Crypto job scams
Does this article need to be translated?
A frustrating reality of being online, especially within web3, is co-existing with scammers. While ripping people off is a dishonest trade as old as time reserved for the truly heinous, it pays to be aware of increasingly evolved and sophisticated traps, if only to totally avoid it.
One attack vector that stands out is Crypto Job Scams. As the crypto space grows, so do employment opportunities, and unfortunately, scam targets.
Whether you're seeking a job or looking to hire someone, being aware of these attacks is a critical step to safeguarding your assets, your company’s assets, and/or your users' assets. Over the past year alone, we’ve observed a convergence of diverse threat groups targeting individuals on both sides of the hiring equation.
This comprehensive article dives into common crypto job scams identified by our Security Research team, with tips on how to avoid them. Remember, if something seems too good to be true or feels off, it probably is.
- Job Ponzi Schemes and Task Scams
- Games looking for beta-testers and non-technical roles
- Fake Recruiters, Skills Tests, and Requests for Help
- Freelance Job Sites and Malicious Job Offers
- Scammers that get hired
Job Ponzi Schemes and Task Scams
This type of scam is a mashup of classic pig butchering, ponzi/MLM tiers, and actual work. The scheme starts off by promising candidates high hourly rates, flexible hours, and the ability to work from home, all for minimal effort.
Victims often start by completing a brief "training" for a small payment before doing daily tasks that earn them commissions, paid out periodically to their on-chain wallets.
Soon, the victim comes across a job that requires them to pay a small amount in order to submit or finalize the job. The scammer support staff assure them that “this happens from time to time” and they will “always be reimbursed.” Victims who take the risk are in fact reimbursed, and also receive a higher commission or bonus for that job. Some schemes have leveling systems which unlock bonuses, higher commissions, or access to more jobs.
From there though, the scam escalates quickly. Occasional, small payments turn into larger payments. However, these “jobs” also yield even larger commissions and bonuses. Unfortunately, the actual payouts have stopped at this point but victims can see the amount to be paid out on their dashboard and assume the payouts will come, just as they always have before.
Alas, the payouts never arrive. Sometimes support staff will tell the user there's a technical issue or they need to complete "verification" as is common in classic pig butchering scams but, generally, these job ponzi schemes escalate and end more quickly.
Watch out for:
- Job posts that offer exceptionally high hourly rates for a low number of flexible hours.
- Jobs shared on social media (example: Facebook groups) or job sites, where scammers impersonate recruiters or agencies.
- Repetitive, task-based work like assembling 'travel packages' or reviewing hotels or products.
- Websites that only have a mobile layout, even when viewed on a computer.
- Recruiters or support staff use WhatsApp and/or Telegram to communicate with workers.
- There is a referral or invite code required to sign up to "start working".
- The platforms may impersonate or refer to legitimate businesses or services in the sector (e.g. Navan, Airbnb, Main Event Music, Resy).
- All payments and payouts are done via cryptocurrency—typically USDT on Ethereum or Tron.
- You are required to pay to complete the job/task.
How you can protect yourself and avoid job ponzi and task scams:
- Always verify the legitimacy of job offers. Check the company's official website and contact them directly using contact information from the website.
- Be wary of any job that requires you to pay, especially in cryptocurrency. Do not pay your employer! (a good rule of thumb in life)
- Stay skeptical. If it's too good to be true, it likely is! This still applies, even when "work" is involved.
- Check the website's URL on Whois to see when the domain was first registered. Often—but not always—scams like these are short-lived and change frequently. If the URL was registered in the last few days or weeks, it's almost certainly a scam. (If it's existed for longer, it could still be a scam, so watch out for other telltale signs)
- Google unique words or phrases in the URL, on the website, or emphasized by the scammer, along with the word "job scam" or "site:reddit.com". For example, navan vip job scam and "music mentor" "crypto" "job scam" reveal countless reports and discussions.
Games looking for beta-testers and non-technical roles
This type of ongoing scam is essentially malware-posing-as-games. It typically starts with cold DMs from a person on Twitter or Discord offering jobs at blockchain or metaverse companies.
The jobs are usually entry-level or non-technical (moderators, customer support, etc.), and require installing “games”, often impersonating legitimate games.
Their websites are often extremely polished. (all links work, matching socials, etc.) The game however doesn’t actually exist—the installer works but the app displays an error as if it didn’t. In the background, the victim’s device has been compromised by crypto-stealing malware like Redline, Realst, Atomic/Amos, or Stealc that instantly searches for crypto wallets, credit cards, passwords, and anything financial or secret.
