Crypto clipboard hijacker spreads through faked stars, upvotes, and reviews

Researchers at Check Point have detailed a cryptocurrency-theft campaign that weaponizes something most people instinctively trust: popularity. The operator hides clipboard-hijacking malware inside "tools" that promise easy money, then wraps them in a thick layer of fake credibility (inflated GitHub stars, coordinated five-star comments, AI-narrated YouTube reviews, and even articles on legitimate-looking news sites) to convince victims the software is safe.

The lures target people hunting for shortcuts: Solana and Pump.fun "sniper bots," an "Aviator Predictor," and various crash-game "predictors" that claim to forecast when an online betting game will crash. The real payload is a clipboard hijacker written in Rust, with builds for both Windows and macOS.

How the scam works

A WordPress phishing page acts as the central hub, funneling victims from social media, crypto forums, and Telegram toward downloads hosted on GitHub and SourceForge. Check Point says the operator runs at least six GitHub accounts and uses "Ghost Networks" of fake accounts to repeatedly star and fork the repositories, manufacturing the appearance of a popular, trusted project. The same trick extends to VirusTotal, where some samples picked up benign votes and "safe" comments that, combined with a low detection rate, mislead both users and reputation-based security tools. Check Point counted over 5,000 downloads from GitHub alone, including more than 1,250 of the macOS build.
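One check a practitioner can run before trusting a star count, added here as an example and not taken from the Check Point report: GitHub's stargazers endpoint (GET /repos/{owner}/{repo}/stargazers with the header Accept: application/vnd.github.star+json) returns the time each star was given, and GET /users/{login} returns when the starring account was created. Stars that land in one tight burst from accounts created days earlier are the fingerprint of a "Ghost Network". The records below are constructed in the shape of those API objects, and the thresholds (30-day account age, 24-hour window, 50% shares) are assumptions to tune per repository.

```python
"""Heuristic for star inflation: stars arriving in a tight burst from freshly
created accounts. Added example; the records are constructed to mimic GitHub's
stargazer (star+json) and user objects and are not real data."""
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"  # timestamp format GitHub's API uses


def _rec(starred_at: datetime, created_at: datetime, login: str) -> dict:
    """Build one stargazer record with the account's creation date attached."""
    return {"starred_at": starred_at.strftime(FMT),
            "user": {"login": login, "created_at": created_at.strftime(FMT)}}


# Constructed: 12 "ghost" accounts created in the preceding week, all starring
# within the same eleven minutes.
GHOSTS = [_rec(datetime(2025, 3, 1, 10, m), datetime(2025, 2, 20 + m % 8), f"ghost{m}")
          for m in range(12)]
# Constructed: 10 organic stars, one per week, from accounts several years old.
ORGANIC = [_rec(datetime(2024, 11, 1) + timedelta(weeks=w),
                datetime(2018 + w % 3, 5, 1), f"dev{w}")
           for w in range(10)]


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, FMT)


def star_stats(records: list, young_days: int = 30, window_hours: int = 24) -> dict:
    """Share of stars from young accounts, and the largest number of stars
    that fall inside any sliding window of window_hours."""
    if not records:
        return {"total": 0, "young_account_share": 0.0, "max_burst": 0}
    stars = sorted(_parse(r["starred_at"]) for r in records)
    young = sum(
        1 for r in records
        if _parse(r["starred_at"]) - _parse(r["user"]["created_at"]) <= timedelta(days=young_days)
    )
    best, j = 0, 0
    for i, t in enumerate(stars):
        # advance j until stars[j] is inside (t - window, t]
        while stars[j] < t - timedelta(hours=window_hours):
            j += 1
        best = max(best, i - j + 1)
    return {"total": len(stars),
            "young_account_share": young / len(stars),
            "max_burst": best}


def looks_inflated(stats: dict, young_share: float = 0.5,
                   burst_share: float = 0.5, min_stars: int = 10) -> bool:
    """Flag when most stars come from young accounts or from one burst.
    Thresholds are assumptions, not values from the report."""
    if stats["total"] < min_stars:
        return False  # too few stars to judge either way
    return (stats["young_account_share"] >= young_share
            or stats["max_burst"] / stats["total"] >= burst_share)


if __name__ == "__main__":
    for name, recs in (("ghost-heavy repo", GHOSTS + ORGANIC), ("organic repo", ORGANIC)):
        s = star_stats(recs)
        print(name, s, "inflated" if looks_inflated(s) else "ok")
```

A burst alone is weak evidence (a mention on a popular site produces one too), which is why the account-age share is checked as well; forks can be scored the same way from the /forks endpoint.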

What the malware does

Once installed, the Rust binary sets up persistence and silently watches the clipboard. When it spots a string that looks like a cryptocurrency wallet address, it swaps in an attacker-controlled address from a large embedded list, so funds a victim believes they are sending to themselves or a trusted party land in the thief's wallet instead. Check Point reports the attacker wallets have already received multiple transactions, indicating real losses. This clipboard-swap technique has become a favorite of crypto thieves; IntelFusions recently covered a fake BlueWallet Mac app that swapped wallet addresses mid-copy, as well as the broader pattern of abusing GitHub as malware infrastructure.

What you should do

Treat "sniper bots," game predictors, and other get-rich-quick tools as malware by default, no matter how many stars or glowing reviews they carry, since that engagement is easy to fake. Always verify a cryptocurrency address after pasting it and before sending, comparing the entire string rather than just its first and last few characters, ideally on a hardware wallet screen. Download software only from official vendor sites, and remember that a clean-looking VirusTotal page or a popular repository is not proof of safety.

Indicators of compromise

Selected indicators (SHA-256 file hashes): 5518942d9d21794aaeff41a01b88606a96659fc329b481a2f0946d8163ab4d61 and 33c86ecfc324de3af97150bd009aba7925a6ba7a0842e127e94cf351013c0fe6. The Telegram and WordPress handle observed by researchers was JoseCmanXD. Full indicators are in the original Check Point report.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.

Read the full analysis on IntelFusions