v2 said the math could detect them.
v3 turned it loose on the market.
v2 validated one operator. v3 pointed the calibrated math at seven adjacent verticals in a single workday. The farm has neighbors — at least nine more star-farm operators across two continents, two malware-kit fingerprints, one cross-vertical link, and one operator who left his real name in his college final-exam repository.
Coordinated inauthentic behavior on GitHub is not a phenomenon. It is a market.
v1 found one cluster. v2 calibrated the math. v3 ran the methodology against seven verticals in eight hours. What surfaced is not a single farm scaled up — it is a working market with multiple operator types running parallel campaigns against distinct victim populations.
The twelve operators surfaced
The toolchain detects each type with a different signal axis. The conjunction of axes plus per-operator anchor sets makes attribution falsifiable rather than impressionistic.
Output as of 2026-04-26: 154 distinct bots across 6 isolated cfnb-vertical fleets · 214 Polymarket seed accounts (extrapolated fleet ~1,000+) · 12 shell orgs running the Vietnamese kit · 4 shell orgs running the wallet-drainer kit · 13 aged accounts in the airdrop affiliate drop · 0 pairwise fleet overlap between the 6 cfnb-vertical operators · all verifiable from corpus/ecosystem/.
Operators don't all try to look organic.
The fastest and most-aggressive operator we surfaced makes no attempt at camouflage. The most-disciplined operator runs at a stargazer profile only six points above an organic-elevated AI vertical.
Bot-shape is the fraction of a repo's top-100 stargazers that pass the bot-shape filter (followers ≤ 1, public_repos ≤ 2, ≥ 80% star-only events, no bio, no key, no avatar; restated in full below). It is a coarse but stable signal: organic viral repos sit at 2–5%, organic-elevated populations at 10–15%, and a campaign becomes visible above 25%. Every additional point above the baseline costs the operator something: they need either dirtier accounts or more of them.
What this measures: per repo, take the top 100 stargazers, count how many pass the bot-shape filter (followers ≤ 1, public_repos ≤ 2, ≥ 80% star-only events, no bio, no key, no avatar). The percentage above is the count over 100. Cross-references: JuliusBrussee/caveman = 47K stars at 2% (organic viral). MemPalace at 20% looked borderline; propagation test confirmed organic-elevated. Polymarket at 96-97% required no further test.
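The scoring step described above, as an added example rather than the report's own toolchain. The filter terms are the six the report states; the field names on the profile record, the top-100 sampling convention (GitHub returns stargazers in starring order) and the band boundaries between 15% and 25% are this example's assumptions, and the stargazer lists it scores are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Stargazer:
    """One stargazer profile after the per-account lookup.
    Field names are this example's assumption, not the toolchain's schema."""
    login: str
    followers: int
    public_repos: int
    star_only_ratio: float   # fraction of the account's public events that are stars
    bio: Optional[str]
    has_key: bool            # any public SSH/GPG key on the profile
    has_avatar: bool         # custom (non-default) avatar


def is_bot_shaped(s: Stargazer) -> bool:
    """The filter as the report states it: all six terms must hold."""
    return (
        s.followers <= 1
        and s.public_repos <= 2
        and s.star_only_ratio >= 0.80
        and not s.bio
        and not s.has_key
        and not s.has_avatar
    )


def bot_shape_pct(stargazers: List[Stargazer], top_n: int = 100) -> float:
    """Percent of the first top_n stargazers (in starring order) that pass the
    filter. Repos with fewer than top_n stargazers are scored over what they
    have, so a tiny denominator makes the number noisy."""
    sample = stargazers[:top_n]
    if not sample:
        return 0.0
    return 100.0 * sum(1 for s in sample if is_bot_shaped(s)) / len(sample)


def classify(pct: float) -> str:
    """Bands from the report's calibration: 2-5% organic viral, 10-15%
    organic-elevated, 25%+ campaign. 15-25% is the MemPalace-style borderline
    that needs the propagation test before it is called either way."""
    if pct >= 25.0:
        return "campaign"
    if pct >= 15.0:
        return "borderline"
    if pct >= 10.0:
        return "organic-elevated"
    return "organic"


def build_sample(n_bots: int, n_total: int = 100) -> List[Stargazer]:
    """Constructed stargazer list: n_bots filter-passing accounts followed by
    organic-looking ones. Exists only to exercise the scorer offline."""
    bots = [Stargazer(f"bot{i:03d}", 0, 1, 0.95, None, False, False) for i in range(n_bots)]
    humans = [Stargazer(f"dev{i:03d}", 12, 9, 0.30, "builds things", True, True)
              for i in range(n_total - n_bots)]
    return bots + humans


if __name__ == "__main__":
    for n in (2, 20, 96):
        pct = bot_shape_pct(build_sample(n))
        print(f"{n:3d} bot-shaped of 100 -> {pct:5.1f}% -> {classify(pct)}")
```

The conjunction matters: an account with 0 followers and 0 repos but a custom avatar does not pass, which is what keeps "AI-curious" lurkers from being counted as warehouse accounts wholesale.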
Thirty-one accounts, eight days, one was four hours ago.
Each circle below is a fleet member's first-ever star on xinyitang3/cfnb. The operator created the repo on 2026-04-19 and has activated their bot warehouse in coordinated waves since. The latest activation came in four hours before this article was rendered.
Wave 3 is the smoking gun
Thirteen distinct accounts coordinated to star one repo within thirteen hours on April 21. Wave 1 (six accounts on launch day, seven hours after the repo was created) and Wave 2 (one account on April 20) could pass for early adoption. Wave 3 cannot. The probability that thirteen organic accounts would converge on a freshly-minted Chinese network-circumvention repository within a 13-hour window is rounding-error small.
Four of the Wave 3 accounts (cate6014-lang, cmycxr5vtr-afk, tazai-blip, ayouak1) were CREATED AND STARRED ANCHORS WITHIN 24 HOURS of each other. The most-anchored fleet member, ybzbderen, was created 2018-10-16, sat dormant for over six years, then in February 2025 created five repos in sixteen days, four of them forks of the cfnb cluster's anchor tools. Those commits carry GitHub's auto-generated noreply author address (the <id>+<login>@users.noreply.github.com format), which is what web-UI commits produce; it suggests the operator never configured git config user.email locally, though a user can also set that address by hand, so it is a supporting signal rather than proof. Then, on 2026-04-21, the account starred xinyitang3/cfnb and two stallTCP1.32V2 variants in a 22-minute window.
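The wave test and the create-then-star check above, as an added example that is not the report's timeline tooling. Only the repo creation date (2026-04-19) comes from the report; the creation hour, every login and every star timestamp in the constructed timeline are made up, and the greedy windowing rule (an event joins the open wave if it is within the window of that wave's first event) is this example's choice.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Event = Tuple[str, datetime]  # (login, first star on the repo)


def waves(events: List[Event], window: timedelta, min_size: int = 3) -> List[List[Event]]:
    """Greedy left-to-right grouping: an event joins the open wave if it falls
    within `window` of that wave's first event, otherwise it opens a new one.
    Only waves with at least min_size distinct accounts are returned."""
    ordered = sorted(events, key=lambda e: e[1])
    found: List[List[Event]] = []
    current: List[Event] = []
    for ev in ordered:
        if current and ev[1] - current[0][1] > window:
            if len({login for login, _ in current}) >= min_size:
                found.append(current)
            current = []
        current.append(ev)
    if current and len({login for login, _ in current}) >= min_size:
        found.append(current)
    return found


def fresh_starrers(events: List[Event], account_created: Dict[str, datetime],
                   max_age: timedelta = timedelta(hours=24)) -> List[str]:
    """Logins whose first star on the repo came within max_age of their own
    account creation: the create-and-star-immediately shape of a warehouse account."""
    return sorted(login for login, starred in events
                  if starred - account_created[login] <= max_age)


# Constructed timeline shaped like the cfnb one: a launch-day cluster, a lone
# Apr 20 star, and a dense Apr 21 cluster. Hours, logins and timestamps are invented.
def T(day: int, hour: int, minute: int = 0) -> datetime:
    return datetime(2026, 4, day, hour, minute)

FIRST_STARS: List[Event] = (
    [(f"w1_acct{i}", T(19, 7 + i // 3, (i * 20) % 60)) for i in range(6)]     # Apr 19, 07:00..08:40
    + [("w2_lone", T(20, 12))]                                                  # a single star on Apr 20
    + [(f"w3_acct{i:02d}", T(21, 2) + timedelta(hours=i)) for i in range(13)]  # Apr 21, 02:00..14:00
)

ACCOUNT_CREATED: Dict[str, datetime] = {login: datetime(2020, 1, 1) for login, _ in FIRST_STARS}
for login in ("w3_acct00", "w3_acct01", "w3_acct02", "w3_acct03"):
    ACCOUNT_CREATED[login] = T(20, 20)   # created the evening before they starred


if __name__ == "__main__":
    for w in waves(FIRST_STARS, timedelta(hours=13)):
        span = w[-1][1] - w[0][1]
        print(f"{len(w)} accounts, {w[0][1]:%b %d %H:%M} -> {w[-1][1]:%H:%M} (span {span})")
    print("created and starred within 24h:", fresh_starrers(FIRST_STARS, ACCOUNT_CREATED))
```

Run with min_size=1 to see the lone Apr 20 star as its own wave; with the default of 3 it drops out, which is the right behaviour, since one early adopter is not evidence of anything. For repos with long histories, replace the greedy rule with a sliding window over every start event so a dense cluster that straddles a window boundary is not split in two.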
Operator locale: 25 of 31 fleet accounts leak nothing — pure stargazers, perfect operational hygiene. The 6 that DO leak give a Chinese-language signature: 3 leak QQ numeric IDs (375915328@qq.com, 1084021579@qq.com, 1353116457@qq.com), 3 leak random-string Gmails. cfnb's actual git commits are 100% timestamped UTC+0800 (China Standard Time). The cfnb operator is China-based with VPN routing.
Six independent star-farm operators in one vertical.
Take the 31 cfnb fleet members' full star streams. Build the co-stargazing matrix again — what other repos do ≥3 of them share, excluding the cfnb anchors? Forty-six candidates. Five validate as star-farm campaigns run by different operators.
The separation is operationally clean
Run the same per-operator dossier methodology on each of the six. Each operator runs 21–31 distinct seed repos, each on its own niche specialization (V2Ray panel admin, IPTV, Mihomo/Clash, IPTV API, iOS jailbreak), with zero pairwise fleet overlap across all 15 operator pairs. They overlap in tool usage — popular legitimate tools like iptv-org/iptv, MetaCubeX/mihomo, and blackmatrix7/ios_rule_script appear in multiple operators' matrices because the operators themselves use those tools — but their fleets are completely disjoint.
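The co-stargazing matrix and the pairwise fleet-overlap check from the two paragraphs above, as an added example that is not the report's toolchain (the same matrix build is also the second stage of the propagation test used later on the AI vertical). Star streams, fleet logins, anchor names and seed names are constructed; iptv-org/iptv and MetaCubeX/mihomo are the real tools the report names as shared noise.

```python
from collections import Counter
from itertools import combinations
from typing import Dict, List, Set, Tuple


def co_star_candidates(streams: Dict[str, Set[str]], anchors: Set[str],
                       min_shared: int = 3) -> List[Tuple[str, int]]:
    """Repos starred by at least min_shared fleet members, excluding the known
    anchors. Sorted by share count descending, then name, for stable output."""
    counts: Counter = Counter()
    for repos in streams.values():
        counts.update(repos - anchors)
    hits = [(repo, n) for repo, n in counts.items() if n >= min_shared]
    return sorted(hits, key=lambda rn: (-rn[1], rn[0]))


def split_tools(candidates: List[Tuple[str, int]], known_tools: Set[str]):
    """Popular legitimate tools show up because the operators themselves use
    them; strip them before running a per-operator dossier on what remains."""
    seeds = [c for c in candidates if c[0] not in known_tools]
    tools = [c for c in candidates if c[0] in known_tools]
    return seeds, tools


def pairwise_fleet_overlap(fleets: Dict[str, Set[str]]) -> Dict[Tuple[str, str], int]:
    """Shared logins for every operator pair. All zeros means disjoint fleets."""
    return {(a, b): len(fleets[a] & fleets[b]) for a, b in combinations(sorted(fleets), 2)}


# Constructed data: six fleet accounts, two anchors, a handful of other stars.
CFNB_ANCHORS = {"xinyitang3/cfnb", "anchorowner/stallTCP1.32V2"}   # second owner name invented
STREAMS: Dict[str, Set[str]] = {
    "fleet_a1": CFNB_ANCHORS | {"opB/v2ray-panel-seed", "iptv-org/iptv"},
    "fleet_a2": CFNB_ANCHORS | {"opB/v2ray-panel-seed", "iptv-org/iptv", "MetaCubeX/mihomo"},
    "fleet_a3": CFNB_ANCHORS | {"opB/v2ray-panel-seed", "MetaCubeX/mihomo"},
    "fleet_a4": CFNB_ANCHORS | {"opB/v2ray-panel-seed", "iptv-org/iptv", "MetaCubeX/mihomo"},
    "fleet_a5": CFNB_ANCHORS | {"opC/iptv-api-seed", "random/hobby-repo"},
    "fleet_a6": CFNB_ANCHORS | {"opC/iptv-api-seed", "random/hobby-repo"},
}
KNOWN_TOOLS = {"iptv-org/iptv", "MetaCubeX/mihomo", "blackmatrix7/ios_rule_script"}
FLEETS: Dict[str, Set[str]] = {
    "cfnb": set(STREAMS),
    "v2ray-panel": {"b01", "b02", "b03", "b04"},
    "iptv-api": {"c01", "c02", "c03"},
}


if __name__ == "__main__":
    cands = co_star_candidates(STREAMS, CFNB_ANCHORS)
    seeds, tools = split_tools(cands, KNOWN_TOOLS)
    print("candidates:", cands)
    print("seed candidates to dossier:", seeds)
    print("shared legitimate tools (ignored):", tools)
    for pair, n in pairwise_fleet_overlap(FLEETS).items():
        print(f"{pair[0]} x {pair[1]}: {n} shared logins")
```

Note that opC/iptv-api-seed is shared by only two fleet members and never surfaces at the default threshold; lowering min_shared to 2 pulls it in along with the hobby repo, which is the precision trade the ≥3 cutoff makes.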
This is star-farm-as-a-service. cfnb is one node in it. The Chinese network-circumvention vertical alone has at least six active operators, and we did not enumerate the full vertical — we mapped the slice the cfnb cohort touches.
The operator left his name in his college final-exam repository.
The Polymarket operator runs ~1,000 bot accounts across 20 shell orgs. Their stargazers run 96–97% bot-shape — the operator does not even attempt to look organic. The user-owned variant in the campaign is Pompeiuss. Pompeiuss has a public repository history.
AlarconEnzoPRG3final12_20255 decodes to "Programación 3 final" — third-year programming-course final exam.
The operator is named Enzo Alarcón.
The decode: the first thirteen Pompeiuss repositories are not crypto-trading bots. They are medical-records-management apps, a portfolio site, an image converter, a sound-promo landing page, and a Spanish-language third-year college programming final. The pivot to polymarket-arbitrage-trading-bot is on 2026-04-09. The bio reads "Top Trader On Polymarket"; location "Argetina" (typo for Argentina). The AlgoInfraTech shell org leaks shaneriddell41@gmail.com — possibly a partner or a fake-name contact channel. This is the largest, fastest-moving, and most cleanly attributed operator in this report.
When stars don't matter, the file boilerplate does.
Gaming-cheat operators don't need stars — their attack vector is GitHub-search visibility, not trending. Hunter's joint test is silent on them. But the kit emits boilerplate files at deterministic byte sizes, and that signature catches the operator regardless of which shell org owns the repo.
Verticals hit: gaming-cheats (Valorant · CS2 · FiveM · Apex) · Discord-raid · info-stealer · UAC-bypass
Targets: Atomic Wallet · Phantom Wallet · Electrum · OKX · Exodus · MetaMask · MyAlgo
Description observed: "Exploits Electrum wallets by displaying fake balances..." — operator does not hide intent
v0.7 hunter axis · --malware-kits DIR · 1 REST call per owned repo · ≥3-sentinel match flags account · cross-kit isolation verified
A gaming-cheat operator also runs Discord raid bots.
The Vietnamese kit's byte-size signature is preserved across verticals: the same .gitignore at 95 bytes, the same LICENSE at 1,187 bytes, the same SECURITY.md at 739 bytes. The repos carrying them sit in algorithmically-named shell orgs across four distinct attack categories.
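The kit-fingerprint match, as an added example rather than hunter's --malware-kits implementation. The three vietnamese_cheat sentinel sizes are the ones stated above; "kit_demo" is a made-up second kit used only to exercise the cross-kit isolation check and is not the wallet-drainer fingerprint, and the repo trees are constructed. The one REST call per owned repo is assumed to be the git trees endpoint (GET /repos/{owner}/{repo}/git/trees/{sha}), whose blob entries carry a byte size.

```python
from typing import Dict, List

# Sentinels: relative path -> exact byte size. vietnamese_cheat sizes are from
# the report; kit_demo is invented for the isolation check.
KITS: Dict[str, Dict[str, int]] = {
    "vietnamese_cheat": {".gitignore": 95, "LICENSE": 1187, "SECURITY.md": 739},
    "kit_demo": {".gitignore": 2031, "LICENSE": 1065, "README.md": 4410},
}
MIN_SENTINELS = 3


def blob_sizes(tree_payload: dict) -> Dict[str, int]:
    """Flatten a git trees API response into path -> size for blob entries."""
    return {e["path"]: e["size"] for e in tree_payload.get("tree", []) if e.get("type") == "blob"}


def kit_matches(files: Dict[str, int], kits=KITS, min_sentinels=MIN_SENTINELS) -> Dict[str, int]:
    """Kits whose sentinels this repo reproduces at exactly the same byte size,
    with the sentinel count. Below min_sentinels the kit is not reported."""
    out: Dict[str, int] = {}
    for kit, sentinels in kits.items():
        n = sum(1 for path, size in sentinels.items() if files.get(path) == size)
        if n >= min_sentinels:
            out[kit] = n
    return out


def score_account(owned: Dict[str, dict]) -> dict:
    """Per-account roll-up: which owned repos match which kit, plus an isolation
    check. A repo matching two kits means the fingerprints overlap and need
    tightening; it is reported as a collision rather than counted as a hit."""
    matches: Dict[str, List[str]] = {}
    collisions: List[str] = []
    for repo, payload in owned.items():
        hit = kit_matches(blob_sizes(payload))
        if len(hit) > 1:
            collisions.append(repo)
            continue
        for kit in hit:
            matches.setdefault(kit, []).append(repo)
    return {"flagged": bool(matches), "matches": matches, "collisions": collisions}


def tree(sizes: Dict[str, int]) -> dict:
    """Constructed trees-API payload with the given blob sizes."""
    return {"tree": [{"path": p, "type": "blob", "size": s} for p, s in sizes.items()]}


# Constructed owned repos for one suspect account. Names echo the report's
# verticals; file contents and sizes other than the three sentinels are invented.
OWNED: Dict[str, dict] = {
    "Valorant-Aimbot": tree({".gitignore": 95, "LICENSE": 1187, "SECURITY.md": 739, "README.md": 3120}),
    "Discord-Raider": tree({".gitignore": 95, "LICENSE": 1187, "SECURITY.md": 739, "main.py": 8801}),
    "dotfiles": tree({".gitignore": 95, "LICENSE": 1187, "install.sh": 410}),   # two of three: not enough
}


if __name__ == "__main__":
    print(score_account(OWNED))
```

The ≥3 rule is what keeps this from being a license-size detector: a LICENSE of a given standard size is shared by an enormous number of honest repos, and even two coinciding sizes happen by template reuse. Three exact sizes on three different boilerplate files is the conjunction that is hard to hit by accident.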
The operator candidate
Looking at who actually owns the kit-matched repos: most are organizations (Kanwmwr et al.), but there's one user account in the cluster — coderduc, created 2019-01-01, 38 followers, 94 public repos, public email tuanloantuduc123@gmail.com. The email decodes to a Vietnamese name pattern (Tuan Loan Tu Duc). Their repo history shows kernel-driver research targeting game anti-cheat (EAC, BattlEye, CS2, Valorant) since 2024, including a Chaos-Rootkit ("Now You See Me, Now You Don't"), a Go-based binary packer (pakkero, 2024-12), and a Pubg-Memory-Dumper. Their April 17, 2026 pivot: Pixmenu-Valorant-Aimbot-IMGUI.
This is exactly the toolkit needed to build the malware that's distributed via the kit fingerprint: a kernel hooker plus a binary packer plus an aimbot front-end. The LAwmwm shell org — created 2026-04-08, four repos all created the next day (Discord-MASS-DM, Discord-Raider, Muck-Stealer, UAC-Bypass-FUD) — confirms the operator is not a gaming-cheat specialist. They run a vertically-integrated malware factory: gaming cheats + Discord raid bots + info-stealers + Windows privilege-escalation tools, all built from the same template, distributed through algorithmically-named shell orgs across multiple verticals. The kit fingerprint catches all of it.
Aged real accounts, same-day burst, the math doesn't see them.
On 2026-04-23, at least thirteen GitHub accounts created airdrop-bot repositories targeting different testnet projects. All on the same day. All with similar emoji-laden README templates. The accounts are not freshly created — they are aged, organic-looking, with histories going back as far as five years.
Why the v0.4 lifecycle axis misses them
Hunter's lifecycle axis flags fresh-burst (Cohort B, age < 180 days) and mature-dormant (Cohort A, age > 365 days with one burst-of-activity). These accounts are neither. They have organic-looking history and a single suspicious recent action. The lifecycle axis sees them as Cohort OTHER, the joint test passes them, and the v0.4 calibration is silent.
The pattern is one of three things: an affiliate scam (an operator paying real users to push the same scam tool, varying the brand by victim project); a GitHub account rental market (an operator buying access to credible-looking aged accounts); or a compromised account chain. The same-day timing, identical README template style, and diversity of account ages favor the affiliate-scam hypothesis. We don't have positive evidence to discriminate among the three.
v0.8 capability: a single-day-burst-on-aged-account axis that flags accounts with established history that suddenly create a repo matching a campaign-naming pattern on the same day as other accounts doing the same. We persisted the 13 known logins as corpus/ecosystem/anchors_airdrop_drop_2026-04-23.txt so a future v0.8 has a labeled positive set to calibrate against.
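A sketch of that v0.8 axis next to an approximation of the v0.4 lifecycle cohorts, as an added example that is not the toolchain's code. The cohort boundaries (180 and 365 days) are the ones stated above; "one burst of activity" is approximated here as at most one active month, the burst threshold of five accounts and the naming pattern are assumptions, and apart from the 2026-04-23 date every login, repo name and age below is constructed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class RepoCreated:
    login: str
    repo: str
    created: date            # repo creation day
    account_created: date
    active_months: int       # distinct months with pushes before this repo (assumed proxy for bursts)


def lifecycle_cohort(r: RepoCreated) -> str:
    """Approximation of the v0.4 lifecycle axis as the report describes it:
    B = fresh-burst (< 180 days old), A = mature-dormant (> 365 days old with a
    single burst, approximated as at most one active month), else OTHER."""
    age = (r.created - r.account_created).days
    if age < 180:
        return "B"
    if age > 365 and r.active_months <= 1:
        return "A"
    return "OTHER"


def aged_same_day_burst(records: List[RepoCreated], pattern: "re.Pattern",
                        min_age_days: int = 365, min_burst: int = 5) -> Dict[date, List[str]]:
    """Cross-account axis: days on which at least min_burst distinct accounts
    older than min_age_days each created a repo matching the campaign naming
    pattern. Per-account cohort is ignored on purpose: the signal lives in the
    coincidence across accounts, not in any single history."""
    by_day: Dict[date, set] = defaultdict(set)
    for r in records:
        if not pattern.search(r.repo):
            continue
        if (r.created - r.account_created).days < min_age_days:
            continue
        by_day[r.created].add(r.login)
    return {d: sorted(logins) for d, logins in by_day.items() if len(logins) >= min_burst}


AIRDROP = re.compile(r"airdrop", re.IGNORECASE)
DROP_DAY = date(2026, 4, 23)   # from the report; everything else below is constructed
RECORDS: List[RepoCreated] = [
    RepoCreated(f"aged_user{i:02d}", f"proj{chr(97 + i)}-testnet-airdrop-bot", DROP_DAY,
                DROP_DAY - timedelta(days=400 + 120 * i), active_months=6 + i)   # 1.1 to 5 years old
    for i in range(13)
] + [
    RepoCreated("new_user", "foo-airdrop-bot", DROP_DAY, DROP_DAY - timedelta(days=30), 1),  # Cohort B
    RepoCreated("aged_user00", "notes", DROP_DAY, DROP_DAY - timedelta(days=400), 6),         # name mismatch
    RepoCreated("late1", "bar-airdrop-bot", DROP_DAY + timedelta(days=1), DROP_DAY - timedelta(days=800), 10),
    RepoCreated("late2", "baz-airdrop-bot", DROP_DAY + timedelta(days=1), DROP_DAY - timedelta(days=900), 12),
]


if __name__ == "__main__":
    print({r.login: lifecycle_cohort(r) for r in RECORDS[:3]})   # all OTHER: the joint test passes them
    for day, logins in aged_same_day_burst(RECORDS, AIRDROP).items():
        print(day, len(logins), "aged accounts:", logins)
```

Every one of the thirteen aged accounts scores OTHER on its own, which is exactly why the v0.4 calibration is silent; the burst only exists when the day is the unit of analysis. The naming pattern is the weak link here: an operator who varies the repo name per brand rather than per victim project would need the README template similarity the report mentions as the grouping key instead.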
The methodology returns no campaign on the AI-tools vertical.
We deliberately tested against a vertical we did not expect to have a star farm. The hypothesis: today's AI-tools ecosystem has so much organic attention that there's no purchase for fake stars to add value. Top user-owned AI/agent/LLM repos created in the past 30 days surfaced MemPalace/mempalace (49,835 stars in 21 days), JuliusBrussee/caveman (47,205 in 22 days), and kyegomez/OpenMythos (10,662 in 8 days) at the top by velocity.
Stargazer profiles: caveman at 2% bot-shape (organic viral). OpenMythos at 10% (clean). HKUDS/Vibe-Trading at 12% (clean). MemPalace at 20% (borderline). We ran the propagation step from Playbook 6 — extract MemPalace's bot-shape stargazers, snapshot their full star streams, build the matrix. The matrix surfaced a coherent AI-agents/Claude-Code cluster (obra/superpowers, karpathy/autoresearch, garrytan/gstack, mattpocock/skills), but every top candidate when independently profiled came back at 5–15% bot-shape. Not the 25%+ that defines a campaign.
MemPalace's stargazer profile is elevated because the AI vertical is full of "AI-curious" GitHub users who created low-friction accounts specifically to follow AI projects. They have 0 followers and few repos — exactly the bot-shape filter — but they are organic users, not operators. The propagation step distinguishes them: operator fleets cause secondary candidates' profiles to inherit the bot-shape signature. Organic-elevated populations don't.
This is the methodology working. The AI-tools vertical has no active star farm at the velocity-suspect tier we surveyed. The negative result is the calibration.
Every claim above ships with the corpus to verify it.
The toolchain ships at v0.7 with a multi-axis architecture you can run against any GitHub account. Detect known star-farm operators (10 anchor sets) AND known malware kits (2 fingerprints) on a suspect account in one command:
# v0.7 multi-operator + malware-kit scoring
hunter score <login> \
  --anchors-dir corpus/ecosystem/ \
  --malware-kits corpus/malware_kits/ \
  --identity \
  --sterile-repos sterile.jsonl \
  --snapshot snapshots/ \
  | jq .

# Output JSON reports per-axis advisory signals plus
# attributed_operator (slug of which star-farm operator
# the account belongs to, if any), malware_kit.matches
# (which owned repos match which kit), and a calibrated
# flagged: bool from the joint test.
The corpus that ships with v3
- corpus/anchors_v2.txt — cfnb anchors (14 repos)
- corpus/ecosystem/anchors_<8 operators>.txt — per-operator anchor sets
- corpus/ecosystem/seeds_<6 operators>.txt — confirmed seed accounts per operator
- corpus/cfnb_fleet_logins.txt — the 31-account cfnb fleet
- corpus/cfnb_activation_timeline.txt — chronological cfnb-stargaze events Apr 19–26
- corpus/malware_kits/vietnamese_cheat.json — Vietnamese-operator kit fingerprint
- corpus/malware_kits/wallet_drainer.json — wallet-drainer kit fingerprint
Add to your detection set as it grows. Each new operator surfaced in a future investigation is one more file in corpus/ecosystem/. Methodology details — the per-vertical recipe for surfacing a new operator's anchor set, the propagation test for distinguishing campaign from elevated-organic, the kit-fingerprint discovery process — live in the op-recon skill at ~/.claude/skills/op-recon/SKILL.md. Seven playbooks. Ten synthesis rules.
v1 found a farm. v2 calibrated the math. v3 mapped the market.
The honest claim is that the toolchain works and the corpus is real. The markets are bigger than the slices we mapped, and the calibrated math should keep generalizing as we point it at more verticals.
Three concrete claims this report makes that v1 and v2 did not:
1. Coordinated inauthentic behavior on GitHub is a market, not a phenomenon. At least nine star-farm operators run parallel campaigns across the verticals we sampled. They do not share fleets. They specialize in niches. The operator economy is mature enough to produce variation in attack pattern — shell-org-bombing, fake-legitimacy facade, dual-account simple, malware-kit boilerplate distribution, single-day affiliate drop.
2. The most-aggressive operator we found is operationally sloppy. The Polymarket operator, Enzo Alarcón, runs the largest measured fleet in this report (96–97% bot-shape, ~1,000+ accounts) and left his real name in a public college final-exam repository. Sophistication does not correlate with operational discipline. The detection-and-attribution pipeline is more effective on the loudest operators precisely because they don't bother to hide.
3. The next axis — beyond stars and beyond commits — is the file boilerplate. Malware-kit operators don't need stars. Ariadne's date-fabrication signal misses them. Hunter's joint test misses them. But the kit emits boilerplate files with deterministic byte-sizes, and that fingerprint is a per-repo signature that catches the operator regardless of vertical. Every additional kit fingerprint added to the corpus extends the toolchain's reach without adding new code.
What's still open
The aged-account affiliate drop is an attack pattern the math doesn't yet model — v0.8 specification. Hunter currently scores users only; most malware-kit operators run organizations, and org-scoring is a gap. The per-operator anchor sets have been validated on hit-rate against known seeds, not formally evaluated against negative pools — v3 ships them as detection infrastructure; v4 should evaluate them as classifiers. Cross-vertical operator linking — we found one with the kit fingerprint — is the most underexplored direction. The data is consistent with two-to-three verticals being run by the same operator simultaneously; we haven't enumerated the full overlap.
We pointed v2-calibrated math at seven new verticals in one workday. It returned coherent operator dossiers in five, a calibrated negative result in one, and an unsolved attack pattern in one. The corpus we ship is what it found.