The premise is simple. If you fork a stealer on GitHub and commit your own exfiltration credentials, those credentials are now public. We wrote scrapers to systematically check forks of popular open-source malware projects for hardcoded Telegram bot tokens, Discord webhook URLs, and cryptocurrency wallet addresses. Then we tested every token and webhook against the live APIs. What we found was active infrastructure, identifiable operators, and in one case, a fully compiled malware binary sitting in a public repository.
The Method
GitHub hosts dozens of actively maintained stealer and RAT projects. The developers tag them as "educational" or "for research only" while providing GUI builders, anti-analysis modules, and exfiltration pipelines. The tools are functional out of the box. The barrier to entry is a GitHub account and the ability to paste a webhook URL into a config file.
We targeted forks of five projects: PySilon-malware (1,177 stars, 193 forks — a Discord-controlled Python RAT), Blank-Grabber (994 stars, 275 forks — a Python stealer with builder GUI), phantom-stealer (26 stars — a Go-based infostealer), Discord-RAT, and PySpy. For each project, we pulled the fork list via the GitHub API, filtered for forks that had been pushed after the parent repository’s last commit (indicating the fork had been modified), and then fetched the configuration files from each modified fork. We extracted any Telegram bot tokens, Discord webhook URLs, and cryptocurrency wallet addresses that differed from the parent’s placeholders.
Operator 1: Stonertje420
A fork of phantom-stealer by GitHub user lorenzofilali — account created January 10, 2026 — contained a fully configured Go infostealer with live exfiltration infrastructure. The operator made four commits on February 25, 2026 with messages including "Update config.go", "Improvement", "ewa", and "yes." The config file contained:
| Field | Value |
|---|---|
| Discord Webhook | 1476012056774967446/QMoimc423mQeiJ5-kFb_6Ox2LEf2R-wTtWRQhLmCQfQfKuUR-svUlHqWdBjQnCqasBzc |
| Telegram Bot Token | 8663112401:AAH8iT2OITdNX5h4qWWQcFiU6wh3t-jToJI |
| Telegram Chat ID | 6044905994 |
| Build ID | phantom-v1.0 |
| Mutex | phantom_mtx_7f3a9b2c |
We queried each indicator against the live APIs:
- The Telegram bot resolved as @Patty_1312Bot, display name "L.G. Escorte Service," bot ID 8663112401. Status: live.
- The Discord webhook resolved as "Captain Hook" on guild 1476011897424973937, channel 1476011898565693464. Status: live.
- The Telegram Chat ID 6044905994 resolved to a private user: Stonertje420, username @stonertje.
The operator’s GitHub account has exactly two repositories: the phantom-stealer fork and a second repo called TheNewHelper — a repackaged copy of the same stealer with the module name phantom in go.mod. The TheNewHelper repo contains a committed compiled binary: __debug_bin.exe, an 11MB Go Windows executable. The build script (build.ps1) includes instructions for Garble obfuscation, UPX compression, and stripping debug symbols. The .gitignore lists config/prod.go and config/local.go as files that should never be committed — but the operator committed config.go with production credentials anyway.
Attribution indicators: The commit message "ewa" is Dutch/Moroccan-Dutch slang. The Telegram username @stonertje is Dutch (diminutive of "stoner"). The bot name includes "1312" — numeric shorthand for ACAB. The GitHub account was created two months ago with no profile information. This is consistent with a low-sophistication Dutch-speaking operator deploying commodity malware with zero operational security.
The Stealer: Full Capability Map
Phantom Stealer v1.0 is a Go-based infostealer targeting Windows. The configuration file maps the complete target set:
Browsers (Chromium + Firefox credential extraction via DPAPI/AES-GCM): Chrome, Edge, Brave, Opera, Opera GX, Vivaldi, Yandex, Chromium, Firefox, Waterfox. Extracts passwords, cookies, credit cards, autofill data, and browsing history.
Desktop crypto wallets (12 families): Exodus, Electrum, Atomic, Jaxx, Coinomi, Guarda, Bitcoin Core, Litecoin Core, Dash Core, Monero, ZCash, Wasabi.
