Making millions of dollars on fake GitHub stars

TL;DR

Startups buy fake GitHub stars for as little as 6 cents each to fraudulently attract VC funding worth millions, exploiting investors who use star counts as traction signals.

Key Points

• 1.Fake GitHub stars are a $50 problem with multi-million dollar consequences. A CMU/NC State/Socket study analyzed 6.7 billion GitHub events and found ~6 million fake stars across 18,600 repos from 301,000 accounts, with fake star campaigns accelerating sharply in 2024 to affect 16%+ of repos with 50+ stars.
• 2.Stars can be purchased for as little as 3–6 cents each through a mature shadow economy. Dozens of active marketplaces, Fiverr gigs, star-exchange platforms, and WeChat groups operate openly; premium aged-account stars cost 80–90 cents, and one vendor claims 3.1 million stars delivered to 53,000 clients.
• 3.The fake-star-to-VC-funding pipeline is explicitly documented by investors themselves. Redpoint Ventures partner Jordan Seagal published benchmarks showing median star counts of 2,850 at seed and 4,980 at Series A — giving startups a price list: $85–$285 buys a seed-round appearance, yielding an ROI up to 117,000x on rounds of $1–10M.
• 4.Union Labs topped Runa Capital's ROSS index with 74,300 stars despite ~47% suspected fake. The widely cited VC sourcing report ranked it #1 for Q2 2025 with 54x star growth; analysis found 32.7% zero-repo accounts and 52% zero-follower accounts — canonical fingerprints of purchased stars.
• 5.Fork-to-star and watcher-to-star ratios are reliable manipulation detectors. Organic projects like Flask show ~235 forks per 1,000 stars and watcher ratios of 0.005–0.03; manipulated repos like FreeDomain show 17 forks per 1,000 stars and a watcher ratio of 0.001 — 26x lower than Flask.
• 6.AI and crypto repos are the most manipulated categories. Raga AI showed 76% zero-follower stargazers and 28% ghost accounts; OpenAIFM had 66% suspicious accounts with a median account age of only 116 days; blockchain projects like FreeDomain had 81% zero-follower stargazers, nearly identical to bot-farm patterns.
• 7.Legal exposure exists but no one has been charged specifically for fake GitHub stars yet. The FTC's October 2024 consumer review rule explicitly bans fake social influence metrics with penalties up to $53,000 per violation; the SEC charged Headspin's CEO with wire fraud and securities fraud for metric inflation, carrying up to 20 years in prison.
• 8.GitHub's enforcement is reactive and structurally inadequate. It removed 90% of flagged repos but only 57% of fake accounts, preserving the bot labor force; it has never published a transparency report on star manipulation, and has not implemented CMU's recommended weighted popularity metric based on network centrality rather than raw counts.