Rust Crypto Clipper Malware — Fake GitHub Stars Campaign
1 decision on this page
Audit log
Every state-changing event for Rust Crypto Clipper Malware — Fake GitHub Stars Campaign: moderation decisions on community submissions, plus corrections and updates from the news pipeline. URL-based decisions carry three independent witnesses — the original source, an Internet Archive snapshot taken at submission time, and a Solana memo signed by our publicly-disclosed publisher key.
- #1 publish by system:backfill, 2026-06-21 17:33:17Z. Score: ? → ? (no score change). Anchor: anchored.
- chain: mainnet-beta, slot 427,987,108
- sig: 52DerZ5fANot…mNqgHFgG
- hash: 94EexPUQxmTw…hxwgTZTz (sha256 → base58)
- canonical bytes (17032 B):
{"actor":"system:backfill","investigation_id":"9db43d3a-a8d1-4673-80c0-6669bcbe0419","kind":"publish","page_slug":"rust-crypto-clipper-malware-fake-github-stars-campaign","published_at":"2026-06-21T17:33:17.065Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Rust Crypto Clipper Malware — Fake GitHub Stars Campaign","sections":[{"content":"Check Point Research published findings on June 19, 2026 exposing an ongoing malware distribution campaign that uses coordinated reputation manipulation across multiple platforms to deliver a Rust-based cryptocurrency clipboard hijacker. The campaign targets cryptocurrency traders and online gamblers by offering lures framed as high-demand edge tools: Solana and Pump.fun sniper bots that claim to front-run token launches, an 'Aviator Predictor' claiming to forecast crash-game outcomes, and several other crash-game predictors. All lures lead to the same underlying payload: a clipboard hijacker that monitors the system for copied wallet addresses and silently substitutes them with attacker-controlled addresses before the user completes a transaction. Check Point researchers noted that 'manipulating sentiment and reputation across crowd-sourced platforms marks a meaningful shift in how attackers build trust,' warning that the same playbook could be reused to deliver ransomware or more destructive payloads targeting enterprises.","heading":"Campaign Overview","severity":"critical","sources":[{"credibility":1,"name":"From Stars to Upvotes: Fake Reputation Fueling a Crypto Clipboard Hijacker — Check Point Research","type":"research","url":"https://research.checkpoint.com/2026/from-stars-to-upvotes-fake-reputation-fueling-a-crypto-clipboard-hijacker/"},{"credibility":2,"name":"Crypto Clipper Campaign Abuses Fake Reviews, AI Narrators, and VirusTotal Comments — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/06/crypto-clipper-campaign-abuses-fake.html"}]},{"content":"The payload is a clipboard hijacker written in Rust, compiled for both Windows and macOS. Once executed, the binary installs persistence mechanisms and continuously monitors the system clipboard for strings matching known cryptocurrency wallet address formats. When a match is found, the malware silently replaces the copied address with one drawn from a large embedded list of attacker-controlled addresses before the user pastes and transmits the value. The Windows variant contains over 15,500 hardcoded attacker wallet addresses. Bitcoin addresses dominate at approximately 15,000 entries, split across the three major Bitcoin address formats: bech32 (native SegWit), legacy (P2PKH), and P2SH. Approximately 500 Ethereum addresses are also embedded. Additional supported currencies include Bitcoin Cash, Monero, Dogecoin, Cardano, Litecoin, Tron, XRP, and Zcash. The macOS variant uses a single attacker wallet address per supported cryptocurrency type and installs a LaunchAgent at '~/Library/LaunchAgents/com.example..plist' for persistence. It includes a self-healing watchdog loop that re-executes the malicious binary every 30 seconds to resist termination. The macOS build also bundles a social engineering 'unlocker' script that instructs victims to bypass Apple's Gatekeeper and quarantine security features, framed as a required installation step for the promised tool. Eleven Windows malware hashes and one macOS hash were identified in Check Point's indicators of compromise.","heading":"Malware Technical Analysis","severity":"critical","sources":[{"credibility":1,"name":"From Stars to Upvotes: Fake Reputation Fueling a Crypto Clipboard Hijacker — Check Point Research","type":"research","url":"https://research.checkpoint.com/2026/from-stars-to-upvotes-fake-reputation-fueling-a-crypto-clipboard-hijacker/"},{"credibility":2,"name":"Fake GitHub Stars and AI Videos Mask a Crypto Clipper — Infosecurity Magazine","type":"news_article","url":"https://www.infosecurity-magazine.com/news/crypto-clipboard-hijacker-fake/"}]},{"content":"The campaign is distinguished by its systematic abuse of trust signals across multiple platforms simultaneously, a tactic Check Point researchers describe as a 'fake reputation engine.' On GitHub, the threat actor operated at least six accounts — including handles 'Decryptor-j,' 'crash-predictor1,' 'roblox-script1,' 'hack-scripts,' and 'stake-mines' — whose repositories were artificially boosted using Ghost Networks of fake or compromised accounts. One repository accumulated 146 stars and 62 forks. Over 5,000 genuine downloads were recorded from GitHub, with macOS 'Aviator Predictor' downloads alone exceeding 1,250. On SourceForge, the campaign maintained a project page reporting 44,485 total downloads. Check Point researchers noted the implausibility of 37,460 of those downloads being attributed to Android devices despite the malware being exclusively built for Windows and macOS, suggesting an automated Android device farm was used to inflate the figure. A YouTube channel with over 91,000 subscribers, created in July 2020, featured AI-generated narrator demonstrations with suspicious view spikes and coordinated positive comments reinforcing the illusion of an active user community. On VirusTotal, ghost network accounts cast favorable votes and posted 'safe' comments on malware samples to counteract low-detection-rate flags. The combination of few antivirus detections and a chorus of positive community feedback created a misleading impression of safety. Additionally, coordinated promotional articles were planted on legitimate news websites in a single-day burst on April 27, 2026, suggesting an organized press release campaign. Distribution via EIN Presswire resulted in syndication across USA TODAY Network partner sites. A dedicated WordPress phishing hub served as the central landing page, linking to the GitHub repositories and SourceForge project.","heading":"Fake Reputation Infrastructure","severity":"critical","sources":[{"credibility":1,"name":"From Stars to Upvotes: Fake Reputation Fueling a Crypto Clipboard Hijacker — Check Point Research","type":"research","url":"https://research.checkpoint.com/2026/from-stars-to-upvotes-fake-reputation-fueling-a-crypto-clipboard-hijacker/"},{"credibility":2,"name":"Crypto Clipper Campaign Abuses Fake Reviews, AI Narrators, and VirusTotal Comments — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/06/crypto-clipper-campaign-abuses-fake.html"},{"credibility":2,"name":"Cybercriminals abused GitHub, YouTube and VirusTotal to push crypto-stealing malware — Help Net Security","type":"news_article","url":"https://www.helpnetsecurity.com/2026/06/19/fake-github-stars-crypto-stealing-malware/"}]},{"content":"The threat actor operates under the handle '@JoseCmanXD' across Telegram and multiple other platforms. The WordPress phishing hub distributing the malware is maintained under this same handle. Check Point Research identified early signs of the actor's activity on a hacking forum dating to 2019. In 2022, the user posted a thread titled 'BLACKHAT | Bitcoin Stealer | Advanced Builder | Tutorial | Clipper [Address Changer]+Re-Fud method,' in which they shared a malicious crypto-related tool. Promotional posts were also found on BitcoinTalk.org. No formal legal attribution, law enforcement identification, or regulatory action against the actor had been reported as of the date of Check Point's publication.","heading":"Threat Actor Attribution","severity":"high","sources":[{"credibility":1,"name":"From Stars to Upvotes: Fake Reputation Fueling a Crypto Clipboard Hijacker — Check Point Research","type":"research","url":"https://research.checkpoint.com/2026/from-stars-to-upvotes-fake-reputation-fueling-a-crypto-clipboard-hijacker/"},{"credibility":2,"name":"Threat Actor Uses Ghost Networks to Boost Malicious Crypto Tools on GitHub and SourceForge — CyberPress","type":"news_article","url":"https://cyberpress.org/ghost-networks-boost-crypto-malware/"}]},{"content":"More than 5,000 genuine downloads were confirmed from GitHub repositories alone, with over 1,250 attributed to the macOS 'Aviator Predictor' variant. The SourceForge page reported 44,485 total downloads, though a significant portion of that figure is attributed to likely artificial inflation via an Android device farm. The geographic distribution of SourceForge downloads showed a majority of activity from Pakistan and India. The malware's primary mechanism — silent