Cybercriminals have executed an elaborate phishing campaign that hijacks GitHub’s notification system to impersonate the startup accelerator Y Combinator and steal cryptocurrency from developers.
The attackers used GitHub’s own legitimate infrastructure, specifically its issue tracking system, to mass-distribute phishing notifications. This method allowed them to easily bypass common email security filters.
The threat actors set up multiple malicious GitHub accounts using names that closely resembled Y Combinator, such as "ycombinato" and "ycoommbinator," and created a malicious GitHub application called "ycombinatornotify."
They showed a sophisticated knowledge of GitHub’s system by generating hundreds of issues in their fake repositories and @-mentioning numerous random users in each one, so that GitHub itself sent a notification to every user mentioned. Because these notifications originated from GitHub's official system, they appeared authentic to recipients.
The phishing messages claimed the developers had been "selected for funding" and required them to verify their cryptocurrency wallets or make an authorization deposit to access the supposed investment opportunity. This social engineering tactic exploited the developer community's desire for the prestige and funding associated with Y Combinator.
Stealing Crypto Credentials
The operation also used typosquatting: the attackers registered the lookalike domain y-comblnator.com, spelling "combinator" with a lowercase "l" in place of the "i". This domain hosted a convincing but fake replica of the official Y Combinator website, designed to harvest cryptocurrency wallet credentials and private keys from unsuspecting victims.
GitHub's security team responded by suspending the malicious accounts and repositories. However, because the campaign was spread across many accounts, its effects persisted for users after the takedown: affected developers reported phantom notification badges that could only be cleared manually through complex API commands.
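For a developer left with lingering badges, the clean-up runs through GitHub's REST notifications API. The following is an added example, not code from the article or from GitHub, that lists notification threads with GET /notifications, keeps only unread @-mention threads whose repository belongs to a known impersonation account, and then marks each one read (PATCH /notifications/threads/{id}) and done (DELETE /notifications/threads/{id}). The suspicious-owner set, the sample notification objects and the GITHUB_TOKEN environment variable are constructed for this illustration; the request shape follows GitHub's documented API conventions.

```python
"""Clear lingering GitHub notification threads sent from impersonation accounts.

Added example (not the page's, GitHub's or Y Combinator's code). Uses GitHub's
REST notifications API; sample data and the suspicious-owner set are constructed.
"""
import json
import os
import urllib.request

API = "https://api.github.com"


def build_request(method, path, token, body=None):
    """Assemble one authenticated API request with the headers GitHub expects."""
    headers = {
        "Accept": "application/vnd.github+json",
        "Authorization": f"Bearer {token}",
        "X-GitHub-Api-Version": "2022-11-28",
    }
    data = json.dumps(body).encode() if body is not None else None
    return urllib.request.Request(API + path, data=data, headers=headers, method=method)


def select_threads(notifications, suspicious_owners):
    """Pick unread @-mention threads whose repository belongs to a suspicious owner."""
    picked = []
    for n in notifications:
        owner = n.get("repository", {}).get("owner", {}).get("login", "").lower()
        if n.get("unread") and n.get("reason") == "mention" and owner in suspicious_owners:
            picked.append(n["id"])
    return picked


def clear_threads(thread_ids, token, opener=urllib.request.urlopen):
    """Mark each thread read, then done, so its badge disappears; returns HTTP statuses."""
    results = {}
    for tid in thread_ids:
        for method in ("PATCH", "DELETE"):
            with opener(build_request(method, f"/notifications/threads/{tid}", token)) as resp:
                results.setdefault(tid, []).append(resp.status)
    return results


# Constructed sample in the shape the API returns: two impersonation mentions, one real.
SAMPLE = [
    {"id": "1001", "unread": True, "reason": "mention",
     "repository": {"full_name": "ycombinato/funding", "owner": {"login": "ycombinato"}},
     "subject": {"type": "Issue", "title": "You have been selected for funding"}},
    {"id": "1002", "unread": True, "reason": "mention",
     "repository": {"full_name": "ycoommbinator/apply", "owner": {"login": "ycoommbinator"}},
     "subject": {"type": "Issue", "title": "Verify your wallet"}},
    {"id": "1003", "unread": True, "reason": "review_requested",
     "repository": {"full_name": "teammate/project", "owner": {"login": "teammate"}},
     "subject": {"type": "PullRequest", "title": "Fix build"}},
]
SUSPICIOUS = {"ycombinato", "ycoommbinator"}  # constructed, from the names in the article

if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")
    if not token:
        print("Dry run (GITHUB_TOKEN not set); would clear:", select_threads(SAMPLE, SUSPICIOUS))
    else:
        with urllib.request.urlopen(build_request("GET", "/notifications?all=true&per_page=100", token)) as r:
            live = json.load(r)
        print(clear_threads(select_threads(live, SUSPICIOUS), token))
```

The filter deliberately keys on both the "mention" reason and the repository owner rather than marking everything read, so that a genuine review request from a colleague (the third sample entry) survives the clean-up. The `opener` parameter lets the network step be swapped out, which is how the selection and request-building logic can be checked offline.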
This incident underscores a growing vulnerability in collaborative platforms, where legitimate notification systems can be weaponized for large-scale phishing campaigns targeting high-value targets like technical professionals who are likely to hold digital assets.