DEV Community

Cover image for How My Open-Source Scanner Caught a Crypto Scammer Exposing Their Own Keys
Khaled Hani
Khaled Hani

Posted on

How My Open-Source Scanner Caught a Crypto Scammer Exposing Their Own Keys

GitHub Issue Phishing Site UI
Exposing the keys in the GitHub Issue The Phishing Site (Notice the Spotify option)

There is a golden rule in cybersecurity: the weakest link is almost always human error. But what happens when that human error comes from a malicious actor trying to orchestrate a crypto phishing scam? The result is surprisingly comedic.

Here is the story of how my newly built open-source secret scanner, Sentinel, accidentally neutralized a Tether (USDT) phishing operation during a routine benchmark.

The Setup: Testing in the Wild

I recently released Sentinel, a statically compiled, context-aware Git secret scanner and pre-commit hook written in Go. After fine-tuning its engine to achieve near-zero false positives, I decided to benchmark it "in the wild" by scanning random, recently updated repositories on GitHub.
The goal was to see if Sentinel could catch edge-case credentials that traditional, regex-heavy tools often miss or drown in noise. During the scan, Sentinel instantly flagged a critical severity finding in a rather suspicious repository.

The Catch: AI Copy-Paste Gone Wrong

Upon inspecting the flagged file, the issue was immediately apparent: a fully exposed, hardcoded Firebase configuration object containing the API key, project ID, and messaging sender ID.
It was a textbook case of a script kiddie asking an AI for a web login template and blindly copy-pasting the frontend code into a public repository. They had effectively handed over the administrative keys to their backend infrastructure before the project even launched.

The Phishing Site: Logging into Crypto with Spotify?

Out of professional curiosity, I checked the Vercel deployment linked to the repository. The project was attempting to impersonate Tether (USDT), the world's largest stablecoin. It featured the official logo, a catchy slogan, and a login prompt designed to harvest credentials.
However, because the scammer had blindly copied a generic consumer application template, the authentication options presented to the victims were:

  • Continue with Google
  • Continue with Phone
  • Continue with Spotify Yes, the threat actor was attempting to steal cryptocurrency wallets by asking victims to authenticate via their music streaming accounts. It was a masterpiece of absolute incompetence.

The Confrontation

I could not let this slide. I navigated to the scammer's GitHub repository, opened a public Issue, and left them a piece of professional advice.
Issue Title: If you want to scam someone, you must first learn how to protect yourself.
Comment: "Ask the AI you used about the dangers of leaving this information public, you fool. Learn first before you experiment."
By exposing their keys publicly in the issue and highlighting the flaw, their Firebase project was flagged, effectively neutralizing the phishing attempt before it could claim any victims.

The Technical Takeaway

While the story provides a good laugh, it highlights a severe reality in modern software development:

  1. AI Code Generation is a Double-Edged Sword: The blind reliance on AI-generated code without understanding environment variables (.env) is causing a massive spike in leaked secrets.
  2. Standard Tools Miss Context: Many traditional scanners rely heavily on mathematical entropy and might ignore loosely structured configurations if they do not match strict regular expressions. This architectural flaw is exactly why I built Sentinel. It does not just look for random strings; it utilizes lexical context-awareness to catch hardcoded assignments. This ensures that whether you are a senior engineer making a late-night mistake or a clueless scammer copying code, your secrets are caught before they enter the version control history.

Secure Your Code (Don't be like our Tether guy)

If you want to ensure you never accidentally push your API keys, AWS credentials, or database connection strings to GitHub, take a look at Sentinel. It installs in seconds as a pre-commit hook and runs silently in the background, utilizing a three-tier detection pipeline built for speed.
🔗 Check out Sentinel on GitHub
If you enjoyed this case study, consider dropping a star on the repository, and let me know in the comments about the most absurd bug or leak you have ever encountered in the wild.

Top comments (0)