How cybercriminals use YouTube and GitHub to spread crypto malware

Beginner · 11/25/2024, 3:44:40 AM
In the ever-evolving landscape of cyber threats, two platforms traditionally viewed as safe spaces for content creation, learning and open-source collaboration have become targets for distributing malware aimed at stealing crypto and personal data — YouTube and GitHub.

In 2024, the threat landscape has shifted and cybercriminals are using increasingly sophisticated methods to exploit these platforms, taking advantage of their broad user bases and trusted reputations.

So, how are cybercriminals using YouTube and GitHub to spread malware, and how can you protect yourself?

Why YouTube and GitHub are targets for crypto malware

If you are a content creator or a developer, you trust YouTube and GitHub to be safe platforms, which makes their misuse all the more dangerous. Why have these platforms become targets for crypto malware distribution?

Let’s uncover the reasons:

Large user base: YouTube counts its users in the billions and GitHub its developers in the hundreds of millions, offering cybercriminals an enormous pool of potential victims.

Open accessibility: Anyone can upload code on GitHub, providing cybercriminals with a low-barrier opportunity to hide malicious scripts in what seem to be useful open-source projects.

Trust and credibility: People trust the content they find on YouTube tutorials or GitHub repositories, making it easier to disguise malware as legitimate software or tools.

User engagement: Engagement signals on these platforms, such as stars on a GitHub repository or views and comments on a YouTube tutorial, double as trust cues, and they are cheap to fake. That combination lets malware spread quickly.

Lack of scrutiny: Many users download files or follow instructions from popular content creators without a second thought, allowing malware to slip through undetected.

Did you know? Malware-as-a-service (MaaS) platforms make sophisticated malware available to anyone willing to pay, turning cybercrime into a rentable service. These platforms often offer various packages, including info-stealers like RedLine, which target crypto wallets.

How crypto malware is spread via GitHub

GitHub — a platform traditionally used for sharing open-source code — has become a significant cyberattack target. Its reputation as a trusted repository for developers and tech enthusiasts makes it easy for attackers to hide malicious code in plain sight, mainly targeting crypto wallets and personal information.

The Stargazers Ghost Network: A case study

In July 2024, Check Point Research described a malware distribution-as-a-service (DaaS) network it named the Stargazers Ghost Network. The network had been operating on GitHub for at least a year.

This network involved a series of “ghost” accounts that looked legitimate because they engaged in typical GitHub activities, like starring repositories and following other users. This created the illusion that they were regular accounts contributing to the open-source community.

However, these ghost accounts were distributing malware by embedding malicious links in their GitHub repositories. In one particularly notable campaign, the network spread the Atlantida Stealer, a new family of malware designed to steal cryptocurrency wallets, login credentials and personally identifiable information (PII). Within four days, more than 1,300 users were infected by Atlantida Stealer through GitHub repositories.

Malware families spread by the network include Atlantida Stealer, Rhadamanthys, Lumma Stealer and RedLine.

How were they able to misuse GitHub? Let’s find out.

README.md as a Trojan horse: You might think the README.md file in a GitHub repository is just an ordinary description of the project or instructions for use. The trick? Such files can be filled with malicious links disguised as helpful resources (for example, tools to grow a social media following), leading to phishing pages or malware downloads.

The power of “stars” and “forks”: In GitHub, when a project gets a lot of stars or is forked frequently, it appears to be popular and trustworthy. Cybercriminals take advantage of this by creating multiple fake accounts (or “ghost” accounts) to star and fork their own repositories, making their malicious code look legitimate. The more stars, the more credible the project seems at first glance. Users often trust high-engagement projects without digging deeper into what’s being offered.

Constant rotation of accounts: Operations like the Stargazers Ghost Network are often one step ahead. They constantly create new accounts and rotate their operations, and they split roles across accounts (one hosts the repository, another pushes commits, another hosts the release), so when the platform bans the account serving the malware, the rest of the network keeps working.

Malware hidden in releases: Malicious files are shipped in password-protected archives (.zip or .7z files) attached to releases. Because the archive cannot be opened without the password, automated scanners cannot inspect its contents, while the password is handed to the victim alongside the download link. The files are disguised as legitimate software and downloaded by unsuspecting users.

Perhaps even more alarming is that these ghost accounts became a business: the operators rented them out and charged other criminals for starring, forking and otherwise making malicious projects appear trustworthy. Check Point estimated that the Stargazers Ghost Network earned around $100,000 through these services.

You can avoid falling into cybercriminals’ traps by understanding the above manipulation techniques.

Did you know? When you “star” a repository on GitHub, you’re essentially bookmarking it for later. It’s a way to show your appreciation or interest in a project. By contrast, “forking” a repository allows you to create a copy of it. This allows you to experiment, make changes or even build upon the original project without affecting the original version.
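The star and fork inflation described above leaves measurable traces: rented stars arrive in a burst, come from accounts created days earlier, and those accounts have no repositories or followers of their own. The following script, an added example written for this page and not code from the original article or from Check Point's report, scores a repository's stargazers on those three signals. The record fields mirror what the GitHub REST API exposes (`starred_at` from the stargazers endpoint with the `application/vnd.github.star+json` media type; `created_at`, `public_repos` and `followers` from the users endpoint), but the sample accounts, the 24-hour window, the 30-day age cutoff and the 0.6 threshold are all assumptions made for the demo, so it runs offline.

```python
"""Score a repository's stargazers for signs of rented 'ghost' stars.

Added example, not code from the original article or from Check Point's
report. Record fields mirror the GitHub REST API (`starred_at` from
`GET /repos/{owner}/{repo}/stargazers` with the `application/vnd.github.star+json`
media type; `created_at`, `public_repos`, `followers` from `GET /users/{login}`).
The sample data below is constructed for the demo, so everything runs offline.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Stargazer:
    login: str
    starred_at: datetime   # when this account starred the repository
    created_at: datetime   # when the account itself was created
    public_repos: int
    followers: int


def burst_fraction(stars: list[Stargazer], window: timedelta = timedelta(hours=24)) -> float:
    """Largest share of all stars that landed inside any single `window`.

    Organic stars trickle in over weeks; a purchased batch lands in one burst.
    """
    if not stars:
        return 0.0
    times = sorted(s.starred_at for s in stars)
    best, lo = 1, 0
    for hi in range(len(times)):          # sliding window over sorted timestamps
        while times[hi] - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best / len(times)


def young_account_fraction(stars: list[Stargazer], max_age: timedelta = timedelta(days=30)) -> float:
    """Share of stargazers whose account was younger than `max_age` when it starred."""
    if not stars:
        return 0.0
    return sum(1 for s in stars if s.starred_at - s.created_at < max_age) / len(stars)


def empty_account_fraction(stars: list[Stargazer]) -> float:
    """Share of stargazers with no public repositories and no followers."""
    if not stars:
        return 0.0
    return sum(1 for s in stars if s.public_repos == 0 and s.followers == 0) / len(stars)


def score_stargazers(stars: list[Stargazer], threshold: float = 0.6) -> dict:
    """Combine the signals; flag the repo when at least two exceed `threshold`.

    The threshold is an illustrative assumption, not a published detection rule.
    """
    signals = {
        "burst_fraction": burst_fraction(stars),
        "young_account_fraction": young_account_fraction(stars),
        "empty_account_fraction": empty_account_fraction(stars),
    }
    signals["suspicious"] = sum(v >= threshold for v in signals.values()) >= 2
    return signals


def constructed_sample(ghost: bool) -> list[Stargazer]:
    """Constructed demo accounts (not real GitHub users)."""
    base = datetime(2024, 6, 1, tzinfo=timezone.utc)
    stars = []
    for i in range(30):
        if ghost:
            starred = base + timedelta(minutes=4 * i)          # all 30 stars inside two hours
            created = starred - timedelta(days=i % 7)          # accounts a few days old
            repos, followers = 0, 0
        else:
            starred = base + timedelta(days=2 * i)             # spread across two months
            created = starred - timedelta(days=200 + 10 * i)   # established accounts
            repos, followers = 3 + i % 5, i % 12
        stars.append(Stargazer(f"user{i}", starred, created, repos, followers))
    return stars


if __name__ == "__main__":
    for label, sample in (("organic", constructed_sample(False)), ("ghost", constructed_sample(True))):
        print(label, score_stargazers(sample))
```

Any one signal can be innocent (a repository that trends on social media also gets a burst of stars), which is why the verdict requires two of the three. Against a real repository you would page through the stargazers endpoint, look up each account, and feed the records into `score_stargazers`.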

How crypto malware is hidden on YouTube

With more than 2.5 billion users, YouTube has become a go-to platform for tutorials, entertainment and educational content. This massive user base makes it a lucrative target for cybercriminals looking to exploit unsuspecting users. The method? Misleading videos, fake tutorials and malicious links embedded in video descriptions.

For example, cybercriminals often utilize videos that claim to offer “cracked” versions of popular software, such as AutoCAD, Adobe After Effects or Photoshop, attracting users who are either unwilling or unable to pay for legitimate versions.

Many don’t realize that following these video instructions may lead them to download malware, not the software they hoped for.

A real-world example: Lumma Stealer

Lumma Stealer malware has been circulating on YouTube throughout 2024. It is designed to extract highly sensitive information, such as saved browser passwords, cookies and even cryptocurrency wallet credentials.

Let’s understand how this works:

Malware hidden in ZIP files: Cybercriminals packaged the malware in a ZIP file that users were directed to download through the video description.

Deceptive tutorial videos: The videos were cleverly disguised as tutorials or “how-tos” for software installation, but once users followed the steps, they unknowingly infected their computers.

This kind of attack takes advantage of the trust users place in YouTube. After all, when a video has hundreds of thousands of views and positive comments, it doesn’t seem like something that could harm your computer. This is exactly what makes these attacks so effective: They blend into legitimate content seamlessly.

Did you know? Malware distributors have also used comments on public GitHub repositories: a comment posing as a fix or a helpful tool links to an encrypted archive hosted on Mediafire[.]com and supplies the password, commonly “changeme”, needed to open it. Once victims download the archive, unpack it and run what is inside, the stealer harvests their data.
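The lures described on this page, in README files, in repository comments and in video descriptions, share a small set of tells: a link to a file-hosting site or a URL shortener, an archive to download, a password supplied next to the link, or a domain that borrows a brand name without being the official site. The scanner below, an added example written for this page and not code from the original article or any of the cited reports, flags those tells in a block of text. The domain lists, the password pattern and the sample texts are assumptions constructed for the demo (the links in them are not real).

```python
"""Flag lure indicators in a README, repository comment or video description.

Added example, not code from the original article or from any cited report.
The domain lists and the password pattern are illustrative assumptions, not an
authoritative blocklist; the sample texts are constructed for the demo.
"""
import re
from urllib.parse import urlparse

FILE_HOSTS = {"mediafire.com", "mega.nz", "gofile.io", "anonfiles.com"}   # assumption
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "cutt.ly", "rebrand.ly"}    # assumption
OFFICIAL = {"github": "github.com", "youtube": "youtube.com", "google": "google.com"}
ARCHIVE_EXT = (".zip", ".rar", ".7z")

URL_RE = re.compile(r"https?://[^\s<>()\"']+", re.IGNORECASE)
# Matches "password: changeme", "pass is 1234", "PW=abc"; an explicit separator is
# required so that prose such as "the password for the archive" is not captured.
PASSWORD_RE = re.compile(
    r"\b(?:password|pass|pw)\b\s*(?:is|:|=)\s*[\"'`]?([A-Za-z0-9_!@#$%^&*.-]{3,})",
    re.IGNORECASE,
)


def refang(text: str) -> str:
    """Undo common defanging ('hxxp', '[.]') so analyst-pasted text is parsed too."""
    return re.sub(r"hxxp", "http", text.replace("[.]", "."), flags=re.IGNORECASE)


def _in(host: str, domains: set) -> bool:
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_text(text: str) -> dict:
    """Return the flagged links, any archive password offered, and a coarse risk level."""
    text = refang(text)
    findings = {"file_host": [], "shortener": [], "archive": [], "lookalike": []}
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;!")
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if _in(host, FILE_HOSTS):
            findings["file_host"].append(url)
        if _in(host, SHORTENERS):
            findings["shortener"].append(url)
        if parsed.path.lower().endswith(ARCHIVE_EXT):
            findings["archive"].append(url)
        # Brand name inside a host that is not the official domain (crude: some CDNs trip it).
        if any(brand in host and not _in(host, {official}) for brand, official in OFFICIAL.items()):
            findings["lookalike"].append(url)
    m = PASSWORD_RE.search(text)
    findings["archive_password"] = m.group(1) if m else None
    linked = any(findings[k] for k in ("file_host", "shortener", "archive", "lookalike"))
    if linked and findings["archive_password"]:
        findings["risk"] = "high"      # a download plus the password to unpack it: the classic lure
    elif linked or findings["archive_password"]:
        findings["risk"] = "medium"
    else:
        findings["risk"] = "low"
    return findings


# Constructed samples (not real comments, descriptions or links).
LURE_COMMENT = "Fixed it! Download here: https://www.mediafire.com/file/abc123/fix.zip Password: changeme"
LURE_DESCRIPTION = "Photoshop 2024 for free -> hxxps://bit[.]ly/ps-free (archive pass is 1234)"
LOOKALIKE_README = "Latest build: https://github-releases.net/tool/setup.exe"
BENIGN_README = "Install with pip. Docs: https://docs.python.org/3/ Source: https://github.com/psf/requests"

if __name__ == "__main__":
    for sample in (LURE_COMMENT, LURE_DESCRIPTION, LOOKALIKE_README, BENIGN_README):
        print(scan_text(sample))
```

The "high" verdict deliberately keys on the combination of a download link and a password: a password is only needed when the archive is encrypted, and encryption is what keeps the platform's scanners from looking inside. The lookalike check is a blunt instrument and will flag some legitimate CDNs, so treat it as a prompt to look closer rather than a verdict.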

Session hijacking and stream-jacking: Growing concerns

Cybercriminals have also begun employing more advanced techniques like session hijacking, which doesn’t require your password at all.

Instead, the attacker steals your session cookies, the tokens your browser stores after you sign in so that you stay logged in to platforms like YouTube or Google. A site that receives a valid session cookie treats the request as coming from an already-authenticated user, so the password prompt and the two-factor authentication (2FA) step never happen; the attacker simply continues your session from their own machine. Because infostealers copy these cookies straight out of the browser profile, 2FA protects the login, not the session that follows it.

In March 2024, a malware campaign was discovered spreading through YouTube video descriptions. This malware was designed to steal session cookies, allowing attackers to hijack user accounts and spread further.

In 2023, cybersecurity firm Bitdefender described a technique called “stream-jacking,” which cybercriminals used to hijack high-profile accounts, often featuring deepfakes of Elon Musk and Tesla content to lure users into scams.

Using phishing emails disguised as collaboration offers, the attackers get the channel owner to run the RedLine infostealer, which steals the browser’s session cookies and so hands them control of the account even when 2FA is enabled. They then direct viewers to crypto scam websites using malicious links or QR codes embedded in videos.

Original content is deleted or hidden, and descriptions are altered to resemble official Tesla channels. After detecting suspicious activity, YouTube typically closes these accounts, leading to significant losses for legitimate owners, including videos, subscribers and monetization.
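To make concrete why a stolen cookie gets past 2FA, and what a countermeasure has to change, here is an added example written for this page; it is not code from the original article, from Google, or from any real platform. `NaiveServer` models the common design, where the cookie is a bearer token and whoever presents it is the user. `BoundServer` models a session bound to a per-device key, in the spirit of device-bound session credentials: the browser answers a fresh server challenge with a proof computed from a key that is never sent, so the cookie alone proves nothing. For simplicity the demo uses an HMAC key as the device secret, whereas a real deployment would keep an asymmetric private key in the TPM and verify signatures with the registered public key; users, cookies and keys are constructed for the demo.

```python
"""Why a stolen session cookie sidesteps 2FA, and what device-binding changes.

Added example, not code from the original article, from Google or from any real
platform. The bound variant stands in for device-bound session credentials: here
the browser-side secret is an HMAC key, whereas a real deployment would keep an
asymmetric private key in hardware and verify signatures with the public key.
Users, cookies and keys below are constructed for the demo.
"""
import hashlib
import hmac
import secrets


class NaiveServer:
    """Bearer-token sessions: whoever presents the cookie is treated as the user."""

    def __init__(self) -> None:
        self.sessions = {}   # cookie -> user

    def login(self, user: str, password_ok: bool, otp_ok: bool) -> str:
        """Password and 2FA are checked once, at login; the cookie carries the result."""
        if not (password_ok and otp_ok):
            raise PermissionError("password or 2FA check failed")
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = user
        return cookie

    def whoami(self, cookie: str):
        return self.sessions.get(cookie)


class BoundServer:
    """Sessions tied to a per-device key: the cookie alone proves nothing."""

    def __init__(self) -> None:
        self.sessions = {}      # cookie -> user
        self.device_keys = {}   # cookie -> key registered at login
        self.pending = set()    # challenges issued and not yet answered

    def login(self, user: str, password_ok: bool, otp_ok: bool, device_key: bytes) -> str:
        if not (password_ok and otp_ok):
            raise PermissionError("password or 2FA check failed")
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = user
        self.device_keys[cookie] = device_key
        return cookie

    def challenge(self) -> str:
        """Fresh nonce the client must answer with a proof computed from its device key."""
        nonce = secrets.token_hex(16)
        self.pending.add(nonce)
        return nonce

    def whoami(self, cookie: str, nonce: str, proof: str):
        user = self.sessions.get(cookie)
        key = self.device_keys.get(cookie)
        if user is None or key is None or nonce not in self.pending:
            return None
        self.pending.discard(nonce)   # single use: a captured proof cannot be replayed
        expected = hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()
        return user if hmac.compare_digest(expected, proof) else None


def prove(device_key: bytes, nonce: str) -> str:
    """Client side: answer the challenge without ever sending the key itself."""
    return hmac.new(device_key, nonce.encode(), hashlib.sha256).hexdigest()


def run_scenario() -> dict:
    """An infostealer copies the cookie jar; compare what the attacker can do on each server."""
    device_key = secrets.token_bytes(32)   # real deployments: non-exportable, hardware-backed
    naive, bound = NaiveServer(), BoundServer()
    naive_cookie = naive.login("victim", password_ok=True, otp_ok=True)
    bound_cookie = bound.login("victim", password_ok=True, otp_ok=True, device_key=device_key)

    # The victim's own browser keeps working on the bound server.
    nonce = bound.challenge()
    proof = prove(device_key, nonce)
    legit = bound.whoami(bound_cookie, nonce, proof)

    # Attacker holds the stolen cookies but not the device key.
    naive_attacker = naive.whoami(naive_cookie)   # 'victim': no password, no 2FA prompt
    nonce2 = bound.challenge()
    bound_attacker = bound.whoami(bound_cookie, nonce2, prove(b"not-the-key", nonce2))
    # Attacker who also captured the victim's earlier (nonce, proof) pair and replays it.
    bound_replay = bound.whoami(bound_cookie, nonce, proof)

    return {
        "naive_attacker": naive_attacker,
        "bound_legit": legit,
        "bound_attacker": bound_attacker,
        "bound_replay": bound_replay,
    }


if __name__ == "__main__":
    print(run_scenario())
```

Two details carry the security argument. The challenge is single-use, so a proof captured in transit is worthless a moment later. And the binding only helps if the device key is something an infostealer on the same machine cannot copy alongside the cookie, which is why the real designs anchor it in hardware; a software key sitting next to the cookie jar would be stolen with it.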

Did you know? Phishing attacks frequently leverage deceptive domains to trick users into downloading malware or disclosing sensitive information. Cybercriminals use sites like pro-swapper[.]com, fenzor[.]com, and vortex-cloudgaming[.]com, mimicking legitimate platforms to lure victims. Always verify the authenticity of websites before downloading files or entering personal information.

Key ways to protect yourself from crypto malware on YouTube and GitHub

Given the growing prevalence of cyberattacks, it’s more important than ever for users to be vigilant. Here are some ways to protect yourself:

Monitor your accounts: Many platforms, including Google and GitHub, allow you to see recent logins and devices connected to your account. If anything looks suspicious, immediately change your password and sign out of all sessions; signing out everywhere is what revokes a stolen cookie, and on some platforms a password change alone does not invalidate existing sessions.

Use strong, unique passwords and enable 2FA: While 2FA isn’t foolproof against session hijacking, it’s still an essential layer of protection. Using strong, unique passwords for each platform can also prevent attackers from accessing multiple accounts if one is compromised.

Use phishing-resistant MFA: Opt for hardware security keys or passkeys (FIDO2/WebAuthn) for stronger protection against phishing attacks. A fingerprint or face unlock is phishing-resistant only when it unlocks such a credential on your device, not when it merely approves a push notification.

Check links before clicking: Always check the legitimacy of links in YouTube video descriptions or GitHub repositories before clicking. Look for signs that something might be off, such as shortened URLs or domains that don’t match the platform’s typical structure.

Be skeptical of free software offers: If something seems too good to be true, it probably is. Be wary of any video or GitHub repository offering cracked software, especially if it requires downloading files from unfamiliar sites. Always download software from official, trusted sources.

Update software regularly: Keeping your operating system, antivirus software and applications up to date is crucial for protecting against known vulnerabilities that malware exploits.

The future of malware distribution

Unfortunately, the trend of using platforms like YouTube and GitHub to distribute malware shows no signs of slowing. As such platforms continue to expand, so will the creativity and sophistication of cybercriminals looking to exploit them.

Looking ahead, cybercriminals integrating AI-powered tools may make these attacks even more challenging to detect. Imagine AI-driven ghost accounts that can autonomously interact with users, tailoring phishing messages based on real-time interactions and personalized responses. This could lead to a more convincing wave of malware distribution, which might be almost impossible to distinguish from legitimate activity.

Understanding and mitigating these risks is critical in a world where cryptocurrency adoption is growing, and digital platforms are becoming central to many aspects of life.

Users must remain vigilant, platforms must ramp up their security measures, and cybersecurity experts, developers and other key stakeholders must collaborate to ensure a safer digital future.

Disclaimer:

  1. This article is reprinted from [Guneet Kaur]. All copyrights belong to the original author [cointelegraph]. If there are objections to this reprint, please contact the Gate Learn team, and they will handle it promptly.
  2. Liability Disclaimer: The views and opinions expressed in this article are solely those of the author and do not constitute any investment advice.
  3. Translations of the article into other languages are done by the Gate Learn team. Unless mentioned, copying, distributing, or plagiarizing the translated articles is prohibited.
