If you’re a cryptocurrency developer, you’ve probably already seen the warning signs of this scam: sketchy LinkedIn messages and “too good to be true” freelance offers. Lately, scammers have been upping their game by using legitimate-looking tools to trick developers into installing malware through private GitHub repositories or npm packages. The latest threat? Forked and/or malicious packages, specifically targeting common Node.js modules like child_process, allowing scammers to perform various attacks on your computer.
Let’s break down how these scams work and, more importantly, how you can protect yourself.
This scam, although not specific to the Web3 space, has seen a surge in its popularity in the last few months according to our personal experience. We went from receiving one or two of them per month to over 10 per week recently. Although it is annoying to have to filter through this mass of malicious offers, it allowed us to gather a lot of data about the process these scammers use.
The beginning is always the same. Someone will contact you, presenting himself as the founder of a project or one of its key members, and tell you that he is looking for “experienced web and blockchain developers who not only possess the technical prowess to bring our vision to life but also embody qualities of integrity and trustworthiness”, or something similar that ChatGPT gave him. In general, it will be a very broad message, sometimes not even mentioning Web3. Most of the time, you can recognize that it’s a scam right from this first, lengthy and verbose, message.
The point of contact can be any platform you are on, be it LinkedIn or a freelancing platform like Upwork. You will often see that their profiles on these platforms are new ones, especially on freelancing platforms, as they do not intend to actually pay anyone. If you are using such platforms, we can only recommend checking the profile and never straying outside the platform with unknown clients.
If you respond to their message, they will be really enthusiastic to work with you, often proposing a generous payment because they just have so much money and don’t know what to do with it. However, before they hire you, they want to check if you are actually good at your job, whatever it may be. To do so, they will tell you to install their project, in general a generic React website, from GitHub and then send them a screenshot of the project running on your computer. Not a weird request at all. Some are more subtle about it, and will just ask you to add some simple feature to it, like adding Web3 wallet connection, to make it look less suspicious. That’s the common point of all these scams: making you run their “project” on your computer, allowing them to run their well hidden malicious code. To what purpose? Only they know, as we did not yet try to install their malware for further investigation. Our best guesses are trying to steal your cryptocurrencies if you ever log in to your wallet on a compromised computer, or even your bank account like regular old scammers, through a key logger or other standard means of attack. Or simply just steal any private key it finds in any .env currently present on your computer. Fresh reminder to use separate wallets for testing and for securing your funds, by the way.
To summarize how to recognize this type of scam:
Let’s take one of these scam projects as an example. You can check the project below, but do not install it in any way unless you really know how to protect your computer and know what you are doing.
Here is today’s example: haroldcristopher/MetaTradingPlatform (github.com)
At first glance, it looks like a standard Next.js project. You can even check the files, and everything will seem pretty normal, just a regular project, nothing to see here mister officer. Nearly every time, it will be a project in its “beta phase”, waiting for you to install it and make it production ready. Pushed in a single commit, with a single member in the repo, apart maybe from you or other potential victims of this scam. Again, please do not install this project or any similarly suspicious code.
After failing to find any malicious code in all these files, we finally decided to check what was not yet on the project: the dependencies. In each and every one of these projects, you will be able to find at least one extremely suspicious package in the context of a React/Next app, often related to the control of child processes. In our current case, you will be able to see that it imports the “command” package in the package.json file, which according to its npm description is “A Node.js chainable, promise-based utility for running commands with child_process.spawn”. In many other projects, similar packages will be imported for no good reason. Each time, it will either be legit packages used in malicious ways or straight up malicious packages mimicking legit ones.
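The dependency check described above, as an added example that is not code from the original post or from the repository it names. It audits a package.json for dependencies whose purpose is running commands through child_process (the post names “command”; the other watchlist entries and the front-end markers are assumptions) and, going one step beyond the post, also flags lifecycle scripts that npm runs automatically during install. The sample manifest is constructed for this example.

```javascript
// Added example (not from the original post): audit a package.json for
// process-spawning dependencies and install-time scripts. The watchlist and
// the sample manifest below are assumptions constructed for this example.

// "command" is the package named in the post; the others are well-known
// wrappers around child_process.spawn/exec. Extend the set as needed.
const PROCESS_SPAWN_PACKAGES = new Set(["command", "execa", "shelljs", "cross-spawn"]);

// Scripts npm executes on `npm install`, before you have read any code.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Presence of these marks a front-end project where spawning is unexpected.
const FRONTEND_MARKERS = ["react", "next"];

function auditManifest(manifest) {
  const findings = [];
  const deps = { ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) };
  const isFrontend = FRONTEND_MARKERS.some((name) => name in deps);
  for (const name of Object.keys(deps)) {
    if (PROCESS_SPAWN_PACKAGES.has(name)) {
      findings.push({
        kind: "spawn-capable-dependency",
        name,
        note: isFrontend ? "no obvious use in a React/Next app" : "check where it is used",
      });
    }
  }
  for (const hook of INSTALL_HOOKS) {
    if (manifest.scripts && hook in manifest.scripts) {
      findings.push({ kind: "install-hook", name: hook, note: manifest.scripts[hook] });
    }
  }
  return findings;
}

function auditPackageJson(text) {
  return auditManifest(JSON.parse(text));
}

// Constructed sample modelled on the pattern in the post: a Next.js front end
// that pulls in "command" and runs a script on install. Not the real repo.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "sample-next-app",
  scripts: { dev: "next dev", build: "next build", postinstall: "node scripts/setup.js" },
  dependencies: { next: "14.1.0", react: "18.2.0", "react-dom": "18.2.0", command: "*" },
});

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditPackageJson(SAMPLE_PACKAGE_JSON)) console.log(`${f.kind}: ${f.name} (${f.note})`);
}
```

Run it against a suspicious repo’s package.json before installing anything; a spawn-capable dependency or an install hook in a plain front-end project is exactly the signal the post describes.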
As an additional example, you can find on Reddit several accounts of devs falling for this scam: I fell victim to my first-ever wallet drain scam as a dev (malware) : r/ethdev (reddit.com)
In conclusion, the rise of sophisticated scams targeting cryptocurrency developers is a reminder of the ever-evolving landscape of cyber threats. These scams, often disguised as legitimate opportunities, exploit the trust and curiosity of developers, potentially leading to severe consequences such as financial loss and compromised security. By understanding the modus operandi of these scammers, from their initial contact to the deployment of malicious code through seemingly innocuous projects, you can better protect yourself and your work.
Here are the key takeaways to stay safe, true for most scams in life:
By adopting these practices, you can safeguard your digital assets and contribute to a more secure and trustworthy ecosystem for all developers. Stay alert, stay informed, and stay safe.