address substitution — means victims receive no indication of compromise at the time a transaction is redirected. The scale of embedded addresses (over 15,500 Bitcoin addresses across three format types) suggests the operation was designed to operate at volume and to rotate addresses to avoid detection and asset tracking. The total value of funds redirected to attacker-controlled wallets had not been quantified in public reporting as of June 2026.","heading":"Scale and Victim Impact","severity":"high","sources":[{"credibility":1,"name":"From Stars to Upvotes: Fake Reputation Fueling a Crypto Clipboard Hijacker — Check Point Research","type":"research","url":"https://research.checkpoint.com/2026/from-stars-to-upvotes-fake-reputation-fueling-a-crypto-clipboard-hijacker/"},{"credibility":2,"name":"Rust Clipboard Hijacker Uses Fake GitHub Stars and VirusTotal Upvotes to Steal Crypto — Cybersecurity News","type":"news_article","url":"https://cybersecuritynews.com/rust-clipboard-hijacker-uses-fake-github-stars/"}]},{"content":"The campaign demonstrates that widely trusted public platforms — GitHub, SourceForge, YouTube, and VirusTotal — can be systematically gamed to manufacture false signals of software legitimacy. Each platform's reputation signal (star counts, download counts, subscriber counts, community safety votes) was individually manipulated, and the combined effect created a cross-platform trust halo that security-aware users might find persuasive. Check Point's analysis warns that this playbook is payload-agnostic: the same fake reputation infrastructure used here for a clipboard hijacker could be reused to deliver ransomware or other high-impact payloads targeting enterprise environments. As of June 2026, no public statement from GitHub, SourceForge, YouTube, or VirusTotal regarding enforcement action against the identified accounts had been reported.","heading":"Platform Responsibility and Security Implications","severity":"high","sources":[{"credibility":1,"name":"From Stars to Upvotes: Fake Reputation Fueling a Crypto Clipboard Hijacker — Check Point Research","type":"research","url":"https://research.checkpoint.com/2026/from-stars-to-upvotes-fake-reputation-fueling-a-crypto-clipboard-hijacker/"},{"credibility":2,"name":"Crypto Clipper Campaign Abuses Fake Reviews, AI Narrators, and VirusTotal Comments — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/06/crypto-clipper-campaign-abuses-fake.html"}]},{"content":"Check Point Research published indicators of compromise in their June 2026 report. Known malicious GitHub accounts include: 'Decryptor-j,' 'crash-predictor1,' 'roblox-script1,' 'hack-scripts,' and 'stake-mines.' The threat actor's contact handle is '@JoseCmanXD' on Telegram. Eleven Windows binary hashes and one macOS binary hash were documented (partial hashes noted: Windows samples include hashes beginning '5518942d,' '33c86ecf,' and '7a7ad4ae'; macOS sample hash begins 'b71efde'). The macOS persistence mechanism uses a LaunchAgent plist at '~/Library/LaunchAgents/com.example..plist.' The distribution chain originates from a WordPress phishing site maintained by the actor, linking to GitHub repositories and a SourceForge project page. Promotional news articles planted on April 27, 2026 via EIN Presswire across USA TODAY Network partner properties serve as additional distribution vectors.","heading":"Indicators of Compromise","severity":"critical","sources":[{"credibility":1,"name":"From Stars to Upvotes: Fake Reputation Fueling a Crypto Clipboard Hijacker — Check Point Research","type":"research","url":"https://research.checkpoint.com/2026/from-stars-to-upvotes-fake-reputation-fueling-a-crypto-clipboard-hijacker/"}]}],"sources_used":[{"credibility":1,"name":"From Stars to Upvotes: Fake Reputation Fueling a Crypto Clipboard Hijacker — Check Point Research","type":"research","url":"https://research.checkpoint.com/2026/from-stars-to-upvotes-fake-reputation-fueling-a-crypto-clipboard-hijacker/"},{"credibility":2,"name":"Crypto Clipper Campaign Abuses Fake Reviews, AI Narrators, and VirusTotal Comments — The Hacker News","type":"news_article","url":"https://thehackernews.com/2026/06/crypto-clipper-campaign-abuses-fake.html"},{"credibility":2,"name":"Fake GitHub Stars and AI Videos Mask a Crypto Clipper — Infosecurity Magazine","type":"news_article","url":"https://www.infosecurity-magazine.com/news/crypto-clipboard-hijacker-fake/"},{"credibility":2,"name":"Rust Clipboard Hijacker Uses Fake GitHub Stars and VirusTotal Upvotes to Steal Crypto — Cybersecurity