How Hackers Are Quietly Draining Bitcoin Wallets Through Fake GitHub Projects

Imagine stumbling across a slick GitHub project that promises to streamline your Telegram bot for managing Bitcoin wallets or supercharge your favorite gaming tool. It looks legitimate, complete with a polished README file that practically begs you to dive in.
But here’s the catch: that code you’re about to run could be a silent thief, siphoning off your Bitcoin and other crypto assets without you even noticing. According to a recent Kaspersky report, this isn’t just a hypothetical scenario; it’s a growing reality tied to a sneaky campaign dubbed “GitVenom,” which has been lurking in the shadows for at least two years and is picking up steam.
GitHub has long been a go-to hub for developers, especially those tinkering with crypto projects where a single app can rake in millions. That popularity, though, makes it a prime target for bad actors. The GitVenom scheme hooks unsuspecting users with what appear to be harmless projects. Think Telegram bots or gaming utilities, all dressed up with professional-looking documentation that’s often whipped up by artificial intelligence to earn your trust.
Under the hood, however, the code is anything but innocent. In Python projects, attackers slip in a malicious script after an absurd stretch of 2,000 tabs, which quietly decrypts and unleashes a harmful payload. JavaScript projects hide rogue functions right in the main file, ready to kick off the attack the moment you run them. Once the trap is sprung, the malware reaches out to a separate hacker-controlled GitHub repository to fetch more tools and get to work.
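A defender-side check for the whitespace trick described above, added here as an example (it is not code from the Kaspersky report or from the GitVenom repositories): it flags any line in a checkout where code follows a run of tabs or spaces longer than a hypothetical threshold, which ordinary indentation never reaches, and runs it over a constructed sample file.

```python
"""Flag source lines where code hides behind an absurdly long run of whitespace."""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import Path

# Hypothetical threshold: no real indentation is anywhere near this long.
DEFAULT_THRESHOLD = 100


@dataclass
class Finding:
    line_no: int     # 1-based line number in the file
    run_length: int  # whitespace characters immediately before the hidden code
    snippet: str     # start of the code that follows the run


def find_padded_code(source: str, threshold: int = DEFAULT_THRESHOLD) -> list[Finding]:
    """Return every line where >= `threshold` tabs/spaces are followed by code."""
    pattern = re.compile(r"[ \t]{%d,}(?=\S)" % threshold)
    findings: list[Finding] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for match in pattern.finditer(line):
            code = line[match.end():].rstrip()
            findings.append(Finding(line_no, match.end() - match.start(), code[:60]))
    return findings


def scan_tree(root: Path, suffixes=(".py", ".js")) -> dict[str, list[Finding]]:
    """Walk a cloned project and collect findings per file, before running anything."""
    report: dict[str, list[Finding]] = {}
    for path in root.rglob("*"):
        if path.suffix in suffixes and path.is_file():
            hits = find_padded_code(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report


# Constructed sample: a benign-looking Telegram bot file with one line pushed
# 2,000 tabs to the right so it never shows without horizontal scrolling.
SAMPLE = (
    "import telebot\n"
    "bot = telebot.TeleBot(TOKEN)\n"
    "\n"
    "def start(message):\n"
    "    bot.reply_to(message, 'hi')\n"
    + "\t" * 2000 + "exec(PAYLOAD)  # constructed stand-in, no real payload\n"
)

if __name__ == "__main__":
    for hit in find_padded_code(SAMPLE):
        print(f"line {hit.line_no}: {hit.run_length} whitespace chars before {hit.snippet!r}")
```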
The Devastating Fallout and How It Unfolds
Once your system is compromised, the damage spreads fast. A Node.js-based stealer jumps into action, scooping up passwords, any crypto wallet details, and browsing history before packaging it all up and shipping it off. Remote access trojans like AsyncRAT and Quasar dig deeper, seizing control of your device, tracking every keystroke, and snapping screenshots to capture anything valuable.
Then there’s the “clipper,” a particularly nasty piece of work that swaps out any wallet address you copy with one belonging to the hackers, redirecting your funds straight into their pockets. One wallet tied to this scheme reportedly pocketed 5 BTC in November alone, a haul worth $485,000 at the time. The campaign has hit users hardest in places like Russia, Brazil, and Turkey, but its tentacles stretch worldwide, according to Kaspersky’s findings.
What makes GitVenom so tricky is how well it flies under the radar. The attackers play the part of active developers, regularly tweaking their projects and switching up their coding tricks to dodge antivirus detection. That stealth keeps the operation humming along, and it’s been active for at least two years with no signs of slowing down.