An Exposed .git Folder Let Us Dox a Phishing Campaign
We took it up for research, and because of clumsy decisions by the attacker we got their GitHub and their operational Telegram bot.
Screenshots: https://imgur.com/a/FTy4mrH
Sometimes attacker incompetence can be a defender's best weapon ¯\_(ツ)_/¯
The phishing page was a standard clone of an "email" login for an unbranded, generic service. A bit of gobuster reconnaissance showed that the site's .git directory was publicly accessible and listing its contents.
Inspecting the requests also got us the first Telegram bot token. This is the digital equivalent of leaving the blueprints to your entire operation, including past versions and deleted files, lying on the front lawn.
We pulled the repository, found automated deployments and multiple fake pages with different hardcoded Telegram bot tokens and Chat IDs.
With the source code, repo and the active Telegram bot token, we filed detailed abuse reports:
- GitHub: We reported the repository containing the phishing kit's source code. It was taken down for violating TOS.
- Telegram: We reported the bot using the provided token and chat ID, leading to its removal.
- Hosting Provider: The malicious site was reported and taken offline.
Lesson learned? Never deploy a .git folder to production. Even if you are a criminal.
Acknowledgement: This was a collaborative effort by members of the BeyondMachines Discord community. The crowdsourced speed and collaboration helped us take this down very fast.
A phishing campaign was taken down after the attackers exposed their .git folder, allowing the community to discover their GitHub repository and Telegram bot token, and sparking a discussion on security best practices and responsible disclosure.
Snapshot generated from the HN discussion (moderate engagement; based on 21 loaded comments).
Key moments:
- Story posted: Nov 16, 2025 at 4:29 AM EST
- First comment: Nov 16, 2025 at 5:33 AM EST (1h after posting)
- Peak activity: 6 comments in the 4-6h window (average 3 comments per period)
- Latest activity: Nov 17, 2025 at 10:14 AM EST
You take down C&C and phishing pages = great, but maybe don't brag about exactly what you did, especially if the people are out to do it again but better?
Were you able to get the phishing data so that you can help the victims? Is it a good idea to try and do so?
Also, can you please share some bits of the phishing kit for easier detection?
Thank you for your efforts!
Yes, the git directory has all current and historical versions of the files packed into it, but that's not what the OP used to get information about the scammer.
When you deploy a simple page with them, it exposes .git/CONFIG and the x-access-token that grants access to the repository.
On the other hand, just blacklisting .git/* is not great; maybe I want to publish something on that path, just like any other filename. It's prone to lead to false positives.
Part of our deployment script for sites has something like:
So no .git directory, .gitignore, and so on.
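The kind of pre-deploy check the last two comments are circling around, as an added example that is not code from the article or from anyone in the thread: it fails the publish step if a .git directory (or a .git pointer file) is still in the build output, and flags remote URLs in .git/config that embed a credential, the x-access-token pattern mentioned above. The function names, the sample directory layout and the token value are all constructed for this example.

```python
# Pre-deploy check for a static-site build dir: fail if a .git folder is still
# present and flag remote URLs in .git/config that embed a credential (the
# x-access-token URL pattern from the thread). Added example, not the article's
# or a commenter's code; the sample tree and token below are constructed.
import os, tempfile
from pathlib import Path
from urllib.parse import urlsplit

def redact(url: str) -> str:
    """Mask the userinfo part of a URL so a finding can be logged safely."""
    parts = urlsplit(url)
    return parts._replace(netloc="***@" + parts.netloc.rsplit("@", 1)[-1]).geturl()

def credentialed_urls(git_config: Path) -> list[str]:
    """Return 'url = ...' values whose authority carries user:secret@."""
    if not git_config.is_file():
        return []
    leaks = []
    for line in git_config.read_text().splitlines():
        key, sep, value = line.partition("=")  # git config lines are "key = value"
        if sep and key.strip().lower() == "url" and "@" in urlsplit(value.strip()).netloc:
            leaks.append(value.strip())
    return leaks

def audit_deploy_dir(root: str) -> list[str]:
    """Walk the build tree; one finding per exposed .git and per embedded credential."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel = Path(dirpath).relative_to(root) / ".git"
        if ".git" in dirnames:
            findings.append(f"git directory present: {rel}")
            findings += [f"credential in remote url: {redact(u)}"
                         for u in credentialed_urls(Path(dirpath, ".git", "config"))]
            dirnames.remove(".git")  # no need to descend into the repo internals
        if ".git" in filenames:  # worktree/submodule pointer file leaks the gitdir path too
            findings.append(f"git pointer file present: {rel}")
    return findings

def build_sample_deploy_dir() -> str:
    """Construct a throwaway build tree mimicking the leak described in the thread."""
    root = tempfile.mkdtemp()
    Path(root, "index.html").write_text("<h1>sign in</h1>\n")
    Path(root, ".git").mkdir()
    Path(root, ".git", "config").write_text(
        '[core]\n\tbare = false\n[remote "origin"]\n'
        "\turl = https://x-access-token:EXAMPLE_TOKEN_NOT_REAL@github.com/example/site.git\n"
        "\tfetch = +refs/heads/*:refs/remotes/origin/*\n")
    return root

if __name__ == "__main__":
    problems = audit_deploy_dir(build_sample_deploy_dir())
    raise SystemExit("\n".join(problems) if problems else 0)  # non-zero exit blocks the deploy
```

Wire `audit_deploy_dir` into the publish script before the rsync/upload step so the build is never pushed with repository internals, whether or not the web server also denies `/.git/`.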