Decoding the Deceit: A Firsthand Account of Navigating Web3 Scams
Jun 10, 2023
Last week, my team and I embarked on an endeavor to seek out new opportunities in Web 3.0. We discovered its darker side as we dove deeper into this promising frontier. To our dismay, we were entangled not once, not twice, but eight times by the cleverly disguised traps of deceitful scammers. We faced this unfortunate reality because of our drive to explore Web 3.0 projects, a dimension many believe will mold the future of the internet.
Such is the irony of our story that we found ourselves targeted by these scam artists in the quest to contribute to a more transparent and decentralized future. We quickly realized that the hype around Web 3.0 was serving as a double-edged sword, exciting on the one hand while inviting malicious elements on the other.
This experience, frustrating as it was, inspired us to share our insights and provide guidance to others venturing into the world of Web 3.0. We hope to offer a comprehensive guide to identify potential scams and avoid the pitfalls we encountered.
This article serves not just as a cautionary tale but also as a roadmap to navigate the labyrinth of Web 3.0, helping you to distinguish between genuine opportunities and clever ruses. Read on to learn how to protect yourself and prosper in this burgeoning landscape without falling victim to its hidden perils.
Step 1: The Deceptive Test Project
In a typical Web3 job interview, you may be asked to work on an example project. This might seem like a common practice to assess your skills, but it could also be a trap. The project you're given might contain hidden malicious code. For example, check this project's publications on the platform Upwork.
You can also use the AI tools available these days, such as GPT, to inspect such a project. For example, we went through one project with the chat and got this interesting analysis:
✦ "The code is quite complicated and appears to be part of some sort of malware. Here's a general overview of what it does:
✦ It defines a set of functions and constants that work with string type objects and buffers.
✦ It seems to primarily work with file and directory manipulation, using Node.js's fs module. The operations include reading files, writing files, checking for the existence of files, and handling directories.
✦ It uses the request module to make HTTP requests, possibly to send or receive information. It uses the crypto module for data encryption and decryption.
✦ Some constants and functions work with strings in base64 format, which are decoded into UTF-8 text.
✦ There's a function that seems to be related to extracting locally stored passwords from various browsers, such as Google Chrome, Brave, and Opera. This is done by accessing the local configuration files of the browser and extracting the information.
✦ There's also code related to manipulating SQLite databases. Finally, it appears that this code connects with some kind of remote server, possibly to send collected information or receive instructions.
✦ Given this analysis, it seems that this code is part of a type of malware known as "info-stealer", which collects information from the infected system and sends it to an attacker. If you've found this code on your system, I would recommend that you perform a malware check and change all your passwords as soon as possible."
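One way to look for the same traits yourself without running the project, as an added example (not code from this article's authors or from any of the repositories named below): a Node.js script that reads source as text, flags the modules and keywords listed in the analysis above, and decodes base64 string literals to see what they hide. The indicator names, patterns and sample input are assumptions constructed for illustration.

```javascript
// Static triage of untrusted "test project" source: the code is read as text, never executed.
// Indicator names and patterns are illustrative, based on the traits listed in the analysis.
const INDICATORS = {
  fileAccess: /require\(\s*['"](?:node:)?fs['"]\s*\)/,
  httpClient: /require\(\s*['"]request['"]\s*\)/,
  cryptoUse: /require\(\s*['"](?:node:)?crypto['"]\s*\)/,
  sqlite: /sqlite/i,
  browserData: /\b(?:chrome|brave|opera)\b/i,
};

// Find quoted literals that look like base64 and decode to printable text.
function decodeBase64Literals(source) {
  const decoded = [];
  const literal = /['"`]([A-Za-z0-9+/]{12,}={0,2})['"`]/g;
  for (const [, b64] of source.matchAll(literal)) {
    if (b64.length % 4 !== 0) continue; // not valid padded base64
    const text = Buffer.from(b64, 'base64').toString('utf8');
    if (/^[\x20-\x7e]+$/.test(text)) decoded.push(text);
  }
  return decoded;
}

// Check every indicator against the visible source and against the decoded strings.
function triageSource(source) {
  const hidden = decodeBase64Literals(source);
  const findings = new Set();
  for (const [name, pattern] of Object.entries(INDICATORS)) {
    if (pattern.test(source)) findings.add(name);
    if (hidden.some((t) => pattern.test(t))) findings.add(`${name} (base64-hidden)`);
  }
  if (hidden.length > 0) findings.add('base64Strings');
  return { findings: [...findings].sort(), decoded: hidden };
}

// Constructed sample input, not taken from any real repository.
const SAMPLE = [
  "const fs = require('fs');",
  "const request = require('request');",
  `const p = Buffer.from('${Buffer.from('Google/Chrome/User Data').toString('base64')}', 'base64');`,
].join('\n');

console.log(triageSource(SAMPLE));
```

A hit is a reason to read the file closely inside an isolated environment, not proof of malice; a clean result does not prove the project is safe.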
Step 2: The Crafty Communication
The interviewer might use a chat platform to send this example project without arousing suspicion. Let's not forget that even if the communication is happening through a reputable platform, the intentions behind it might be malicious.
Step 3: The Permission Trap
As you work on this 'test' project, the code requests various permissions. This might include access to your wallets, transactions, keychain, or other sensitive information. Such requests should raise alarm bells. No legitimate interviewer would need to gain access to such details.
Step 4: The Keychain Heist
Once you grant these permissions, the malicious code in the project can presumably access your keychain. The keychain, a password management system, contains all your passwords and cryptographic keys. In the wrong hands, this information can lead to catastrophic results, including losing access to your accounts or having your funds siphoned off.
Step 5: Identifying Red Flags
Remember, vigilance is your best ally. Pay close attention to the following red flags:
Background noise: Hearing people in the background during a call with the interviewer could be a sign of a scamming call center.
GitHub Profile: A genuine professional in the Web3 space would likely have a GitHub profile with a rich history of repositories, contributions, and activity. A blank or bare profile should be concerning.
No Reviews: Check for reviews if you connected through a freelancing platform. A profile without reviews, testimonials, or work history is a red flag.
Remember, it's always better to be safe than sorry. Don't hesitate to step back and reassess if something feels off during the interview or assessment process. Stay vigilant, stay safe, and let's continue to build a trustworthy and transparent Web3 environment.
Step 6: Protecting Yourself
The following are some best practices to protect yourself from falling victim to such scams:
Double Check the Source: Be sure the person or entity contacting you is who they claim to be. Verify their email addresses, check their social media profiles, and do a quick online search about them. If possible, ask for a face-to-face video interview to establish their identity.
Never Share Sensitive Information: Do not share sensitive personal information or cryptographic keys during an interview. Legitimate companies will never ask for such details, especially not during an initial conversation.
Use a Fresh Environment: If asked to test or run code from an untrusted source, consider using a virtual machine or a separate device with no sensitive information.
Step 7: Dealing with Suspicious Activity
If you suspect you're dealing with a scam, take the following steps:
Report to the Platform: If the job was listed on a job board or freelance platform, report the suspicious activity to them. They might be able to take action and prevent others from falling into the same trap.
Contact Local Authorities: If you've shared sensitive information or suffered a loss, report the scam to your local law enforcement agency.
Change Passwords and Secure Accounts: If you fear your data may have been compromised, immediately change your passwords and secure your accounts.
Awareness: Share your experience within your networks. The more people know about these scamming tactics, the fewer victims there will be.
Technical details:
In the following GitHub repositories, you will find some of the many cases we have experienced recently:
(We removed the direct links so our site is not flagged for phishing; these repositories are hosted on github.com/)
/MitchellHaynes/Web3-test-project
/Deaunte0514/Hiring-Assesment/tree/master
/CirJose/RedGiantStaking
/CryoportFinance/MintNFT
As a result of these cases, we have come to the conclusion that the most effective way to contribute to the community is by raising awareness among other businesses and professionals. It is crucial for them to remain vigilant against these attacks.
Remember that internet safety guidelines still hold in the fascinating world of Web3. Always be wary of claims that seem too good to be true, and never divulge sensitive information without first researching. We hope this guide will enable you to travel the Web3 career path safely. Stay safe and prosper in the decentralized future!