Victims’ wallets will be drained quickly and they may experience attempted logins, account takeovers, credit card fraud, and subsequent thefts for months to come.
What to do if you’ve installed malware disguised as a game
- Disconnect from the internet immediately and completely power down your device.
- Using a different device, transfer any assets out of wallets or secret recovery phrases that were on that device.
- If you need your compromised device to do this, be sure to ensure you have turned it completely off and on again and keep it disconnected from the internet as much as possible. Do NOT create new wallets or passwords via the compromised device!
- Begin with the highest value assets and accounts you most frequently access. Continue to any seeds or keys that were also on your device (e.g. seed phrases in notes, on your desktop, in your password manager, etc.)
- Change your passwords, especially for your Google, Apple, CEX's, business/company logins, bank accounts, Twitter, and Discord. Set up MFA via Google Authenticator with Cloud sync turned OFF. Remove any account recovery or 2FA via Email and/or SMS. Stay on the lookout for any attempted logins or new login notifications.
- Document and report any assets stolen and file a report via ChainAbuse and IC3. Include:
- Your on-chain addresses that had assets stolen from them.
- Primary transaction hashes of your funds being stolen—denote the chain/network, or simply link to the block explorer.
- The addresses the stolen funds were immediately sent to.
- The social media links/usernames of the scammer(s).
- The website URL you were directed to and/or downloaded the malicious application from.
- Any other suspicious or irregular activity on your accounts.
- A concise summary/timeline told from your point of view of what happened. Example: On Mar 3, 2024, a user with the handle XXX reached out to me via Twitter DM. He offered me a job at a game called __. He told me to go to the URL __ and install the game. On Mar 4, 2024, I did so. It didn't work. Then I noticed unauthorized transactions had been sent from my wallet beginning Mar 4, 2024 at 11:00 UTC. My addresses are: __. The stolen funds were sent to: ____. Here is one transaction where $50k worth of USDT was stolen from my account. On Mar 5, 2024 someone attempted to login to my Bitgo account with the IP address __ but they were not able to. In total, approximately $200k worth of crypto was stolen from me.
- Run a comprehensive malware scan on the compromised device. Consider simply wiping the device and starting clean for peace of mind.
How you can protect yourself and avoid game scams:
- Avoid downloading and installing software sent to you via DM—even if it appears to be a widely-used piece of software (Zoom, Anydesk).
- If you are interested in beta testing, only accept offers from well-known, reputable companies.
- Use antivirus software and keep it up-to-date.
- Use a hardware wallet to manage and store your crypto assets.
- Use separate devices for day-to-day browsing, job hunting, gaming, and/or recklessly downloading things from strangers.
- Stay skeptical! High paying / low effort jobs are more likely a lure to scam you than a legitimate opportunity.
- Search Twitter, Google, Reddit for the name of the game, social media handle of the person you're DMing, URL, or unique words used by the scammer, along with the word "scam." For example, there are countless reports if you search "discord ambassador crypto game scam" words that were used in the first cold DM from the scammer.
Fake Recruiters, Skills Tests, and Requests for Help
This scam as it suggests uses social engineering like false personas, assessments and help requests to prey on employees at targeted companies.
North Korean hacker groups like Lazarus have long been the most prevalent threat actor targeting the cryptocurrency industry, stealing well over $3 billion dollars worth of cryptocurrency over the past 7 years. But their huge hacks begin with a small toehold, often gained by social engineering an individual employee at the target company.
These social engineering efforts include fake job offers and fictitious Linkedin personas that ultimately deliver an ever-growing array of sneaky malware and deadly RATs. These malicious job offers have previously resulted in the $600m Ronin Bridge Heist, the 3CX double supply-chain attack, the $37m Coinspaid Heist, and countless more.
This malicious scheme involves targeting already-hired people at a crypto company. Fake recruiters contact employees via LinkedIn, offering job “tests” for a prospective job, or asking for help with debugging code. Running the code compromises the employee’s computer, giving hackers access to both personal and company data. They then leverage this to eventually gain critical entry into the companies’ AWS servers, where they are ultimately able to steal millions of dollars worth of cryptocurrency.
This has happened before and is still ongoing. Read this real-life interaction in this thread to understand the persistent severity and to avoid similar situations that could happen to you:
How you can protect yourself and your company from scams:
- Stay skeptical, don't judge, and don't assume you're above falling for any scam.
- Don't run or build code from strangers.
- Use different devices for work and personal activities.
- Use hardware wallets/ hardware MFA.
- Learn from others' mistakes and educate colleagues and others around you.
