CCXT is caught in a code commission scandal: a secret business worth tens of millions of dollars behind 36,000 star labels

The most expensive cost is hidden beneath the appearance of free.

Original author: Frank, PANews

Recently, CCXT, the most prestigious open source quantitative trading library in the cryptocurrency field, was revealed to have a secret hidden in its core code: by hard-coding a preset rebate ID, the software quietly pocketed the exchange fee rebate that should have belonged to the user, without the users' knowledge.

This revelation is like throwing a stone into a lake. It not only reveals another hidden business model under the halo of open source, but also makes countless developers and trading teams who rely on its free convenience realize that a high price may have been buried under the cornerstone of trust.

Over 36,000 stars on GitHub, making it the most popular open source crypto code

CCXT (CryptoCurrency eXchange Trading Library) is a popular open source software library in the field of cryptocurrency trading. Its core function is to provide a unified interface for developers, traders and financial analysts to connect and operate many cryptocurrency exchanges around the world. The CCXT project was initiated by Russian developer Igor Kroitor as early as 2016. The library supports multiple programming languages, including JavaScript, Python, PHP, C# and Go, which greatly broadens its applicability and adoption in different development environments.

By deploying the open source CCXT tools, users can develop a variety of functions related to cryptocurrency trading, such as market analysis, indicator development, algorithmic trading, strategy backtesting, and order placement. It can be said that CCXT is equivalent to a simplified and free version of TradingView. As of now, CCXT supports more than 100 cryptocurrency exchanges, including Binance, OKX, Coinbase, Bybit, and Bitget, so trading on almost all mainstream exchanges can be handled by connecting directly through CCXT.

This convenient open source approach has also quickly made CCXT the most popular tool for professional teams engaged in quantitative and strategy trading. On GitHub, CCXT has more than 36,000 stars, more than QuantLib, a well-known open source project in the financial field. According to a 2025 report by security company JFrog, CCXT has accumulated more than 93 million downloads on Python's official package manager PyPI. Such a large number of downloads reflects that there are thousands of quantitative traders and development teams using CCXT around the world. In 2024, CCXT ranked 28th on GitHub and was selected as the most popular Python project in 2024.

Secret commission mechanism, hard-coded Broker ID, or tens of millions of dollars in hidden profits

But behind the widespread acclaim, CCXT has some unknown business secrets.

On May 27, the blogger @sunlc_crypto reported on social media that he had noticed abnormal commission fees when using the CCXT framework. He later found, in the source code for multiple exchanges in CCXT, that CCXT had added its own broker ID, which means that the commission accounts for these exchanges were preset. If users are unaware of this and do not modify them, most of the commission fees will be deducted. CCXT said that about $15,000 was stolen from three exchanges including Hyperliquid, KuCoin, and Bybit in two months. Based on this estimate, CCXT may have earned more than 10 million or even hundreds of millions of dollars in commissions in this way.

PANews found through reviewing CCXT's open source code that the Python adapters of multiple exchanges including OKX, KuCoin, Hyperliquid, Bitget, Binance, etc. do include a default brokerId.

In general, CCXT does preset default brokerId parameters in the adapters of multiple mainstream exchanges, most of which are hard-coded. When users place orders directly using CCXT and do not explicitly set or modify related options, these default broker IDs will be sent along with the request, and the potential commission rebate will be attributed to the account provided by CCXT. However, this point is not highlighted in the official description of CCXT.
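One way to check a dependency's source for this kind of preset identifier without importing or running it, as an added example that is not code from the article or from CCXT. The function names, the key-name pattern beyond `brokerId`, and the sample adapter are assumptions constructed for illustration.

```python
import ast
import re

# Heuristic key names for attribution identifiers. "brokerId" is the name the
# article reports; the other alternatives are assumptions for illustration.
ATTRIBUTION_KEY = re.compile(r"broker|partner|referr|affiliate", re.IGNORECASE)


def _string_leaves(node, path):
    """Yield (lineno, dotted path, value) for each non-empty string under node."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        if node.value:
            yield node.lineno, path, node.value
    elif isinstance(node, ast.Dict):
        for key, value in zip(node.keys, node.values):
            if isinstance(key, ast.Constant) and isinstance(key.value, str):
                yield from _string_leaves(value, f"{path}.{key.value}")


def find_hardcoded_ids(source):
    """Return sorted findings for dict keys that look like attribution IDs."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Dict):
            continue
        for key, value in zip(node.keys, node.values):
            if (isinstance(key, ast.Constant) and isinstance(key.value, str)
                    and ATTRIBUTION_KEY.search(key.value)):
                findings.update(_string_leaves(value, key.value))
    return sorted(findings)


# Constructed sample, not real CCXT code: a made-up adapter with default options.
SAMPLE_ADAPTER = '''
class exampleexchange:
    def describe(self):
        return {
            "id": "exampleexchange",
            "options": {
                "brokerId": "EXAMPLE-BROKER-0001",
                "partner": {"spot": {"id": "example-partner", "key": ""}},
                "defaultType": "spot",
            },
        }
'''

if __name__ == "__main__":
    for lineno, path, value in find_hardcoded_ids(SAMPLE_ADAPTER):
        print(f"line {lineno}: {path} = {value!r}")
```

To audit an installed library, pass the text of each adapter file to `find_hardcoded_ids` and review every finding by hand, since the key-name pattern is only a heuristic.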

It is still unknown how much the CCXT team has gained in this way; after all, most of the exchanges involved are centralized. PANews tried to find the rebate address from Hyperliquid's source code, but because the specific address is not written in the code and an internal interface is used instead, it is impossible to find the most direct proof.

From paid to free, from optional referral to hidden hard-coded business secret

Looking through the development history of CCXT, PANews found that this operation may have originated as early as 2018. Early on, CCXT had a Pro subscription service starting at $29 per month. Later, CCXT became completely free. In 2018, a user proposed on GitHub to add an optional referral ID to support CCXT. The main maintainer kroitor welcomed this and added the code in an update. However, judging from the initiator's suggestion, it was mainly aimed at rewards for referral registration, and it gave users the option of choosing whether or not to fill in CCXT.

But this seems to be the starting point for CCXT to make a profit. Later, the main maintainers evidently added this logic to the code for most mainstream exchanges. In addition, it is written in a secretive way, which makes it difficult for most users to find. So far, except for @sunlc_crypto, who raised questions as a whistleblower, there is almost no discussion on the Internet about this code design.

Of course, CCXT seems to have anticipated that this phenomenon would be exposed sooner or later, so CCXT's disclaimer contains a sentence on this: "API agent" means that CCXT's funds come from rebates from the exchanges' API agent programs, and that it is the official API agent of many exchanges, which is in effect an implicit way of informing users of how it makes its profit.

When @sunlc_crypto raised this question to the community, he received support from many users. However, there were also a lot of doubts in the comment section. Some people argued that, as a strong quantitative trader, he should not care about these commission rebates. Others said that since it is open source code, it is the users' own fault for not discovering these settings and changing them, and that CCXT has done nothing wrong. However, considering how widely CCXT is adopted and how closely watched its reputation is, this secret little coding trick does violate the community's trust in it.

After the incident was exposed, PANews noticed that the CCXT code was still updated every day, but as of May 29, the secretly hard-coded brokerId code raised by the community had not been modified. CCXT officials also did not respond to the incident on social media or GitHub.

Of course, compared with some open source projects that have hidden backdoors and directly threaten the safety of users' principal, CCXT's default rebate collection is not even a bug; it can only be said that the developer slipped some self-interest into the design. However, this seemingly insignificant detail may make more profit than other clearly marked subscription charges. For users, on the one hand, current AI programming tools are becoming more and more powerful: they can not only quickly detect designs with such ulterior motives, but also support writing completely independent trading code from scratch. On the other hand, over-trusting a free open source library with a good reputation may result in fees higher than an ordinary subscription. If you want to protect your right to your trading rebates, you still need to set the initialization parameters explicitly before adopting similar code libraries.

This incident finally sounded a wake-up call to all users: in the field of cryptocurrency, which is full of games, it is necessary to maintain scrutiny and vigilance toward any free lunch and to carefully check every line of trusted code. This may be the most basic and critical line of defense for protecting one's own rights and interests - because sometimes, the most expensive cost is hidden under the appearance of free. Trust, after all, should not be so easily encoded into profit.
