Original Author: Frank, PANews
Recently, the most renowned open-source quantitative trading library in the cryptocurrency field, CCXT, has been exposed for hiding secrets in its core code: by hardcoding preset rebate IDs, the software quietly collects trading fee rebates that should belong to users without their knowledge.
This revelation is like a stone thrown into a lake, not only revealing another hidden business model under the open-source halo but also awakening countless developers and trading teams who rely on its "free" convenience to the fact that the foundation of trust may have already buried an expensive cost.
Over 36,000 Stars on Github, the Most Popular Open-Source Crypto Code
CCXT (CryptoCurrency eXchange Trading Library) is a widely popular open-source software library in the cryptocurrency trading field, whose core function is to provide developers, traders, and financial analysts with a unified interface to connect and operate numerous cryptocurrency exchanges worldwide. The CCXT project was initiated by Russian developer Igor Kroitor and can be traced back to 2016. The library supports multiple programming languages, including JavaScript, Python, PHP, C#, and Go, greatly expanding its applicability and adoption in different development environments.
By deploying the CCXT open-source tool, users can perform various cryptocurrency trading-related functions such as market analysis, indicator development, algorithmic trading, strategy backtesting, and order placement. It can be said that CCXT is akin to a simplified and free version of TradingView. As of now, CCXT supports over 100 cryptocurrency exchanges, including almost all major exchanges like Binance, OKX, Coinbase, Bybit, and Bitget, so trading needs on these venues can be met directly through CCXT.
This convenient open-source approach has also quickly made CCXT the most popular tool among professional teams engaged in quantitative and strategy trading. On GitHub, CCXT has over 36,000 stars, surpassing even QuantLib, the well-known open-source project in the financial field. According to a 2025 report by security company JFrog, CCXT's cumulative downloads on PyPI, the official Python package index, have exceeded 93 million. Such a massive download count reflects that there are thousands of quantitative traders and development teams using CCXT worldwide. In 2024, CCXT ranked 28th on GitHub and was selected as one of the most popular Python projects of 2024.
Hidden Commission Mechanism, Hardcoded Broker ID, Potentially Millions in Invisible Revenue
However, behind the widespread acclaim, CCXT runs a little-known business operation.
On May 27, blogger @sunlc_crypto disclosed on social media that while using the CCXT framework, he discovered significant anomalies in the rebate fees. Subsequently, he found that CCXT had added its own broker ID to the source code for multiple exchanges, meaning it had preset rebate accounts for these exchanges, so users who did not modify the settings unknowingly lost most of their rebate fees. CCXT claimed that it had lost about $15,000 in just two months from three exchanges: Hyperliquid, KuCoin, and Bybit. Based on this estimate, CCXT may have profited over ten million or even a hundred million dollars through this method.
PANews found through reviewing CCXT's open-source code that the Python adapters for several exchanges, including OKX, KuCoin, Hyperliquid, Bitget, and Binance, indeed contain default brokerId parameters.
Overall, CCXT has indeed preset default brokerId parameters in the adapters of multiple major exchanges, most of which exist in hardcoded form. When users place orders directly using CCXT without explicitly setting or modifying the relevant options, these default broker IDs will be sent along with the requests, attributing potential rebate fees to the accounts provided by CCXT. However, this point is not prominently highlighted in CCXT's official documentation.
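One way to check a library's Python adapters for the preset identifiers described above, as an added example that is not from the article or from CCXT's code: it walks the syntax tree and reports non-empty string literals stored under keys such as `brokerId`. The sample adapter, its placeholder values, and the key fragments other than `brokerId` are constructed assumptions.

```python
import ast
import re

# "brokerId" is the key the article reports; the other fragments are assumed
# naming variants added for wider coverage.
SUSPECT_KEY = re.compile(r"broker|partner|referr|affiliate", re.IGNORECASE)

# Constructed sample adapter (not real CCXT code); all values are placeholders.
SAMPLE_ADAPTER = '''
class exampleexchange:
    def describe(self):
        return {
            'options': {
                'brokerId': 'EXAMPLE-BROKER-0001',
                'partner': {'spot': {'id': 'EXAMPLE-PARTNER', 'key': ''}},
                'defaultType': 'spot',
            },
        }

    def create_order(self, symbol, amount):
        request = {'symbol': symbol, 'amount': amount}
        request['referrer'] = 'EXAMPLE-REF'
        return request
'''


def _strings(node, path=""):
    """Yield (path, value) for string literals in a constant or nested dict."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        yield path, node.value
    elif isinstance(node, ast.Dict):
        for k, v in zip(node.keys, node.values):
            if isinstance(k, ast.Constant):
                yield from _strings(v, f"{path}.{k.value}")


def find_hardcoded_ids(source):
    """Return sorted (line, key_path, value) for non-empty literals under suspect keys."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        pairs = []
        if isinstance(node, ast.Dict):
            pairs = zip(node.keys, node.values)
        elif isinstance(node, ast.Assign):  # request['brokerId'] = '...' (Python 3.9+ AST)
            pairs = [(t.slice, node.value) for t in node.targets if isinstance(t, ast.Subscript)]
        for key, value in pairs:
            if isinstance(key, ast.Constant) and isinstance(key.value, str) and SUSPECT_KEY.search(key.value):
                findings.update((key.lineno, key.value + p, s) for p, s in _strings(value) if s)
    return sorted(findings)
```

Running `find_hardcoded_ids` over each adapter file of an installed package after every upgrade turns a newly introduced default into a reviewable finding rather than a silent change.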
How much profit the CCXT team has actually gained through this method remains unknown, since most of the exchanges involved are centralized. PANews attempted to find the rebate address in the Hyperliquid source code, but because the specific address is not written in plain text in the code and is instead obtained through an internal interface, it was impossible to find the most direct proof.
From "Paid" to "Free," From "Optional Recommendation" to "Hidden Hardcoding" Business Model
Looking back at CCXT's development history, PANews found that this operation may have originated as early as 2018. The early version of CCXT had a Pro subscription service starting at $29 per month. Later, CCXT completely transitioned to free, and in 2018, a user suggested on GitHub adding an optional referral ID to support CCXT. The main maintainer, kroitor, welcomed this and added the code in an update. However, the original suggestion was mainly aimed at referral registration rewards and left users the choice of whether or not to fill in CCXT's ID.
But this seems to have become the starting point for CCXT's profit. Later, the main maintainer clearly added this logic to the code of most major exchanges, and due to the secretive coding style, most users find it difficult to detect. As of now, apart from @sunlc_crypto raising concerns as a whistleblower, there has been almost no discussion about this code design online.
Of course, CCXT seems to have anticipated that this phenomenon would eventually be exposed, so in CCXT's disclaimer, there is a statement: "API proxy means that CCXT's funds come from rebates from the exchange's API proxy program, and it is the official API proxy for many exchanges," which essentially subtly informs users of this profit method.
When @sunlc_crypto raised this issue to the community, he received support from many users. However, there were also many doubts in the comments section, with some questioning that as a strong quantitative trader, one should not care about these rebate fees. Others stated that since it is open-source code, failing to discover and modify these settings during use is their own problem, and CCXT is not at fault. However, considering the widespread adoption of CCXT and its highly regarded reputation, this hidden coding "thoughtfulness" indeed violates the trust the community has in it.
After the incident was exposed, PANews noticed that CCXT's code still maintained a daily update frequency, but as of May 29, there had been no modifications to the hidden hardcoded brokerId code raised by the community. CCXT's official account has not responded to this matter on social media or GitHub.
Of course, compared to some open-source projects that hide backdoors and directly threaten users' capital safety, CCXT's default rebate collection is not even a bug; it can only be said that the developers have some "thoughtfulness" in their design. However, this seemingly trivial thoughtfulness may bring in more profit than clearly priced subscription fees. For users, on one hand, current AI programming tools are becoming increasingly powerful, not only capable of quickly detecting such "malicious" designs but also able to help build completely independent trading code from scratch. On the other hand, overly trusting a well-known "free" open-source library may result in paying a higher cost than ordinary subscription fees. Users who want to safeguard their trading rebate rights still need to set the relevant initialization parameters explicitly before using similar code libraries.
This incident ultimately serves as a wake-up call for all users: in the cryptocurrency field, which is full of competition, maintaining necessary scrutiny and vigilance towards any "free lunch," and carefully checking every line of "trusted" code may be the most fundamental and critical line of defense to protect one's rights—because sometimes, the most expensive cost is precisely hidden beneath the facade of "free." Trust should ultimately not be so easily coded into profit.