Fake Polymarket copy-trading bots are stealing wallets. Here's how to not install one.
If you search "polymarket copy trading bot github" and run the first repo you find, there's a real chance you've just installed a credential stealer. Through the first half of 2026, security researchers documented a wave of fake "Polymarket copy-trading bots" on GitHub whose real function was to lift your wallet's private keys — including one hidden inside a hijacked, verified GitHub organization carrying hundreds of inflated stars. The searcher looking for a bot and the malware author looking for victims are typing into the same search box.
What actually happened on GitHub?
In March 2026, researchers at StepSecurity reported that a verified GitHub organization — dev-protocol, a legitimate Japanese DeFi project created in 2019 — had been taken over and used to host a repo named polymarket-copytrading-bot-sport. The repo looked real: a polished README, a bot that called Polymarket's actual APIs, and a few hundred stars. Hidden in its npm dependencies, per StepSecurity, were typosquatted packages that crawled the machine for .env files, private keys and Solana keypairs, shipped them to an attacker-controlled server, and opened an SSH backdoor.
To be clear about who is who: dev-protocol is the victim here, not the culprit. StepSecurity describes its account as hijacked — the attackers inherited a verified badge and years of credibility built by an unrelated open-source team, which is precisely why the lure worked.
It wasn't one repo, either. StepSecurity found the organization flooded, from late February 2026, with more than twenty near-identical "Polymarket bot" repositories, their stars and forks inflated by bot-farm accounts. Independent researchers at kmsec.uk and Panther tie a broader wave of these trading-bot repos to a suspected DPRK-nexus operation they track as "Contagious Trader" — kmsec attributes it to North Korea with high confidence and links its tradecraft to the Lazarus-associated "Contagious Interview" campaign, while Panther connected an April 2026 package to the same cluster. (StepSecurity's own report stopped short of naming a group.) The pattern predates all of it: back in December 2025, SlowMist flagged a malicious polymarket-copy-trading-bot doing the same private-key theft.
Why are copy-trading bots the perfect malware lure?
Because a copy-trading bot has a legitimate reason to touch your wallet. To mirror someone's trades into your account, real execution software needs the power to move your funds — so a "paste your private key to get started" prompt doesn't read as an attack, it reads as setup. That is the specific normalcy the attackers are renting.
Custody is the real risk in copy trading even when the bot is honest: in January 2026 the Polycule bot lost about $230,000 because it held users' keys on its own server. A malicious bot skips the breach entirely and just takes them. The one category of tool where surrendering keys feels routine is exactly the category being cloned.
Can you trust a repo with thousands of stars?
No — and the dev-protocol case is the reason. Every signal a hurried developer uses as a proxy for "this is safe" was present, and each one proved nothing.
| Surface signal | What it actually proves |
|---|---|
| Verified org badge | Nothing about who controls the account today — this one was hijacked |
| Thousands of stars and forks | Nothing — star counts are cheap to inflate with bot accounts |
| Polished README and screenshots | Nothing about the dependencies that run on install |
| Calls the real Polymarket API | Nothing — a working bot is the cover, not a clearance |
Popularity and polish are marketing, not provenance. A repo can sit at the top of your search results precisely because someone paid to put it there.
What should you check before running any bot?
Treat the bot's own code as a suspect, not just the wallet you plan to copy. Run this before you install anything:
- Trace the repo's provenance, not its stars. Read the account's real history — commit timeline, issues, whether the trading code fits the org's other projects — instead of trusting a star count or a verified badge. A trading feature that "just appeared" on an old, unrelated account is a red flag, not a credential.
- Never paste a private key or seed phrase into a prompt. Ever. No legitimate setup asks you to type a raw private key into a CLI, and "it stays encrypted" is close to the exact line researchers found in these installers. If a bot needs signing power, it should use a scoped, revocable permission — not your keys.
- Read what runs on install. These attacks fire from
postinstallhooks and imported dependencies, before you ever "use" the bot. Install in a throwaway VM or container first, and scan the dependency list for typosquatted package names. - Copy from a dedicated, minimally-funded wallet. Never point any bot at your main wallet. Fund a separate address with only what you're willing to lose, so a compromise is capped at that balance — the pre-automation checklist walks it in order.
- Prefer non-custodial, least-privilege execution. Choose a bot on custody and permissions, not latency and fees. One that never holds your keys can't leak them, and a scoped allowance can be revoked the moment something looks wrong.
The deeper rule: analysis is not execution
The through-line of every one of these incidents is that the tool making the decision got bundled with the tool holding the keys. Those are different jobs. Deciding who is worth copying is analysis; mirroring their trades is execution — and only the second one ever needs to touch your money. Keep them separate and a compromised bot can't cost you more than the wallet you scoped to it.
That separation is the entire design of CopyGrade. It scores and vets wallets and never executes a trade, holds a balance, or touches a key — the Copy Score and per-wallet verdict are a research opinion you read before you point any execution bot at anything. We can't be the thing that drains your wallet, because we never had access to it — and neither should the layer that picks your target.
CopyGrade is analysis-only — it never executes trades, holds funds, or custodies keys, and a Copy Score is a documented research opinion, not financial advice.