Browser extension wallets (35+ extensions): MetaMask, TronLink, Binance Chain, Coin98, Phantom (Solana), Keplr (Cosmos), XDEFI, BitKeep, Ronin (Axie Infinity), Coinbase, Trust Wallet, TON, OneKey, and 20+ others. Each identified by Chrome extension ID.
Token theft: Discord (6 desktop client paths + 6 browser session paths), Telegram (tdata session files), Steam (ssfn + config).
File grabber: Desktop, Documents, Downloads — targeting .txt, .doc, .docx, .xls, .xlsx, .pdf, .json, .csv, .db, .sqlite, .key, .pem, .ppk, .kdbx, .rdp, .ovpn, .conf, .wallet, .dat. Max 5MB per file.
Evasion: Anti-VM detection, anti-debug checks, AMSI patching, ETW patching, Windows Defender exclusion injection. Optional registry persistence and self-deletion.
Exfiltration: Primary via Discord webhook, fallback to Telegram bot. All stolen data packaged and sent as a single archive.
Finding 2: Live Enigma Stealer C2
A separate search for Telegram bot tokens across public repositories surfaced a token embedded in the MITRE Center for Threat-Informed Defense’s TRAM training dataset — an Enigma Stealer sample documented for machine learning classification. The bot is still live:
| Field | Value |
|---|---|
| Bot Username | @EnigmaTestMessage_001_bot |
| Bot Display Name | EnigmaTestMessage_001 |
| Bot ID | 5894962737 |
| Webhook URL | https://mfjyb716[.]qermznc[.]sbs/100385/bot.php |
| Webhook IP | 104.21.22.138 (Cloudflare) |
| Max Connections | 40 |
The webhook points to a PHP endpoint on qermznc[.]sbs — a domain with a DGA-style name on the .sbs TLD, which is heavily abused by cybercriminals. Certificate Transparency logs reveal seven additional subdomains on the same domain, all following the same random-alphanumeric pattern:
| Subdomain | Certificate Issued |
|---|---|
mfjyb716[.]qermznc[.]sbs | 2026-01-17 |
jgudc567[.]qermznc[.]sbs | 2025-07-17 |
kjbpp508[.]qermznc[.]sbs | 2025-07-17 |
twszv363[.]qermznc[.]sbs | 2025-07-17 |
nhftt822[.]qermznc[.]sbs | 2025-07-17 |
bskoh933[.]qermznc[.]sbs | 2025-07-17 |
chxpf777[.]qermznc[.]sbs | 2025-07-17 |
jkwan723[.]qermznc[.]sbs | 2025-07-17 |
Each subdomain likely represents a separate campaign or victim grouping. The infrastructure has been active since at least July 2025, with the most recent certificate issued January 2026. All subdomains resolve to Cloudflare IPs and return HTTP 403 when accessed directly — the C2 only responds to properly formatted bot API callbacks.
The Open-Source Malware Ecosystem
The five parent repositories we targeted represent a fraction of the malware hosted openly on GitHub. PySilon alone has 193 forks and nearly 1,200 stars. Its feature set includes a crypto clipper, keylogger, file encryption (ransomware), fork bomb, and a GUI builder that generates ready-to-deploy payloads. The developer tags the repository with malware, stealer, keylogger, and remote-access-trojan — then wraps it in an MIT license and a disclaimer.
The Blank-Grabber project, with 275 forks, provides a point-and-click builder for credential-stealing malware. Several related projects — Hazard-Grabber, PirateStealer, Creal-Stealer — have been removed by GitHub, but their forks persist. The phantom-stealer project, despite being only three months old, has already been forked five times and produced at least one confirmed deployment with live exfiltration.
The pattern is consistent: a developer publishes a full-featured tool. Script kiddies fork it, configure their exfiltration endpoints, and deploy. The smarter ones use private repos. The rest leave their Telegram bot tokens, Discord webhooks, and cryptocurrency wallets permanently indexed in public code.
What This Means
Systematic fork scanning is a viable, repeatable intelligence collection method. Every fork of an open-source stealer is a potential window into an active operation. The indicators we extracted — bot tokens, webhook URLs, chat IDs, wallet addresses, mutex names, build IDs — are the operational fingerprints of real campaigns. Most will never appear in traditional threat intelligence feeds because nobody is looking at the forks.
We are.