Key Takeaways:
- Hackers flood GitHub with fake projects using AI-generated documentation to distribute malware that steals crypto and credentials.
- Victim lost 5 BTC ($442K) to “GitVenom” malware, which includes info-stealers and clipboard hijackers targeting crypto wallets.
- Campaign mainly targets Russia, Brazil, and Turkey, with ongoing threats expected as cybercriminals refine their tactics.
Cybersecurity firm Kaspersky has warned that hackers are using fake GitHub projects to distribute malware that steals cryptocurrency and login credentials.
In a report on February 24, Kaspersky analyst Georgy Kucherin detailed a campaign called “GitVenom,” in which cybercriminals create deceptive GitHub repositories hosting remote access trojans (RATs), info-stealers, and clipboard hijackers.
GitHub Malware Alert ⚠️
Our Global Research & Analysis Team (GReAT) uncovered GitVenom—a stealthy, multi-stage #malware campaign exploiting open-source code. Infected repositories targeted #gamers and #crypto investors, hijacking wallets and siphoning $485,000 in #Bitcoin.
Get…
— Kaspersky (@kaspersky) February 26, 2025
To appear legitimate, hackers design convincing documentation, often generated with AI, and simulate project activity with frequent code updates.
Some fake repositories mimic tools like a Telegram bot for Bitcoin wallet management or an Instagram automation tool.
However, these projects do not function as described and instead deploy malware once installed.
The malicious software extracts saved credentials, cryptocurrency wallet data, and browsing history, sending it to hackers via Telegram.
Clipboard hijackers scan for crypto wallet addresses and replace them with the hacker’s address, leading to potential financial losses.
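As an added illustration that is not from Kaspersky's report or this article: the substitution a clipboard hijacker performs can be spotted on the endpoint by comparing what the user last copied with what the clipboard holds when it is read back. The loose Bitcoin address pattern and the event log below are constructed for the example.

```python
import re

# Loose shape check for Bitcoin addresses (assumption: format only, no checksum):
# legacy/P2SH base58 starting with 1 or 3, or bech32 starting with bc1.
BTC_ADDR_RE = re.compile(
    r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{25,62})$"
)


def looks_like_btc_address(text: str) -> bool:
    return bool(BTC_ADDR_RE.match(text.strip()))


def detect_clipboard_swap(copied: str, clipboard_now: str) -> bool:
    """True when the user copied a BTC address but the clipboard now holds a
    different BTC address: the signature of a clipboard hijacker."""
    return (
        looks_like_btc_address(copied)
        and looks_like_btc_address(clipboard_now)
        and copied.strip() != clipboard_now.strip()
    )


def audit_clipboard_log(events):
    """events: list of (action, text). 'copy' is text the user placed on the
    clipboard; 'read' is what the clipboard contained when read back.
    Returns a list of (expected, observed) pairs flagged as swaps."""
    alerts = []
    last_copied = None
    for action, text in events:
        if action == "copy":
            last_copied = text
        elif action == "read" and last_copied is not None:
            if detect_clipboard_swap(last_copied, text):
                alerts.append((last_copied, text))
    return alerts


# Constructed sample: the addresses are BIP173 / genesis examples, not victims'.
SAMPLE_EVENTS = [
    ("copy", "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),
    ("read", "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),  # unchanged: no alert
    ("read", "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),  # replaced: alert
    ("copy", "hello world"),
    ("read", "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"),  # user never copied an address
]

if __name__ == "__main__":
    for expected, observed in audit_clipboard_log(SAMPLE_EVENTS):
        print(f"ALERT: copied {expected} but clipboard now holds {observed}")
```

A real monitor would poll the OS clipboard instead of replaying a list; the same comparison applies.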
One victim reportedly lost 5 Bitcoin ($442,000) to GitVenom malware in November.
The campaign primarily targets users in Russia, Brazil, and Turkey, though it poses a global threat.
Kaspersky urges users to scrutinize third-party code before downloading and warns that attackers may evolve their methods to evade detection.