Fake GitHub Projects Used to Steal Crypto – Kaspersky

Kaspersky reveals "GitVenom," a campaign that uses fake, malware-infected GitHub repositories to steal crypto, including 5 Bitcoin ($442k) taken from one victim.

Kaspersky reports that hackers are setting up fake GitHub projects to steal crypto from users.  

According to Kaspersky, hackers stole 5 Bitcoin—valued at roughly $442,000—from at least one individual through a malware-infected fake project last November.  

A cybersecurity report from Kaspersky reveals that hackers are flooding GitHub with fake projects to deceive users into installing credential- and crypto-stealing malware.  

In a Feb. 24 report, Kaspersky’s Georgy Kucherin stated that the GitVenom malware campaign involves hackers uploading fake repositories loaded with remote access trojans (RATs), clipboard hijackers, and data-stealing malware.

Hackers included a Bitcoin wallet management bot for Telegram and a tool that automates Instagram interactions among their fake projects.  

The malware developers “went to great lengths to enhance the legitimacy of their projects by adding well-designed guides and documentation, which they may have created using AI,” Kucherin stated.

They faked project activity by inflating the number of commits and referencing supposed updates, giving the impression of regular development.  

“To do that, they placed a timestamp file in these repositories, which was updated every few minutes.”

“Clearly, in designing these fake projects, the actors went to great lengths to make the repositories appear legitimate to potential targets,” Kucherin said in the report.
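One way a defender could check a cloned repository for the commit inflation described above, as an added example that is not from Kaspersky's report: it parses `git log --format=@%ct --name-only` output and flags a history dominated by frequent commits that touch a single file. The sample log, the file name `timestamp.txt` and the thresholds are constructed assumptions.

```python
import statistics
from collections import Counter

def parse_log(text):
    """Parse `git log --format=@%ct --name-only` output into (unix_time, [paths])."""
    commits = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue  # blank separators between the header line and the file list
        if line.startswith("@") and line[1:].isdigit():
            commits.append((int(line[1:]), []))  # new commit header
        elif commits:
            commits[-1][1].append(line)  # path changed by the current commit
    return commits

def inflation_report(commits, min_share=0.8, max_gap_s=900):
    """Flag histories where most commits touch only one file at short intervals.

    min_share and max_gap_s are assumed thresholds, not values from the report.
    """
    solo = Counter(paths[0] for _, paths in commits if len(paths) == 1)
    if not solo:
        return {"suspicious": False, "file": None, "share": 0.0, "median_gap_s": None}
    path, count = solo.most_common(1)[0]
    times = sorted(ts for ts, paths in commits if paths == [path])
    gaps = [b - a for a, b in zip(times, times[1:])]
    median_gap = statistics.median(gaps) if gaps else None
    share = count / len(commits)
    suspicious = (share >= min_share and median_gap is not None
                  and median_gap <= max_gap_s)
    return {"suspicious": suspicious, "file": path,
            "share": share, "median_gap_s": median_gap}

# Constructed sample: two ordinary commits, then 18 commits five minutes apart
# that change only a hypothetical timestamp.txt.
SAMPLE = (
    "@1700000000\n\nREADME.md\nmain.py\n"
    "@1700000300\n\nmain.py\nutils.py\n"
    + "".join(f"@{1700000600 + 300 * i}\n\ntimestamp.txt\n" for i in range(18))
)

if __name__ == "__main__":
    print(inflation_report(parse_log(SAMPLE)))
```

A high share of single-file commits is a reason to read the code more closely, not proof of malice; automated changelog or data-refresh jobs in legitimate projects can look similar.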

The functionalities outlined in the instruction and explainer files did not exist; Kaspersky noted that the projects mostly carried out meaningless operations.

Some of the deceptive projects have remained active for over two years, reinforcing the idea that the infection method is highly efficient, as hackers have consistently attracted victims.  

Kucherin noted that while these fake projects may look different, they all contain “malicious payloads that deploy an info stealer, which siphons credentials, crypto wallet data, and browsing history before transmitting the stolen information to hackers through Telegram.”

One of the malware’s additional components, a clipboard hijacker, targets cryptocurrency wallet addresses and swaps them with those under the attackers’ control.  

Kucherin revealed that in November, hackers used these malicious programs to steal 5 Bitcoin—worth approximately $442,000—by transferring the funds to a wallet they operated.  

Although GitVenom infections have appeared worldwide, Kaspersky states that hackers particularly focus on users in Russia, Brazil, and Turkey.  

Since developers worldwide frequently use code-sharing services like GitHub, Kucherin believes hackers will continue using deceptive software to infect victims.  

He advised developers to thoroughly check the operations of any external code before proceeding with a download.  

Kucherin warned that cybercriminals will likely keep publishing fake projects, though they may slightly modify their tactics, techniques, and procedures.

In October 2024, Kaspersky revealed that the Lazarus Group, a notorious North Korean cybercrime organization, took advantage of a flaw in Google Chrome. By creating a counterfeit NFT game, they set a trap aimed specifically at those involved in cryptocurrency.

Upon visiting the site, an invisible script activated a zero-day vulnerability in Chrome, furtively planting malware on users’ devices. This malicious software enabled the hackers to seize control of the victims’ computers, extracting valuable information such as cryptocurrency wallet details.
