Cybercriminals Exploit Fake Github Projects To Steal Bitcoin

Cybercriminals are leveraging counterfeit GitHub repositories to distribute malware, resulting in the theft of approximately $485,000 in Bitcoin, according to cybersecurity firm Kaspersky. The malicious campaign, dubbed“GitVenom,” has been active for at least two years and primarily targets developers and cryptocurrency enthusiasts.

Kaspersky's Global Research and Analysis Team identified over 200 deceptive repositories on GitHub. These repositories masquerade as legitimate projects, such as automation tools for Instagram, Telegram bots for managing Bitcoin wallets, and software for popular games like Valorant. However, instead of providing the advertised functionalities, these projects are embedded with multistage malware designed to steal personal and financial data.

The GitVenom campaign employs a variety of programming languages, including Python, JavaScript, C, C++, and C#. The malicious code is strategically placed within the projects, often concealed within seemingly benign files. Once executed, the malware can hijack clipboard contents to replace cryptocurrency wallet addresses, enabling the redirection of funds to the attackers' wallets. Additionally, it can exfiltrate sensitive information, such as login credentials and personal data, from the victim's system.

One notable incident involved a developer who downloaded a purported Telegram bot from GitHub to manage Bitcoin transactions. Unbeknownst to the developer, the bot contained malicious code that intercepted and altered wallet addresses during transactions. This led to the loss of over 5 Bitcoins, equivalent to approximately $485,000 at the time of the theft.

The geographical distribution of the attacks indicates a global reach, with the highest number of incidents reported in Brazil, Turkey, and Russia. The widespread nature of the campaign underscores the importance of vigilance among developers and cryptocurrency users worldwide.

Kaspersky's analysis reveals that the threat actors behind GitVenom meticulously craft their repositories to appear authentic. They include detailed README files, comprehensive documentation, and even AI-generated activity logs to enhance credibility. This level of sophistication makes it challenging for users to distinguish between legitimate and malicious projects.

The cybersecurity community has raised concerns about the ease with which malicious actors can upload and distribute harmful code on open-source platforms like GitHub. While these platforms are invaluable resources for developers, they also present opportunities for exploitation. Experts advocate for enhanced security measures, including stricter verification processes for contributors and automated scanning for malicious code, to mitigate such risks.

In response to the GitVenom campaign, GitHub has been notified of the malicious repositories and is actively working to remove them. However, the dynamic nature of the threat necessitates continuous monitoring and prompt action to prevent further incidents.

MENAFN27022025000152002308ID1109255863