Web3 Developer Safety Guide: Protect Yourself from Scams
Web3 developers are being actively targeted by sophisticated attackers using fake job offers and malicious code. This guide explains a few critical Web3 safety measures that could save developers from getting scammed.
The Attack: Fake Job Offers
Attackers approach developers on LinkedIn with fake job offers, move them to Slack, then send malicious GitHub repos. When you run npm run dev, code extracts your MetaMask vault and sends it to their server (e.g., 94.131.97.195:1224).
During video calls, they ask you to “Connect Wallet”—what looks like MetaMask is actually a fake pop-up harvesting your password.
Critical Web3 Safety Tips
1. Use a New/Dedicated Device
Never run untrusted code on your main machine:
- Use a Virtual Machine (VirtualBox, VMware)
- Run in Docker containers, destroy after use: `docker run --rm -it --network none -v $(pwd):/app node:20-alpine`
- Use an old laptop with no access to your keys
- Sandboxing tools: Firejail (Linux), Sandboxie (Windows)
2. Ask Lots of Questions
Make the interview an interrogation:
- “Can you verify with a company email?”
- “What is the company’s registered address?”
- “Who are the founders?”
- “Can I speak with an engineer?”
- “How did you find my profile?”
Scammers make excuses. Real recruiters answer.
3. Video Meeting Protocol
AI voice deepfakes are now being used. Beyond just demanding a call:
- Record the meeting and announce it
- Ask them to show their company ID on camera
- Call back on the company's official number (never the number they give you)
- Ask technical questions—scammers can’t answer
- Schedule two meetings—scammers have “conflicts”
4. Code Review Before Execution
```
// ALWAYS check package.json scripts:
// - Look for eval(), exec(), child_process
// - Check for fs.readFile/writeFile
// - Search for network requests
// - Verify require() statements

// Safe workflow:
1. git clone <repo>
2. cat package.json   # BEFORE npm install
3. Run in VM/Container only
4. Monitor network connections
```
5. Never Connect Wallet
- No job interview requires wallet connection
- No test task needs access to your keys
- If asked, walk away immediately
- Use a burner wallet ($0) if you must test
6. Verify Everything
| Check | How |
|---|---|
| Company legitimacy | LinkedIn, Crunchbase, SEC filings |
| Domain age | whois domain.com (new = red flag) |
| Email domain | Free email (gmail) = suspicious |
| GitHub history | Account age, contribution patterns |
7. Red Flags
| Red Flag | Action |
|---|---|
| Run npm run dev | Audit code, run in VM |
| Move to Slack/Discord | Verify on LinkedIn first |
| “Complete in 1 hour” | Slow down |
| Private repo under YOUR account | Say no |
| Connect wallet request | Walk away |
| “Don’t tell anyone” | Isolation—report and block |
If You’ve Been Targeted
- Disconnect the internet immediately
- Transfer remaining assets
- Revoke approvals on revoke.cash
- Clear browser data
- Change all passwords
- Enable 2FA everywhere
- Report: GitHub, LinkedIn, X (Twitter)
Conclusion
Web3 developers are high-value targets. Use dedicated environments, ask questions, verify everything, and never connect a wallet during interviews.
