When a Job Offer Turns into a Crypto Heist

Diluk Angelo

Hey fellow devs,

So, there I was, sipping my coffee, scrolling through LinkedIn, when a message popped up. "Hi, we’re hiring for a Web3 developer role. Your profile looks promising. Interested?" Naturally, I was intrigued. Who wouldn't be?

But little did I know, this was the beginning of a scam that would nearly cost me my crypto wallet.

The Setup

The recruiter seemed legit. They had a polished profile, mutual connections, and even a company website. They asked me to clone a GitHub repository to assess my skills. "Just run npm install and npm start," they said. Seemed harmless enough.

So, I did. And that's when things got weird.

The Red Flags

As I navigated the project, I noticed some oddities:

  • Obfuscated Code: Some files were minified, making it hard to understand what they did.

  • Suspicious Dependencies: Packages like @solana/web3.js and bitcoin-core were included. Why would a job test need these?

  • Network Activity: The code was making requests to unknown domains.

  • File System Access: There were scripts that accessed directories I hadn't authorized.

  • Cryptocurrency Wallet Interaction: Some functions seemed to interact with wallet files.

  • AI-Generated Artifacts: The comments were oddly formal, and the code formatting was inconsistent.

The Analysis

I decided to dig deeper. Using GitHub Copilot's code analysis capabilities, I ran the project through a security scanner. Here's what I found:

  1. Heavily Obfuscated Malware: In server/routes/userRoute.js, there was a chunk of code that used base64 encoding and dynamic code generation. It connected to http://w3capi.marketing/ and had file system manipulation capabilities. It was a data exfiltration trojan designed to steal sensitive information.

  2. Dangerous eval() Usage: In server/controllers/paymentController.js, the code used eval(error.response.data). This executed arbitrary code from external network responses, creating a remote code execution vulnerability.

  3. Suspicious Cryptocurrency Dependencies: The project included libraries like @solana/web3.js and bitcoin-core. These could facilitate unauthorized cryptocurrency transactions.

  4. Suspicious Network Activity: The code was making requests to w3capi.marketing and api.mainnet-beta.solana.com, among others. These domains were not related to the job or the company.

  5. Questionable Dependencies: Packages like execp (minimal downloads, security risk) and request (deprecated HTTP library) were included. These could pose security risks.

  6. File System Manipulation: Scripts in server/data/util/fileDelete.js were deleting files and accessing system directories without authorization.

The Takeaway

This experience was a wake-up call. Scammers are getting more sophisticated, using job offers to deploy malware and steal crypto assets. Here's how you can protect yourself:

  • Verify Recruiters: Always check the recruiter's profile and the company's website. If something feels off, trust your instincts.

  • Inspect Code Before Running: Never run code from unknown sources without reviewing it first.

  • Use Security Tools: Utilize tools like GitHub Copilot's code analysis to scan for vulnerabilities.

  • Be Cautious with Dependencies: Be wary of unfamiliar packages, especially those related to cryptocurrency.

  • Report Suspicious Activity: If you encounter a scam, report it to the platform and relevant authorities.

Stay safe out there, and remember: not every job offer is what it seems.

AI Prompt to Scan a Project Directory

Analyze the provided project files for any signs of malicious behavior, particularly focusing on:

Suspicious Scripts: Check for the presence of postinstall, preinstall, or other lifecycle scripts that could execute unintended actions.

Obfuscated Code: Look for code that is intentionally difficult to understand, such as minified code, excessive use of eval(), or dynamically generated code.

Unusual Dependencies: Identify any dependencies that are uncommon, outdated, or have known security vulnerabilities.

Network Activity: Detect any code that attempts to make network requests to unknown or suspicious domains.

File System Access: Monitor for code that accesses or modifies files outside the expected directories, especially in hidden or system directories.

Cryptocurrency Wallet Interaction: Be alert for any code that interacts with cryptocurrency wallets, especially if it attempts to read, modify, or send transactions without user consent.

AI-Generated Artifacts: Identify patterns indicative of AI-generated code, such as unnatural comments, inconsistent formatting, or unusual naming conventions.

Provide a detailed report highlighting any potential risks or malicious activities detected.
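The checklist above, and the findings in the Analysis section, can be turned into a first-pass static triage you run before `npm install`. The script below is an added example, not code from the original post or the repository it describes; the allow-list of hosts and the sample project are my own assumptions, constructed inline so it runs offline.

```javascript
// Added example: static triage of an npm project in the spirit of the checklist above.
// Reads package.json lifecycle hooks and scans .js sources for the indicators the post
// describes: eval() on network data, base64-fed dynamic code, unknown hosts, wallet paths.
const ALLOWED_HOSTS = new Set(["registry.npmjs.org"]); // assumption: the reviewer's allow-list
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
const RULES = [
  // eval() fed from an HTTP response object, as in eval(error.response.data)
  { id: "eval-on-network-data", re: /\beval\s*\(\s*[\w.]*(response|data|body)\b/ },
  // base64 decoded and handed to eval / new Function within a short distance
  { id: "dynamic-code-from-base64",
    re: /(Buffer\.from\([^)]*['"]base64['"]\)|\batob\s*\()[\s\S]{0,120}?(eval|new\s+Function)\s*\(/ },
  // paths typical of CLI wallet key material (Solana, Bitcoin Core, Ethereum keystores)
  { id: "wallet-path-access", re: /\/\.?(solana|bitcoin|ethereum)\/|keystore|wallet\.dat/i },
  // deletion rooted at the home directory or a system directory
  { id: "unauthorized-file-deletion",
    re: /\b(rmSync|unlinkSync|rm)\s*\(\s*(os\.homedir\(\)|process\.env\.HOME|['"]\/(etc|usr|var))/ },
];

// project: { relativePath: fileContents }. Returns one finding per rule hit per file.
function triageProject(project) {
  const findings = [];
  const pkg = JSON.parse(project["package.json"] || "{}");
  for (const hook of LIFECYCLE_HOOKS) {
    if (pkg.scripts && pkg.scripts[hook]) {
      findings.push({ file: "package.json", id: "lifecycle-script", detail: `${hook}: ${pkg.scripts[hook]}` });
    }
  }
  for (const [file, src] of Object.entries(project)) {
    if (!file.endsWith(".js")) continue;
    for (const rule of RULES) if (rule.re.test(src)) findings.push({ file, id: rule.id });
    for (const m of src.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)) {
      const host = m[1].toLowerCase();
      if (!ALLOWED_HOSTS.has(host)) findings.push({ file, id: "unknown-host", detail: host });
    }
  }
  return findings;
}
// Constructed sample mimicking the layout the post describes; not the actual repository.
const SAMPLE_PROJECT = {
  "package.json": JSON.stringify({ scripts: { postinstall: "node server/data/util/fileDelete.js" } }),
  "server/controllers/paymentController.js": "axios.get(url).catch(error => { eval(error.response.data); });",
  "server/routes/userRoute.js":
    "const p = Buffer.from(blob, 'base64').toString(); new Function(p)(); fetch('http://w3capi.marketing/');",
  "server/data/util/fileDelete.js":
    "const fs = require('fs'), os = require('os'); fs.rmSync(os.homedir() + '/.config/solana/id.json');",
  "src/app.js": "fetch('https://registry.npmjs.org/react');",
};

for (const f of triageProject(SAMPLE_PROJECT)) console.log(`${f.id.padEnd(28)} ${f.file}${f.detail ? "  (" + f.detail + ")" : ""}`);
```

Against the sample it reports the postinstall hook, the `eval()` on a response body, the base64-to-`new Function` chain, the unknown host, and the wallet-path deletion, while the benign `src/app.js` produces nothing. Regex triage like this is a screening step, not a verdict; anything it flags still needs to be read by hand in a sandbox.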

Other Cases

https://www.linkedin.com/posts/samerafach_i-have-noticed-a-spike-in-scammers-targeting-activity-7198328523734822913-VSxJ/

https://www.reddit.com/r/Scams/comments/1b8ckap/cryto_developer_metamask_scam

https://www.reddit.com/r/Upwork/comments/14nat71/scam_warning_blockchain_developer_job_postings/

https://www.reddit.com/r/ethdev/comments/1550dsd/i_fell_victim_to_my_firstever_wallet_drain_scam


Written by

Diluk Angelo

Hey there! I'm Diluk Angelo, a Tech Lead and Web3 developer passionate about bridging the gap between traditional web solutions and the decentralized future. With years of leadership experience under my belt, I've guided teams and mentored developers in their technical journey. What really drives me is the art of transformation – taking proven Web2 solutions and reimagining them for the Web3 ecosystem while ensuring they remain scalable and efficient. Through this blog, I share practical insights from my experience in architecting decentralized solutions, leading technical teams, and navigating the exciting challenges of Web3 development. Whether you're a seasoned developer looking to pivot to Web3 or a curious mind exploring the possibilities of decentralized technology, you'll find actionable knowledge and real-world perspectives here. Expect deep dives into Web3 architecture, scalability solutions, team leadership in blockchain projects, and practical guides on transitioning from Web2 to Web3. I believe in making complex concepts accessible and sharing lessons learned from the trenches. Join me as we explore the future of the web, one block at a time!