GitHub Notifications Abused to Impersonate Y Combinator and Steal Wallet Funds

In a recent surge of highly targeted phishing attacks, adversaries have exploited GitHub’s notification system to impersonate Y Combinator, tricking developers and startup founders into surrendering cryptocurrency wallet credentials and depositing funds under the guise of startup funding verification.

By registering typo-squatted GitHub accounts and repositories, the attackers generated automated issue tags and deployed fraudulent GitHub Apps to lend credibility to their messages.

This campaign highlights a worrying trend of cybercriminals abusing trusted collaboration platforms and esteemed brands to bypass user skepticism and execute financial theft.

The Attack Unfolds: Mass Issue Tagging and Phony Apps

The orchestrators of this scheme created dozens of GitHub accounts with names nearly identical to “Y Combinator,” including “ycombinato,” “ycombbinator,” and “yc-combinator”.

Each account spawned hundreds of new issues per minute across repositories, tagging random users en masse.

The notifications were crafted to mirror official Y Combinator communications, stating that recipients had been selected for funding and prompting them to complete an “authorization process.”

Victims received both GitHub alerts and email follow-ups urging them to “verify their wallets” or transfer a small deposit for the next funding phase.

To enhance the illusion of legitimacy, the attackers published GitHub Apps titled “ycombinatornotify” and “mail-notification-automatic.” Once installed by unsuspecting users, these apps further automated issue creation and notification delivery.

Automated scripts sustained the campaign until GitHub’s abuse detection systems flagged and deleted the rogue repositories and user accounts.

However, the attackers demonstrated agility by rapidly spawning replacement accounts, ensuring the phishing notifications persisted.

Fake Domains and Wallet Phishing

Victims clicking the GitHub notifications were often redirected to phishing domains such as “y-comblnator.com” and similarly typo-squatted URLs.

These sites reproduced Y Combinator’s official branding and user interface, guiding visitors through faux verification procedures designed to harvest private wallet keys or request cryptocurrency deposits.

The subtle character substitutions and hyphen insertions in the domain names allowed the phishing pages to evade casual detection by users and automated scanners.

Reports indicate that even after initial repos were taken down, victims continued to receive phishing notifications from newly registered accounts.

Users shared warnings on Hacker News and GitHub forums, urging peers to verify any Y Combinator communication through official channels before taking action.

Many tagged Y Combinator’s security team at [email protected] and filed abuse reports via GitHub, although some encountered delays or issues with the platform’s reporting workflow.

Persistent Threat and Mitigation Strategies

Beyond reporting, affected developers resorted to API-based filters and scripts to purge lingering spam notifications, as GitHub’s user interface often failed to display them properly.
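
As an added illustration of the kind of API-based filter described above (example code written for this article, not a script from the affected developers or from GitHub), the following Python flags issue notifications whose repository owner is a near-match of the Y Combinator name and, when a token is present, marks them read and unsubscribes through GitHub's notification-thread endpoints. The sample payload is constructed in the shape of the GET /notifications response; the GITHUB_TOKEN variable and the 0.8 similarity threshold are assumptions.

```python
import difflib
import os
import urllib.request

# Brand the squatted logins imitate ("ycombinato", "ycombbinator", "yc-combinator").
BRAND = "ycombinator"

def looks_like_brand(login, threshold=0.8):
    """Near-match of BRAND after lower-casing and dropping hyphens/underscores; the exact name is the real org."""
    norm = login.lower().replace("-", "").replace("_", "")
    if norm == BRAND:
        return False
    return difflib.SequenceMatcher(None, norm, BRAND).ratio() >= threshold

def select_spam_threads(notifications):
    """Thread ids of issue notifications (the campaign used mass issue tagging) from brand-lookalike owners."""
    hits = []
    for n in notifications:  # each item has the shape of GET /notifications
        if n.get("subject", {}).get("type") != "Issue":
            continue
        owner = n.get("repository", {}).get("owner", {}).get("login", "")
        if looks_like_brand(owner):
            hits.append(n["id"])
    return hits

def purge(token, thread_ids):
    """Mark each thread read (PATCH) and unsubscribe (DELETE); assumes a token with the notifications scope."""
    hdrs = {"Authorization": f"Bearer {token}", "Accept": "application/vnd.github+json"}
    for tid in thread_ids:
        for method, path in (("PATCH", f"/notifications/threads/{tid}"),
                             ("DELETE", f"/notifications/threads/{tid}/subscription")):
            req = urllib.request.Request("https://api.github.com" + path, method=method, headers=hdrs)
            urllib.request.urlopen(req).close()

# Constructed sample shaped like the API response; not real notification data.
SAMPLE = [
    {"id": "1", "subject": {"type": "Issue"}, "repository": {"owner": {"login": "ycombbinator"}}},
    {"id": "2", "subject": {"type": "Issue"}, "repository": {"owner": {"login": "yc-combinator"}}},
    {"id": "3", "subject": {"type": "Issue"}, "repository": {"owner": {"login": "ycombinato"}}},
    {"id": "4", "subject": {"type": "PullRequest"}, "repository": {"owner": {"login": "ycombbinator"}}},
    {"id": "5", "subject": {"type": "Issue"}, "repository": {"owner": {"login": "ycombinator"}}},
    {"id": "6", "subject": {"type": "Issue"}, "repository": {"owner": {"login": "octocat"}}},
]

if __name__ == "__main__":
    ids = select_spam_threads(SAMPLE)
    print("threads to purge:", ids)  # ['1', '2', '3']
    if os.environ.get("GITHUB_TOKEN"):  # assumed env var; only then touch the live API
        purge(os.environ["GITHUB_TOKEN"], ids)
```

The real organisation's exact login is excluded on purpose so legitimate notifications are not purged, and only issue threads are touched because that is the vector the campaign used.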

They also submitted the fraudulent domains to browser and search engine phishing protection lists, curbing some of the redirect traffic.

In response, GitHub has accelerated its removal of scam repositories and suspended the associated accounts.

Yet, the adaptability of the attackers suggests that further waves of notification-based phishing could emerge.

This incident underscores the importance of verifying unsolicited platform notifications, especially those promising financial gain.

Developers and startup founders should confirm any funding or authorization communications directly with organizations via known, official channels.

Reporting suspicious activity immediately and applying strict filters to automated notifications can help mitigate this evolving threat vector.


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
