Security Report: Organized Malware Campaign Targeting Crypto Users via Fake Balance Tools

[LotusHirasawaSusumu]

Security Report: Organized Malware Campaign Targeting Crypto Users via Fake Balance Tools

Report Date: January 28, 2026
Reporter: Previous malware victim
Status: Active distribution, immediate community action requested

Summary

An organized criminal group is currently operating a network of repositories on GitHub distributing malware disguised as "fake balance" or "flash" tools for cryptocurrency wallets (Phantom, Trust, OKX, Electrum, Atomic, Exodus).

These repositories are not harmless prank tools. They distribute actual malware designed to display fake balances and trick victims into sending real cryptocurrency to attackers. Multiple samples contain confirmed trojans and downloaders.

• 12+ repositories following identical patterns
• Confirmed trojan in at least one release (VirusTotal 12/63)
• Coordinated throwaway accounts creating new repos regularly

Technical Evidence

Confirmed Malicious Sample

• Repository: Syedaayan/Electrum-Fake-Balance-Flash-Crypto-CryptoCurrencies-Wallet
• File: OKX.sandbox.7z (via GitHub Releases)
• SHA-256: 93a9b82398bea54ea98d0e4ddcfbb24f81f4bc861db57c72b567288cde992924
• VirusTotal: Analysis Link
• Detection Rate: 12/63 engines (AhnLab, Avast, DrWeb, Kaspersky, Sophos, etc.)
• Classification: Trojan-Downloader, Evo-gen, Mal/Generic-S

Notable Detections:

• Kaspersky: HEUR:Trojan-Downloader.Script.Agent.gen
• DrWeb: Trojan.Siggen32.19580
• Avast: Win64:Evo-gen [Trj]
• Sophos: Mal/Generic-S

This is a confirmed trojan, not a false positive.

Attack Pattern Analysis

This operation shows characteristics of an organized criminal effort:

Indicator	Details
Repository Naming	Systematic 70-90 character strings containing "Fake-Web3-Flash-Balance-CryptoCurrencies"
Code Base	Uniformly C# projects with identical structure
Metadata	Copy-pasted topics/tags (crypto, ethereum, wallet, fake-balance)
Descriptions	Verbatim text across repos, some explicitly stating intent to "trick users into sending real assets"
Account Patterns	Throwaway usernames (Astrivaapt, Aestrivuapt, Aide1978, Daeena75, HangTheD14, etc.)
Timeline	Coordinated creation in clusters (Jun/Jul/Oct/Dec 2025, Jan 2026)

Confirmed Malicious Repositories

The following repositories are confirmed to be part of this campaign and should be reported:

1. Astrivaapt/Phantom-Wallet-Fake-Web3-Flash-Balance-CryptoCurrencies-Crypto (Jun 2025)
2. Aide1978/okx-fake-balance (Updated 1 week ago)
3. dariavoronin6/trust-fake-balance (Updated 1 week ago)
4. Aestrivuapt/Okx-Wallet-Fake-Balance-CryptoCurrencies-Web3-Flash-Crypto (Oct 2025)
5. Aestrivuapt/Trust-Wallet-Fake-Web3-Flash-Balance-CryptoCurrencies-Crypto (Oct 2025)
6. Astrivaopd/Phantom-Wallet-Fake-Web3-Flash-Balance-CryptoCurrencies-Crypto (Jul 2025)
7. Daeena75/Phantom-Wallet-Fake-Web3-Flash-Balance-CryptoCurrencies-Crypto (Oct 2025)
8. Dalcna75/Phantom-Wallet-Fake-Web3-Flash-Balance-CryptoCurrencies-Crypto (Dec 2025)
9. HangTheD14/Electrum-Fake-Balance-Flash-Crypto-CryptoCurrencies-Wallet (Oct 2025)
10. HangTheDrt/Electrum-Fake-Balance-Flash-Crypto-CryptoCurrencies-Wallet (Dec 2025)
11. Aestrivuapt/Atomic-Wallet-Fake-Balance-Flash-Crypto-CryptoCurrencies (Oct 2025)
12. Syedaayan/Electrum-Fake-Balance-Flash-Crypto-CryptoCurrencies-Wallet (Updated 1 hour ago, contains live trojan)
13. logan0311/Electrum-Fake-Balance-Flash-Crypto-CryptoCurrencies-Wallet
14. Harmo7niasz/Trust-Wallet-Web3-Balance-CryptoCurrencies-Crypto
15. AesopEabt/Atomic-Wallet-Crypto-CryptoCurrencies
16. spiderwebsdk/Exodus-Fake-Balance
17. Hyzetva/Electrum-Crypto-CryptoCurrencies-Wallet

#	Repository	Notes
1	Astrivaapt/Phantom-Wallet-Fake-Web3-Flash-Balance-CryptoCurrencies-Crypto
2	Aide1978/okx-fake-balance
3	dariavoronin6/trust-fake-balance
4	Aestrivuapt/Okx-Wallet-Fake-Balance-CryptoCurrencies-Web3-Flash-Crypto
5	Aestrivuapt/Trust-Wallet-Fake-Web3-Flash-Balance-CryptoCurrencies-Crypto
6	Astrivaopd/Phantom-Wallet-Fake-Web3-Flash-Balance-CryptoCurrencies-Crypto
7	Daeena75/Phantom-Wallet-Fake-Web3-Flash-Balance-CryptoCurrencies-Crypto
8	Dalcna75/Phantom-Wallet-Fake-Web3-Flash-Balance-CryptoCurrencies-Crypto
9	HangTheD14/Electrum-Fake-Balance-Flash-Crypto-CryptoCurrencies-Wallet
10	HangTheDrt/Electrum-Fake-Balance-Flash-Crypto-CryptoCurrencies-Wallet
11	Aestrivuapt/Atomic-Wallet-Fake-Balance-Flash-Crypto-CryptoCurrencies
12	Syedaayan/Electrum-Fake-Balance-Flash-Crypto-CryptoCurrencies-Wallet	Contains confirmed trojan
13	logan0311/Electrum-Fake-Balance-Flash-Crypto-CryptoCurrencies-Wallet
14	Harmo7niasz/Trust-Wallet-Web3-Balance-CryptoCurrencies-Crypto
15	AesopEabt/Atomic-Wallet-Crypto-CryptoCurrencies
16	spiderwebsdk/Exodus-Fake-Balance
17	Hyzetva/Electrum-Crypto-CryptoCurrencies-Wallet

Additional similar repositories continue to appear.

Note: Additional similar repositories are being identified daily.

Recommended Actions

For GitHub Users (Community Action)

Please report each repository:

1. Navigate to the repository
2. Click Report abuse
3. Select This abuses GitHub by distributing malware or spam
4. Reference this coordinated campaign in your report

For GitHub Security Team

• Immediate suspension of listed repositories and associated accounts
• Pattern analysis to identify additional accounts in this network
• Review of release attachments for the listed SHA-256 hash and related samples

Impact

These repositories actively distribute malware that results in direct financial loss to victims. The tools are designed to socially engineer users into transferring real cryptocurrency to attacker-controlled addresses, resulting in irreversible transactions.

Community reports help accelerate takedowns. If you encounter additional repositories matching this pattern, please comment below.

---

Thank you for helping maintain the security of the GitHub community.

[josephjames8]

Thanks for sharing this reports like this are crucial since these “fake balance” tools keep trapping new users. A good reminder to stick to verified wallets and legit Real Earning APPs only. Hopefully this helps others avoid getting burned.