Freelance Job Sites and Malicious Job Offers
This scam involves malicious actors targeting freelancers, especially developers, on freelance job platforms. Freelancers or development teams are typically approached with job offers that seem authentic, often involving tasks like job interviews, skills tests, or finishing a project.
Scammers share detailed instructions through Google Docs and links to code hosted on repositories such as GitHub or Bitbucket, or via zip files on Google Drive.
The danger lies in the code itself. Once devs run or interact with the provided code, malicious scripts compromise their devices, draining any cryptocurrency wallets or private keys stored in their browser extensions or desktop wallets. The assets are stolen almost immediately, and in some cases, the scammers use the compromised keys to further exploit smart contracts or protocols.
For example, attackers may contact a developer or a dev shop asking for help to complete a project. They then grant access to a private (malicious) repository. When the tech lead runs the repo to assess the work needed, their device is compromised. This can lead to the immediate theft of any active wallet assets or sensitive data stored on their machine, potentially putting their own projects or previous clients at risk.
Watch out for:
- Job offers requiring you to interact with code provided through unofficial sources or hosted on third-party platforms.
- Requests to download and run unfamiliar code or zip files, particularly those involving npm install/run/build.
- Requests to run scripts, install video call software, or perform tasks on untrusted devices.
- Clients that seem polished like game studios or blockchain orgs but come with unverified code or vague details.
How to protect yourself from malicious job offers:
- Verify the identity of the person you're speaking to through multiple means.
- Do not download or install video call software or run a provided script just because someone promised you a job via DM.
- Avoid clicking on unsolicited links or downloading attachments from unknown sources.
- Use separate devices for day-to-day browsing, job hunting, gaming, and/or recklessly downloading things from strangers.
- Never access or store critical systems, sensitive information, or your crypto wallets on this device.
- Utilize multisigs / hardware wallets
Scammers that get hired
This scam involves companies unknowingly hiring malicious employees, particularly from North Korea. These threat actors use fake identities and forged documents to land remote IT jobs, exploiting their positions to deploy malware, compromise private keys, or deploy smart contracts with back doors.
A report by Zero Day details how North Korean workers tricked companies by using fake names and scripts. Reuters also reported on North Koreans landing remote IT work under false pretenses, which they use to funnel money back to the regime.
Pseudonymous development is commonplace in this industry, but it also creates unique risks to accountability, contractual enforcement, and engendering trust in and among stakeholders in a blockchain product. Malicious actors can exploit a lack of identity verification and background checks to interfere with a product’s development, steal funds, or cause other serious harm, and institutions will have no or limited means to punish them. In recent years, North Korean hackers have applied to real positions using fake Linkedin accounts and impersonated companies to offer fraudulent positions. These practices have directly led to severe hacks, including Axie Infinity’s $540 million loss.
As a result, companies must know the identities of and perform background checks on all of their employees, including those who use public pseudonyms. Companies must also reach additional maturity in their access controls and monitoring; for example, they should make prudent decisions surrounding operational security based on an employee’s role, background, and the territory they reside in (i.e., considering local laws and jurisdiction).
How companies can protect themselves
- Conduct background checks on all potential hires. Use reputable third-party verification services and obtain actual documents.
- Be cautious of applicants with suspiciously stellar qualifications that seem too good to be true.
- Have multiple people interview the candidate over multiple days—take notes and compare notes especially about where they say they are from, currently living, where they went to school, etc.
- Make interviewees be on camera. Ask them where they are, why they choose to be there, etc. It's good small talk to get to know someone. Also hard to answer if you're in a call center type place with 30 people around you.
- For extra security, consider requiring employees to use hardware authentication keys, such as Yubikeys.
- Check to make sure you're not paying 2 separate employees to the same on-chain address. Similarly, your devs should interact with each other in chats and on calls. If you've never seen 2 of your devs in the same place at the same time, you have a problem.
- Check their IP/geolocation against where they say they are from.
- Don't give any employees or devs full, unfettered access to critical systems—especially deployer/admin keys! Use multisigs!
- Get references and actually check those references.
Final thoughts
Web3 offers immense opportunities but it also attracts a ton of scammers looking to exploit innocent individuals through job-related means. By understanding the diverse attack vectors —from task scams and fake recruiters to malicious employees and malware-laden job offers—you can better protect yourself and your assets, as you now know what to look out for.
Always verify the legitimacy of job offers, recruiters, and companies. Use hardware wallets and require MFA and multitudes for any access to critical systems, including your protocol’s smart contracts.
Stay skeptical, stay vigilant and continue to share information about the attackers and their tricks with your friends and colleagues. Together we can improve this ecosystem’s defenses against these ever-evolving threats.