? It impersonated a legit code library and silently rerouted trades to hacker-controlled servers
  • Why? Today, anyone with access to your infrastructure also has direct access to your API keys
  • The takeaway: Trading API keys require the same security measures as private keys for on-chain trading.

Sodot brings those same best practices to CEX trading with a secure, MPC-powered solution for securing Trading API Keys.

What Happened?

Recently, security researchers discovered a malicious Python package named ccxt-mexc-futures. It looked like a legitimate tool for interacting with the MEXC crypto exchange, but it had a dangerous twist: it silently hijacked API keys and rerouted trading activity to a server controlled by attackers. This wasn’t just a phishing scam - it was a supply chain attack aimed at developers. By simply installing and using this package, users unknowingly handed over the keys to their trading accounts. That’s the risk we all take when trusting external code, especially when that code handles sensitive API credentials that control real assets.

Why Did It Happen?

The deeper issue is: why is this even possible in the first place? If a piece of malicious code can steal your trading API keys, it means the machine running your trading logic has direct access to those keys, which in turn means that developers, DevOps staff, and any attacker who gains access to that machine have access to them too. That’s the Achilles’ heel of every trading company’s security model: the keys that move funds are exposed to too many layers of infrastructure. We all accept this because programmatic trading requires signing API requests. But does it really have to be this way?
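To make the point above concrete, here is an added example (not code from the original post or from Sodot) contrasting the two models it describes: a trading process that holds the API secret itself, where any imported dependency such as the malicious package discussed above can read it, versus one that only holds a handle to a signing service that keeps the secret and enforces an endpoint policy. The credentials, endpoint names and HMAC-over-query-string scheme are constructed assumptions for the demo, and the signer is simulated in-process, where in production it would sit behind a network boundary.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed demo credentials, not real exchange keys.
API_KEY = "demo-api-key-id"
API_SECRET = b"demo-secret-never-reuse"

def sign_query(secret, params):
    """HMAC-SHA256 over the URL-encoded query string: the general shape of CEX
    REST request signing (exact MEXC field rules are out of scope here)."""
    return hmac.new(secret, urlencode(params).encode(), hashlib.sha256).hexdigest()

class InProcessTrader:
    """Exposed model: the secret sits in the trading process, so any imported
    dependency (e.g. a typosquatted package) can read and exfiltrate it."""
    def __init__(self, api_key, secret):
        self.api_key = api_key
        self.secret = secret
    def build_order(self, endpoint, params):
        return {"endpoint": endpoint, "api_key": self.api_key, "params": params,
                "signature": sign_query(self.secret, params)}

class SignerService:
    """Stands in for a signing service/vault. Simulated in-process here; in
    production it sits behind a network boundary so trading code never holds
    the secret. It also enforces policy: only allowlisted endpoints get signed."""
    def __init__(self, secret, allowed_endpoints):
        self._secret = secret
        self._allowed = frozenset(allowed_endpoints)
    def sign(self, endpoint, params):
        if endpoint not in self._allowed:
            raise PermissionError(f"signer policy refuses endpoint {endpoint}")
        return sign_query(self._secret, params)

class VaultedTrader:
    """Hardened model: the trading process holds only the public key id and a
    signing handle; no secret bytes live in this object's state."""
    def __init__(self, api_key, signer):
        self.api_key = api_key
        self._sign = signer.sign
    def build_order(self, endpoint, params):
        return {"endpoint": endpoint, "api_key": self.api_key, "params": params,
                "signature": self._sign(endpoint, params)}

def secret_in_state(obj, secret=API_SECRET):
    """Models a malicious dependency scraping an object's attributes for the secret."""
    return any(v == secret for v in vars(obj).values())
```

Both traders produce identical signatures for an allowed order, but only the in-process trader carries the secret where a compromised dependency can reach it, and only the vaulted trader gets a policy refusal for an endpoint outside the allowlist.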

Web3 Has Already Solved Handling Sensitive Keys

In the world of Web3, teams are already securing private keys using tools like MPC (Multi-Party Computation) and multisig wallets. The keys never leave the secure environment—and no single system or person can act alone. So why aren’t we doing the same for trading API keys?

Enter Sodot Exchange API Vault

At Sodot, we’ve built exactly that: a secure, purpose-built key management system for trading API Keys. Inspired by the best practices of on-chain key management, Sodot ensures that your trading keys never live on developer machines, CI servers, or code repositories. They stay protected, yet fully usable for secure and high-performance programmatic trading.

Want to hear more? Let’s talk.

About Sodot

Sodot is an MPC key management infrastructure company built by a seasoned team of applied cryptographers and security experts. Sodot’s MPC infrastructure is designed for building custodial and self-custodial solutions, with full operational control and minimum dependencies.