Crypto Quant Tool CCXT Embroiled in "Code Commission" Scandal, Hidden Commission Business Behind Free Facade
TechFlow Selected TechFlow Selected
Crypto Quant Tool CCXT Embroiled in "Code Commission" Scandal, Hidden Commission Business Behind Free Facade
Sometimes, the most expensive cost is precisely hidden beneath the facade of "free."
Navigating Web3 tides with focused insightsAuthor: Frank, PANews
Recently, CCXT, the most renowned open-source quantitative trading library in the cryptocurrency space, was exposed for hiding a secret mechanism within its core code: by hardcoding preset referral IDs, the software quietly captures exchange fee rebates that should belong to users, all without their knowledge.
This revelation sent ripples through the community, exposing not only a hidden business model lurking beneath the open-source halo but also startling countless developers and trading teams who relied on its "free" convenience—revealing that the foundation of trust may have long been underpinned by costly hidden fees.
Over 36,000 stars on GitHub: The most widely adopted open-source crypto code
CCXT (CryptoCurrency eXchange Trading Library) is a popular open-source software library in the cryptocurrency trading domain. Its core function is to provide developers, traders, and financial analysts with a unified interface to connect and operate across numerous global cryptocurrency exchanges. Initiated by Russian developer Igor Kroitor and first launched in 2016, the library supports multiple programming languages including JavaScript, Python, PHP, C#, and Go, greatly expanding its applicability and adoption across different development environments.
By deploying CCXT's open-source tools, users can develop various cryptocurrency trading-related functions such as market analysis, indicator development, algorithmic trading, strategy backtesting, and order execution. In essence, CCXT serves as a simplified, free version of TradingView. To date, CCXT supports over 100 cryptocurrency exchanges, including nearly all major platforms like Binance, OKX, Coinbase, Bybit, and Bitget, enabling direct integration to meet trading needs.
This convenient open-source approach has rapidly made CCXT the most widely used tool among quantitative and algorithmic trading teams. On GitHub, CCXT boasts over 36,000 stars—more than QuantLib, a well-known open-source project in finance. According to a 2025 report by security firm JFrog, CCXT’s cumulative downloads on Python’s official package manager PyPI have exceeded 93 million. Such massive download numbers reflect that tens of thousands of quantitative traders and development teams worldwide are actively using CCXT. In 2024, CCXT ranked 28th on GitHub and was selected as one of the most popular Python projects of the year.
A hidden commission mechanism: Hardcoded Broker IDs yielding millions in invisible revenue
Yet behind this widespread acclaim lies a little-known business tactic.
On May 27, social media user @sunlc_crypto revealed that while using the CCXT framework, they noticed significant anomalies in rebate fees. Further investigation into CCXT’s source code for multiple exchanges uncovered that CCXT had embedded its own broker ID—pre-setting rebate accounts so that unless users were aware and manually changed them, most of their fee rebates would be siphoned off. The user claimed that about $15,000 in rebates had been taken from them over two months via CCXT on Hyperliquid, Kucoin, and Bybit alone. Extrapolating from this, CCXT could have already earned tens or even hundreds of millions of dollars in rebates through this method.
PANews reviewed CCXT’s open-source code and confirmed that default brokerId parameters are indeed present in the Python adapters for multiple exchanges including OKX, KuCoin, Hyperliquid, Bitget, and Binance.
Overall, CCXT does pre-configure default brokerId parameters across adapters for many major exchanges, mostly implemented via hardcoding. When users place orders directly through CCXT without explicitly setting or modifying these options, the default broker IDs are automatically included in requests, directing potential fee rebates to accounts controlled by CCXT. However, this practice is not prominently disclosed in CCXT’s official documentation.
The exact amount of revenue CCXT has generated through this method remains unknown, particularly since most involved exchanges are centralized. PANews attempted to locate the rebate address within Hyperliquid’s source code but failed to find direct evidence, as the specific address is not stored in plaintext but accessed via internal interfaces.
From “paid” to “free,” from “optional referral” to “hidden hardcoding”: A business evolution
Reviewing CCXT’s development history, PANews found that this practice may date back to 2018. Early versions of CCXT offered a Pro subscription service starting at $29 per month. Later, CCXT transitioned entirely to free access. In 2018, a GitHub user suggested adding an optional referral ID system to support CCXT’s maintenance. Lead maintainer kroitor welcomed the idea and incorporated such code updates. However, according to the original proposal, this was intended solely for referral sign-up bonuses and meant to be an optional field where users could choose whether or not to credit CCXT.
Nonetheless, this appears to have marked the beginning of CCXT’s monetization strategy. Over time, the lead maintainer clearly expanded this logic into the codebases of most major exchanges. Given the discreet implementation, most users remained unaware. To date, aside from whistleblower @sunlc_crypto raising concerns, there has been almost no public discussion online regarding this coding design.
Of course, CCXT seems to have anticipated eventual exposure. In its disclaimer, the project states: "API agent means CCXT receives rebates from exchanges' API agent programs and is an official API agent for many exchanges." This effectively serves as a subtle disclosure of its revenue model to users.
When @sunlc_crypto raised the issue within the community, they received considerable support. Yet, numerous critical comments also emerged—some questioning how a skilled quant trader could care about such minor rebates, while others argued that since it’s open-source code, failing to detect and modify these settings is the user’s own responsibility, implying CCXT bears no fault. Nevertheless, given CCXT’s widespread adoption and high-profile reputation, this covert coding “trick” clearly violates the trust placed in it by the community.
After the incident came to light, PANews observed that CCXT continued updating its code daily. However, as of May 29, no changes had been made to address the community’s concerns about the hidden hardcoded brokerId. Neither the official CCXT team nor its representatives responded to the matter on social media or GitHub.
Certainly, compared to some open-source projects that embed backdoors posing direct threats to user funds, CCXT’s default rebate collection isn’t even a bug—it’s merely a developer’s subtle “design choice.” Yet, this seemingly insignificant tweak might generate far more profit than straightforward subscription fees. For users, on one hand, increasingly powerful AI programming tools today can not only quickly detect such malicious designs but also enable building fully independent trading code from scratch. On the other hand, blindly trusting famous “free” open-source libraries may end up costing more than standard subscription models. To safeguard their rebate rights, users must perform proper initialization and parameter checks before adopting similar codebases.
This incident ultimately serves as a wake-up call to all users: in the highly competitive world of cryptocurrency, maintaining necessary scrutiny and caution toward any “free lunch,” and carefully reviewing every line of supposedly “trusted” code, may be the most fundamental and critical defense for protecting one’s interests—because sometimes, the most expensive costs are precisely those hidden beneath the surface of “free.” Trust should never be so easily encoded into profit.
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News
PANews
