The job offer that was actually an attack

Some of the most sophisticated malware aimed at crypto developers does not arrive as malware. It arrives as a job offer.
Over the past few weeks, I have been contacted by a steady stream of recruiters and Web3 startups on LinkedIn. DEX projects, RWA platforms, exchanges, a healthcare blockchain, NFT and gaming startups. At first glance, many looked completely legitimate. Real budgets, ambitious roadmaps, clean messaging.
I have spent years building wallets, bridges, and SDKs in this ecosystem, so I read these offers with interest. Then I looked closer, and the same patterns kept repeating.
Generic recruiter profiles with nothing verifiable behind them. Companies and websites created only weeks earlier. Vague descriptions that never survived a second question. Oversized budgets attached to teams nobody could find. And, almost every time, a "technical assessment" that required me to clone a private repository, install it, and run it locally.
Run their code first. Talk seriously later. That order is the tell.
In one case, I read through the repository before running anything. Inside what looked like an ordinary application service, there was JavaScript that fetched content from a remote URL at runtime, parsed and executed it dynamically, and used Function.constructor to run arbitrary code pulled from outside the project.
It was not in the README. It sat in a file made to look like normal plumbing.
If I had done what the assessment asked, npm install, npm run, that code would have run before I had any reason to trust it.
That is the point of these campaigns. They are not trying to fail you on an interview. They are trying to get a blockchain developer to run untrusted code on a trusted machine.
To be clear, not every recruiter is an attacker and not every assessment is a trap. Many are real opportunities. The problem is asymmetry: being wrong once can be total. So due diligence stops being optional.
A few things I now do, and recommend to anyone in this space: verify the company and the legal entity, not just the landing page. Verify the people; look for founders with a history you can trace. Ask for a live demo before you touch any of their code. Read the code before you execute it: network calls, dynamic evaluation, postinstall hooks. Never blindly run npm install or npm run on an unknown codebase; install scripts run the moment you install. And if you must run something unfamiliar, isolate it: a throwaway VM or container, no keys, no credentials.
None of this is paranoia. It is the same threat modeling we apply to smart contracts and bridges, pointed at our own workflow. If you build in Web3, your laptop is part of your attack surface.