News","type":"news_article","url":"https://cybersecuritynews.com/rust-clipboard-hijacker-uses-fake-github-stars/"},{"credibility":2,"name":"Cybercriminals abused GitHub, YouTube and VirusTotal to push crypto-stealing malware — Help Net Security","type":"news_article","url":"https://www.helpnetsecurity.com/2026/06/19/fake-github-stars-crypto-stealing-malware/"},{"credibility":2,"name":"Threat Actor Uses Ghost Networks to Boost Malicious Crypto Tools on GitHub and SourceForge — CyberPress","type":"news_article","url":"https://cyberpress.org/ghost-networks-boost-crypto-malware/"},{"credibility":2,"name":"Hackers Use AI-Generated YouTube Narrators to Promote Crypto Clipper Malware — GBHackers","type":"news_article","url":"https://gbhackers.com/ai-generated-youtube-narrators/"}],"summary":"An active malware campaign discovered by Check Point Research in June 2026 distributes a Rust-based cryptocurrency clipboard hijacker for Windows and macOS disguised as crypto trading tools and gambling predictors. The operation manufactured false legitimacy through coordinated fake GitHub star networks, AI-narrated YouTube tutorials, inflated VirusTotal ratings, and a SourceForge page showing over 44,000 downloads, achieving more than 5,000 confirmed genuine GitHub downloads. The clipper silently replaces copied wallet addresses with attacker-controlled addresses drawn from an embedded list of over 15,500 addresses, primarily Bitcoin.","timeline":[{"date":"2019-01-01","event":"Threat actor operating under the handle '@JoseCmanXD' first identified as active on a hacking forum. Exact date within 2019 not specified in public reporting.","source":"Check Point Research","source_url":"https://research.checkpoint.com/2026/from-stars-to-upvotes-fake-reputation-fueling-a-crypto-clipboard-hijacker/"},{"date":"2020-07-01","event":"YouTube channel later used to promote the malware campaign was created. Exact date within July 2020 not specified.","source":"Check Point Research","source_url":"https://research.checkpoint.com/2026/from-stars-to-upvotes-fake-reputation-fueling-a-crypto-clipboard-hijacker/"},{"date":"2022-01-01","event":"Actor '@JoseCmanXD' posted thread on a hacking forum titled 'BLACKHAT | Bitcoin Stealer | Advanced Builder | Tutorial | Clipper [Address Changer]+Re-Fud method,' sharing a malicious crypto-related tool. Exact date within 2022 not specified.","source":"Check Point Research","source_url":"https://research.checkpoint.com/2026/from-stars-to-upvotes-fake-reputation-fueling-a-crypto-clipboard-hijacker/"},{"date":"2026-04-27","event":"Coordinated promotional articles promoting the malicious tools were published simultaneously across multiple legitimate news websites, distributed via EIN Presswire and syndicated to USA TODAY Network partner outlets.","source":"Check Point Research","source_url":"https://research.checkpoint.com/2026/from-stars-to-upvotes-fake-reputation-fueling-a-crypto-clipboard-hijacker/"},{"date":"2026-06-18","event":"GBHackers and Infosecurity Magazine publish coverage of the campaign based on Check Point findings.","source":"Infosecurity Magazine","source_url":"https://www.infosecurity-magazine.com/news/crypto-clipboard-hijacker-fake/"},{"date":"2026-06-19","event":"Check Point Research publishes full technical report 'From Stars to Upvotes: Fake Reputation Fueling a Crypto Clipboard Hijacker,' disclosing the campaign with indicators of compromise. Help Net Security also publishes coverage.","source":"Check Point Research","source_url":"https://research.checkpoint.com/2026/from-stars-to-upvotes-fake-reputation-fueling-a-crypto-clipboard-hijacker/"},{"date":"2026-06-19","event":"The Hacker News and Cybersecurity News publish coverage of the campaign, expanding public awareness of the malicious GitHub accounts, SourceForge page, and YouTube channel.","source":"The Hacker News","source_url":"https://thehackernews.com/2026/06/crypto-clipper-campaign-abuses-fake.html"}]},"v":1}

Verify offline (run on your own machine): python -m src.verify_decision 83048438-467c-45b0-a98d-9e3843a6c4f5
How verification works. The “Row integrity” check above is computed in your browser: your machine recomputes the SHA-256 of the canonical bytes and compares it against the stored hash. No avoid.net server can fake that check. The “full verify” link goes one level deeper: your browser fetches the on-chain transaction from a Solana RPC node and confirms that the same hash is in the memo. If you don’t want to trust either avoid.net or the public RPC, run the CLI verifier on your own machine: python -m src.verify_decision <event_id>.