Forked and Burned: Hunting Live Stealer Operators Through GitHub | Intercept Cell
Open-source malware is an assembly line. Developers publish fully functional infostealers on GitHub under the fiction of "educational purposes." Script kiddies fork them, paste in their own Discord webhooks and Telegram bot tokens, and deploy. They rarely consider that their exfiltration infrastructure is now permanently indexed in a public repository. We systematically scanned forks of popular stealer projects and found live operators with active Telegram bots and Discord channels still receiving stolen data. One operator, a Dutch-speaking actor operating as "Stonertje420", committed a compiled Go-based stealer binary, a live Telegram bot, and a Discord webhook to GitHub nine days ago. A second finding: an Enigma Stealer Telegram bot still active with a PHP webhook pointing to a multi-subdomain C2 network on a DGA-style .sbs domain.
The premise is simple. If you fork a stealer on GitHub and commit your own exfiltration credentials, those credentials are now public. We wrote scrapers to systematically check forks of popular open-source malware projects for hardcoded Telegram bot tokens, Discord webhook URLs, and cryptocurrency wallet addresses. Then we tested every token and webhook against the live APIs. What we found was active infrastructure, identifiable operators, and in one case, a fully compiled malware binary sitting in a public repository.

GitHub hosts dozens of actively maintained stealer and RAT projects. The developers tag them as "educational" or "for research only" while providing GUI builders, anti-analysis modules, and exfiltration pipelines. The tools are functional out of the box. The barrier to entry is a GitHub account and the ability to paste a webhook URL into a config file.

We targeted forks of five projects: **PySilon-malware** (1,177 stars, 193 forks; a Discord-controlled Python RAT), **Blank-Grabber** (994 stars, 275 forks; a Python stealer with builder GUI), **phantom-stealer** (26 stars; a Go-based infostealer), **Discord-RAT**, and **PySpy**. For each project, we pulled the fork list via the GitHub API, filtered for forks that had been pushed after the parent repository's last commit (indicating the fork had been modified), and then fetched the configuration files from each modified fork. We extracted any Telegram bot tokens, Discord webhook URLs, and cryptocurrency wallet addresses that differed from the parent's placeholders.

A fork of **phantom-stealer** by GitHub user lorenzofilali (account created January 10, 2026) contained a fully configured Go infostealer with live exfiltration infrastructure. The operator made four commits on February 25, 2026 with messages including "Update config.go", "Improvement", "ewa", and "yes." The config file contained:

We queried each indicator against the live APIs:
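The fork-filtering and indicator-extraction steps of the methodology above, as an added example that is not the authors' scraper: it runs on a constructed forks-API response and constructed config fragments rather than live GitHub data, and the live-API verification step is left out. Names such as example-operator and every token, webhook and wallet value are placeholders.

```python
"""Pick out modified forks of a stealer project and extract the exfiltration
indicators an operator pasted over the parent's placeholders.
All sample data below is constructed for this example, not taken from GitHub."""
import re
from datetime import datetime, timezone

# Indicator shapes: Telegram bot tokens (numeric id, colon, 35-char secret),
# Discord webhook URLs, and BTC / ETH address formats.
PATTERNS = {
    "telegram_bot_token": re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{35}\b"),
    "discord_webhook": re.compile(
        r"https://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+"),
    "btc_address": re.compile(
        r"\b(?:bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"),
    "eth_address": re.compile(r"\b0x[a-fA-F0-9]{40}\b"),
}

def parse_ts(s):
    """Parse a GitHub API timestamp such as 2026-02-25T09:41:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def modified_forks(forks, parent_pushed_at):
    """Keep forks pushed after the parent's last push (GET /repos/{owner}/{repo}/forks
    returns 'pushed_at' per fork); untouched forks still carry the placeholders."""
    cutoff = parse_ts(parent_pushed_at)
    return [f["full_name"] for f in forks if parse_ts(f["pushed_at"]) > cutoff]

def extract_indicators(config_text):
    """Return {kind: set(values)} for every indicator pattern found in a config."""
    return {k: set(p.findall(config_text)) for k, p in PATTERNS.items()}

def operator_indicators(parent_config, fork_config):
    """Indicators present in the fork but not in the parent: the operator's own."""
    parent, fork = extract_indicators(parent_config), extract_indicators(fork_config)
    return {k: sorted(fork[k] - parent[k]) for k in PATTERNS if fork[k] - parent[k]}

def scan(forks, parent_pushed_at, parent_config, fork_configs):
    """fork_configs maps fork full_name -> config text (constructed here; in practice
    fetched from each modified fork's raw config file)."""
    hits = {}
    for name in modified_forks(forks, parent_pushed_at):
        found = operator_indicators(parent_config, fork_configs.get(name, ""))
        if found:
            hits[name] = found
    return hits

# Constructed sample data (placeholder fork names, token, webhook and wallet).
PARENT_PUSHED_AT = "2026-01-20T12:00:00Z"
SAMPLE_FORKS = [
    {"full_name": "untouched-user/example-stealer", "pushed_at": "2026-01-20T12:00:00Z"},
    {"full_name": "example-operator/example-stealer", "pushed_at": "2026-02-25T09:41:00Z"},
]
PARENT_CONFIG = 'TelegramToken = "YOUR_BOT_TOKEN_HERE"\n' \
    'DiscordWebhook = "https://discord.com/api/webhooks/000000000000000000/REPLACE_ME"\n'
FORK_CONFIG = 'TelegramToken = "123456789:AAEexampleTOKENconstructedNotReal01"\n' \
    'DiscordWebhook = "https://discord.com/api/webhooks/111122223333444455/constructed-webhook-id"\n' \
    'BtcWallet = "bc1qexampleconstructedaddressnotreal0000"\n'

if __name__ == "__main__":
    for fork, found in scan(SAMPLE_FORKS, PARENT_PUSHED_AT, PARENT_CONFIG,
                            {"example-operator/example-stealer": FORK_CONFIG}).items():
        print(fork)
        for kind, values in found.items():
            print(f"  {kind}: {', '.join(values)}")
```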