
Alert: Web3 Job Offers Disguised as Opportunities

TL;DR:

Stay vigilant: some Web3 job 'opportunities' are actually crypto scams in disguise.

A recruiter contacted me with a promising Web3 role, asking me to test their code locally. Warning: this malicious code could compromise your machine and steal crypto wallet access.

I want to share a detailed analysis of a supposed job opportunity — presented as a groundbreaking SocialFi & Web3 venture with attractive pay — that turned out to be a potentially dangerous scam. Here is my experience analyzing the code and interacting with the alleged recruiter.

1. Background and sequence of events

Initially, the recruiter presented the project with a seemingly legitimate Figma preview, so I confidently continued the conversation.

However, in their second message, they invited me to clone their GitHub repository and run the code to verify it worked on my machine.

Having already been alerted to this type of scam by the community (thanks @Patrick Collins for the heads-up!), I was immediately on guard.

An unusual detail confirmed my suspicions: their README.md instructed running the code with the `--force` flag via npm — a questionable practice often used to mask problematic dependencies.

Technical evidence

Here's technical evidence confirming the malicious nature of the code:

Project file analysis:

  • I started by examining package.json for any suspicious dependencies.
  • Finding nothing obviously wrong, I proceeded with a detailed file-by-file review.
  • While reading the code I found names like GG Lab Poker and Vintage Poker. A quick search revealed the project reused a 5-year-old open-source project, and the name appeared in a Threat Labs repository named 'Contagious Interview'.

I then asked ChatGPT to analyze index.js — it described the file as standard logic for managing tables and players in an online poker game using Express and Socket.io.

The obfuscated, suspicious code:

A significant portion of the code is heavily obscured using advanced obfuscation techniques. Representative snippets are broken down in the next section.

2. Technical analysis of the malicious code

a. Initial obfuscation block

This block uses an infinite loop and complex arithmetic to shuffle an array of strings:

```javascript
const aR = F;(function(aD, aE) {
  const aQ = F, aF = aD();
  while(!![]) {
    try {
      const aG = parseInt(aQ(0xd0)) / 0x1 + -parseInt(aQ(0xd2)) / 0x2 + ...; // Simplified
      if(aG === aE) break;
      else aF['push'](aF['shift']());
    } catch(aH) {
      aF['push'](aF['shift']());
    }
  }
}(D, 0xac73e));
```

This mechanism obscures the code's true functionality, making it extremely hard to read.

b. Dynamic decoding and module loading

The code decodes Base64-encoded strings at runtime to dynamically load core system modules, so the module names never appear in plain text:

```javascript
const H = 'base64', I = aR(0xdf), K = require('fs'), O = require('os'),
      P = aD => (s1 = aD[aR(0xb3)](0x1), Buffer.from(s1, H)[aR(0xd5)](I));
rq = require(P(aR(0xbf)+'A')), // require('os') - obfuscated
pt = require(P('zcGF0aA')),    // require('path') - obfuscated
...
```

This makes manual analysis very challenging and can hide critical, potentially malicious system calls such as data exfiltration.

c. Function redefinition

The code also features a function that redefines itself — a common trick to hide internal logic:

```javascript
function F(a, b) {
  const c = D();               // D() returns the shuffled array
  return F = function(d, e) {  // Function redefines itself
    d = d - 0xb2;              // Index calculation
    let f = c[d];              // Accesses element from shuffled array
    return f;
  }, F(a, b);
}
```

These techniques are typical in malware to evade detection and complicate reverse engineering.

Note: these functions sit after module.exports in index.js, and are not initially visible when viewing the code on GitHub.

Crypto wallet access attempt

The scammer eventually asked me to connect an Ethereum wallet and sign a message, which could have compromised my crypto assets.

Conversation screenshots

Here are screenshots of my conversation with the alleged recruiter:

3. Recommendations

  • Never run code like this on your primary or work machine.
  • Always use an isolated environment (VM, sandbox, Docker container) for analyzing or testing untrusted code.
  • Be extremely wary of opportunities that seem too good to be true. Always verify the company and the source of any code.

I'm sharing these findings in the spirit of transparency, to help protect the Web3 ecosystem and encourage stronger security practices. Feel free to share your own experiences!