It happened - as he tells me - via a private GitHub repository where he puts the source code of his app. He made a dumb mistake of using his private key for the wallet inside the code more than one week ago, and thus, the private key was uploaded to the repository.
He noticed it at first, but he didn't react immediately because he thought that the repository is private, so no instant harm would happen since no one else has access to the repository but him.
A few days later, his central crypto wallet for the platform was hacked, and the $300k was stolen. The hacker moved the money from the wallet to 3 separate wallets on Binance. A big amount of TRX is staked in the wallet; the attacker changed the owner permission and locked him out of the wallet, then he unstaked the TRX, which will be unfrozen after 14 days.
My friend contacted Binance and asked them to freeze the hacker's wallets, but they refused, saying that they only accept official legal requests from the country. Since this is a 3rd-world country with no such communication channel established, nothing has been done to stop the hacker so far. The country does not have a cybercrime department, and officials said they can't do anything at all.
My friend says the hack happened either:
- via Claude Code, since he was using the service to edit his files.
- via an internal GitHub staff member who might have access to the private repo.
He assures me no 3rd-party apps and no cracked accounts were responsible for what happened.
Publishing for tips and advice on what we can do, and using a throwaway account for obvious reasons.