Author: Frank, PANews
Recently, CCXT, the most prestigious open-source quantitative trading library in the cryptocurrency field, was revealed to have a secret in its core code: by hard-coding a preset rebate ID, the software quietly pocketed exchange fee rebates that should have belonged to users, without their knowledge.
This revelation is like throwing a stone into a lake. It not only reveals another hidden business model under the halo of open source, but also makes countless developers and trading teams who rely on its "free" convenience realize that a high price may have been buried under the cornerstone of trust.
Over 36,000 stars on GitHub: the most popular open-source crypto code
CCXT (CryptoCurrency eXchange Trading Library) is a popular open source software library in the field of cryptocurrency trading. Its core function is to provide a unified interface for developers, traders and financial analysts to connect and operate many cryptocurrency exchanges around the world. The CCXT project was initiated by Russian developer Igor Kroitor as early as 2016. The library supports multiple programming languages, including JavaScript, Python, PHP, C# and Go, which greatly broadens its applicability and adoption in different development environments.
By deploying the open-source CCXT tools, users can develop a variety of functions related to cryptocurrency trading, such as market analysis, indicator development, algorithmic trading, strategy backtesting, and order placement. It can be said that CCXT is equivalent to a simplified and free version of TradingView. As of now, CCXT supports more than 100 cryptocurrency exchanges, including Binance, OKX, Coinbase, Bybit and Bitget; almost all mainstream exchanges can be accessed directly through CCXT to meet trading needs.
This convenient open-source approach quickly made CCXT the most popular tool among professional trading teams, such as those doing quantitative and strategy trading. On GitHub, CCXT has more than 36,000 stars, more than QuantLib, a well-known open-source project in the financial field. According to a 2025 report by security company JFrog, cumulative downloads of CCXT on PyPI, Python's official package repository, have exceeded 93 million. Such a large number of downloads reflects that there are thousands of quantitative traders and development teams using CCXT around the world. In 2024, CCXT ranked 28th on GitHub and was selected as the most popular Python project in 2024.
A secret commission mechanism: hard-coded broker IDs, possibly tens of millions of dollars in hidden profits
But behind the widespread acclaim, CCXT has some little-known business secrets.
On May 27, blogger @sunlc_crypto revealed on social media that he had found the rebate commissions to be very abnormal when using the CCXT framework. He later found, in CCXT's source code for multiple exchanges, that CCXT had added its own broker ID. This means the rebate accounts for these exchanges were preset, so most of the rebate is taken away if the user is unaware of this and does not modify it. CCXT claimed that about $15,000 was stolen from three exchanges including Hyperliquid, KuCoin, and Bybit in two months. Based on this estimate, CCXT may have earned more than 10 million or even hundreds of millions of dollars in rebates in this way.
PANews found through reviewing CCXT's open source code that the Python adapters of multiple exchanges including OKX, KuCoin, Hyperliquid, Bitget, Binance, etc. do include a default brokerId.
In general, CCXT does preset default brokerId parameters in the adapters of multiple mainstream exchanges, most of which are hard-coded. When users place orders directly using CCXT and do not explicitly set or modify related options, these default broker IDs will be sent along with the request, and the potential commission rebate will be attributed to the account provided by CCXT. However, this point is not highlighted in the official description of CCXT.
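The check a user would run before trading, as an added example (not code from CCXT or from PANews): walk an adapter's nested default options and report every non-empty ID stored under a broker-style key. Only the key name `brokerId` comes from the article; the other key fragments, the adapter names and the ID values are assumptions or constructed placeholders.

```python
import re

# Key-name fragments that suggest a rebate/affiliate tag. Only "brokerId" comes
# from the article; the other fragments are assumptions to widen the search.
SUSPECT_KEY = re.compile(r"broker|partner|referr|affiliate", re.IGNORECASE)


def find_preset_rebate_ids(options, path=""):
    """Walk a nested options dict and return [(dotted_path, value)] for every
    non-empty string stored under a suspect key, at any depth below that key."""
    hits = []
    for key, value in options.items():
        here = f"{path}.{key}" if path else str(key)
        if SUSPECT_KEY.search(str(key)):
            hits.extend(_leaves(value, here))
        elif isinstance(value, dict):
            hits.extend(find_preset_rebate_ids(value, here))
    return hits


def _leaves(value, path):
    """Flatten a value found under a suspect key into (path, string) pairs."""
    if isinstance(value, dict):
        out = []
        for k, v in value.items():
            out.extend(_leaves(v, f"{path}.{k}"))
        return out
    if isinstance(value, str) and value:
        return [(path, value)]
    return []


def audit(adapters):
    """Map adapter name -> findings, omitting adapters with nothing preset."""
    report = {name: find_preset_rebate_ids(opts) for name, opts in adapters.items()}
    return {name: hits for name, hits in report.items() if hits}


# Constructed sample: option dicts shaped like an exchange adapter's defaults.
# Adapter names and ID values are placeholders, not taken from CCXT.
SAMPLE_ADAPTERS = {
    "exchange_a": {"defaultType": "spot", "brokerId": "PLACEHOLDER-A"},
    "exchange_b": {"broker": {"spot": "PLACEHOLDER-B1", "swap": "PLACEHOLDER-B2"}},
    "exchange_c": {"timeout": 10000, "brokerId": ""},  # user cleared it
    "exchange_d": {"fetchMarkets": {"types": ["spot"]}},
}

if __name__ == "__main__":
    for name, hits in audit(SAMPLE_ADAPTERS).items():
        for where, value in hits:
            print(f"{name}: {where} = {value!r}")
```

This only covers defaults kept in an options dictionary; an ID written directly into a request-building method will not appear there and has to be found by searching the adapter source.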
It is still unknown how much the CCXT team has gained in this way; after all, most of them are centralized exchanges. PANews tried to find the rebate address in Hyperliquid's source code, but because the specific address is not written in the code and an internal interface is used instead, the most direct proof could not be found.
From "paid" to "free", from "optional referral" to "hidden hard-coding": the business secrets
Looking through the development history of CCXT, PANews found that this practice may have originated as early as 2018. In the early days, CCXT had a Pro subscription service, starting at $29 per month. Later, CCXT became completely free. In 2018, a user proposed on GitHub to add an optional referral ID to support CCXT. The main maintainer, kroitor, welcomed this and added the code in an update. However, judging from the proposer's wording, the suggestion was mainly about rewards for referral registration, and it was meant to be optional: users could choose whether or not to fill in CCXT.
But this seems to be the starting point for CCXT to make a profit. Later, the main maintainer evidently added this logic to the code for most mainstream exchanges. In addition, the way it is written is secretive, which makes it difficult for most users to find. So far, apart from @sunlc_crypto, who raised questions as a whistleblower, there has been almost no discussion on the Internet about this code design.
Of course, CCXT seems to have anticipated that this phenomenon would be exposed sooner or later, so in CCXT's disclaimer, there is a sentence: "API agent means that CCXT's funds come from rebates from the exchange's API agent program, and it is the official API agent of many exchanges", which is actually equivalent to implicitly informing users of this way of profit.
When @sunlc_crypto raised this question with the community, he received support from many users. However, there were also a lot of doubts in the comment area. Some people argued that, as a strong quantitative trader, he should not care about these commission rebates. Others said that since the code is open source, it is the user's own fault for not discovering these settings and changing them, and that CCXT has done nothing wrong. However, considering how widely CCXT is adopted and how closely watched its reputation is, this secret coding "little trick" does violate the community's trust in it.
After the incident was exposed, PANews noticed that the CCXT code was still updated every day, but as of May 29, the secretly hard-coded brokerId code raised by the community had not been modified. CCXT officials did not respond to the incident on social media or GitHub.
Of course, compared with some open-source projects that have hidden backdoors and directly threaten the safety of users' principal, CCXT's default rebate collection is not even a bug; it can only be said that the developer had some "little thoughts" in the design. However, this seemingly insignificant little thought may bring in more profit than clearly marked subscription charges would. For users, on the one hand, current AI programming tools are becoming increasingly powerful: they can not only quickly detect such "ulterior motive" designs, but also support building completely autonomous trading code from scratch. On the other hand, excessive trust in a "free" open-source library with a good reputation may end up costing more than ordinary subscription fees. If you want to protect your trading rebate rights, you still need to initialize the parameters before using similar code libraries.
This incident finally sounded a wake-up call to all users: in the field of cryptocurrency, which is full of games, it is necessary to maintain necessary scrutiny and vigilance against any "free lunch" and carefully check every line of "trust" code. This may be the most basic and critical line of defense to protect one's own rights and interests - because sometimes, the most expensive cost is hidden under the appearance of "free". Trust, after all, should not be so easily encoded into profit.