Author: Claude, Deep Tide TechFlow
Deep Tide Intro: A peer-reviewed study from Carnegie Mellon University (CMU) found approximately 6 million fake Stars on GitHub, involving 18,600 repositories and 301,000 accounts. AI/LLM projects are the largest non-malicious category for star-buying. The market price for a single star can be as low as $0.03. Redpoint data shows the median number of Stars for VC seed-stage projects is 2,850—meaning spending less than $200 can 'buy' a false level of popularity that meets the seed-round threshold.
GitHub Stars are becoming an elaborately packaged scam.
According to an investigative report published by Awesome Agents on April 13th, a mature gray market around GitHub Stars is operating in plain sight: academic papers have quantified the scale of the problem, over a dozen websites openly sell Stars, and venture capital firms directly incorporate Star counts into their project screening decisions.
The investigation team independently verified 20 repositories and found that 36% to 76% of the Stars for some projects came from accounts with zero followers, with fork-to-star ratios less than one-tenth of the baseline for organic projects.
The core academic support for this report comes from a peer-reviewed paper jointly published by CMU, North Carolina State University, and Socket at ICSE 2026 (International Conference on Software Engineering). The research team's detection tool, StarScout, analyzed 20TB of GitHub metadata (6.7 billion events, 326 million Stars, covering 2019 to 2024), ultimately flagging approximately 6 million suspicious fake Stars, 18,600 involved repositories, and about 301,000 participating accounts.
6 Million Fake Stars: Explosive Growth in 2024, AI Projects Heavily Affected
Fake Stars are not a new phenomenon, but their scale exploded in 2024. CMU paper data shows that before 2022, there were no more than 10 repositories involved in fake Star activity per month. By the peak in July 2024, this number skyrocketed to 3,216 repositories and 30,779 participating accounts. As of July 2024, 16.66% of repositories with more than 50 Stars had engaged in fake Star activity.
The detection accuracy of the research team was indirectly validated by GitHub's own actions: 90.42% of the repositories flagged by StarScout have been deleted, and 57.07% of the flagged accounts have been purged.
In the classification of fake Star usage, most are used to promote short-lived phishing/malware repositories. But among non-malicious categories, AI and LLM-related projects rank first, with a total of 177,000 fake Stars, surpassing blockchain/cryptocurrency projects. The paper notes that "many of these are academic paper repositories or products from LLM-related startups." More critically, 78 repositories detected with fake Star activity had appeared on the GitHub Trending page, proving that purchased Stars can indeed successfully manipulate the platform's recommendation algorithm.
A Star for as Low as 3 Cents: The Openly Operating Star-Buying Market
This is not a dark web transaction. The investigation confirmed that at least a dozen websites openly sell GitHub Stars, including SocialPlug.io, Buy.fans, Boost-Like.store, etc. There are 24 active Star-buying services on Fiverr, ranging from basic packages for $5 to "organic promotion" packages for $25 and above.
Pricing is tiered: cheap tier (disposable new accounts) $0.03 to $0.10 per star, mid-tier $0.20 to $0.50, premium tier (aged accounts with years of history) $0.80 to $0.90. Premium services promise "non-drop stars" and a 30-day refill guarantee. SocialPlug claims to have delivered 3.1 million Stars cumulatively, serving over 53,000 customers, and even offers an API interface for programmatic bulk purchasing.
Star exchange platforms like GithubStarMate.com and SafeStarExchange.com use a points-based mutual brushing model, allowing users to exchange Stars without spending money. There are also at least 7 open-source tools on GitHub (e.g., fake-git-history, commit-bot, etc.) specifically designed to forge contribution history graphs. Pre-made GitHub accounts with 5 years of commit history and the Arctic Code Vault contributor badge are sold on Telegram for about $5,000.
A 2020 study from Tsinghua University documented the operations of promotion groups on QQ and WeChat in China: groups with over 1,020 members process about 20 repository star-buying tasks daily, estimating an annual industry profit of $3.4 million to $4.4 million.
VCs Use Stars for Project Screening, Spending $200 Can "Meet" Seed Round Standards
The relationship between Stars and funding is not speculation; it's something venture capital firms themselves publicly admit.
Redpoint Ventures partner Jordan Segall analyzed 80 developer tool companies and found that the median number of GitHub Stars at seed funding was 2,850, and 4,980 at Series A. He explicitly stated: "Many VCs write internal crawlers to find GitHub projects with fast Star growth. Stars are the metric they most commonly track."
These numbers essentially give startups a precise shopping list. Using cheap Stars, spending $85 to $285 can manufacture 2,850 Stars to reach the seed round median; spending $990 to $4,500 can reach the Series A threshold. Compared to the typical seed round funding range of $1 million to $10 million, the return on investment ranges from 3,500x to 117,000x.
The ROSS Index (Ranking of Open Source Startups), published quarterly by Runa Capital, further amplifies this incentive. According to TechCrunch, 68% of the companies on the ROSS Index received investment at the seed stage, with total tracked funding reaching $169 million. An independent analysis in the investigative report found that Union Labs, ranked first in the Q2 2025 ROSS Index (Star growth 54.2x, total 74,300 Stars), showed severe signs of star-buying: 32.7% of its Stars came from accounts with zero repositories, 52% from accounts with zero followers, and StarScout flagged 47.4% of its Stars as suspicious. The top project on an industry ranking widely cited by VCs had nearly half its Stars涉嫌造假 (suspected of being fake).
Actual cases already corroborate the conversion chain from Stars to funding: Lovable (formerly GPT Engineer) secured a $7.5 million pre-seed round with 50,000+ Stars, with a Series A valuation of $1.8 billion; Browser-use received a $17 million seed round after gaining 50,000 Stars in three months; Pangolin entered Y Combinator with 1,000 Stars and completed a $4.7 million seed round within eight months.
GitHub's Asymmetric Enforcement: Delete Repositories but Keep Accounts
GitHub's Acceptable Use Policies explicitly prohibit "artificial engagement," "ranking manipulation," and creating a secondary market for fake Stars, even specifically banning star-buying behavior incentivized by "cryptocurrency airdrops."
But enforcement is passive and asymmetric. GitHub deleted 90.42% of the repositories flagged by StarScout but only purged 57.07% of the executing accounts. The "workforce" of the fake Star industry remains largely intact. After Dagster published an investigative report in 2023, the related fake Star accounts were deleted within 48 hours—but this was a reaction to public exposure, not the result of proactive detection.
The CMU research team suggested GitHub adopt a network centrality-based weighted popularity metric to replace the raw Star count, structurally dismantling the fake Star economy. GitHub has not implemented this to date.
This forms a self-reinforcing loop: VCs use Stars as a screening signal → Startups buy Stars → VCs see artificial hype → More VCs adopt Star tracking → More startups buy Stars. The benchmark numbers publicly released by Redpoint (seed: 2,850, Series A: 4,980) essentially gave startups a clearly priced shopping list.
As one commentator in the investigative report said: "Star counts can be faked, but saving someone a weekend of bug fixes cannot."
