Hello everyone, recently they tried to hack me, and I hope they were unsuccessful at doing so, but I'd like to share the scheme so that if you encounter a similar thing, you'll know what's going on. Follow me step by step and you'll see how some bad actors on a famous freelancing platform are trying to #hack #web3 #blockchain developers.
First things, they'll send an invite, looking for a blockchain developer. Everything seems quite normal and professional.
Then they'll send a github repo, or a project via google drive or whatsoever. The project seems legit at first glance.
They then ask you to open the project via npm start. But in order to do so, you'll have to solve a bug. One time it was a collision between package-lock.json and yarn.lock files and I was able to open the app by deleting the yarn.lock file. Still, do this point, I think everything seems to be kinda okay.
Then, they want you to send them a screenshot showing that you've opened the app. Now this is fishy, but still, I have to admit that I've done this 3 times lol.
Then they stop responding.
At the first 2 times, I just moved on thinking they've found another developer. But then, the 3rd one made a weird comment. They said, "just keep the app open and we'll discuss". Now, it was already the third time I was seeing a similar behavior so I thought okay this is weird, closed the app, and started doing the thing I should've done in the first place: Checking every single file in the project's repository.
After a brief investigation, I've found a weirdly looking file. That had a harmless name like utils.js or error.js or setup.js that had a quite unreadable code in it.
I will even go ahead and share the latest one I've been sent, just to name and shame, ATTENTION, DO NOT CLONE OR RUN THIS REPOSITORY, this is the malicious code => https://github.com/liamprodev/Hiring-Assessment/blob/main/helpers/error.js
As you can see, it is in helpers directory and is named error.js, but has nothing to do with error handling. It's quite difficult to read too. If you use https://beautifier.io/ or some other code formatter, you'll see something like this
It is ugly isn't it? Do you see how they even use base64 decoding to obfuscate the code. so instead of writing r=c(child_processes) they encode it and write r = c("Y2hpbGRfcHJvY2Vzcw"), making it harder to read. I've analyzed some other parts of it too, it's like, instead of returning x, they turn x into y+z*uu-15t or some other weird equation like that. It's quite difficult to follow what's going on there, but with the help of gpt4, I've managed to understand that it's an #expressjs #server that runs through file directory, creates files, and somehow looks for chrome wallet extensions. One of them was trying to get solana wallet, others, I'm still not sure. I think they're trying to drain the funds in the wallet.
Well, jokes on them because I only keep test coin in my #metamask wallet lol.
Now, when you read this article, maybe the github repo will be already deleted, because they do so. Even this one I've shared was in a different repo from the same account.
Now, what I think now, is that these are sold somewhere, possibly on the deep web (because why not?), and many scammers are trying to use the almost-alike hacking scripts to drain funds.
I was not careful, but lucky I guess. So, please be careful and do not trust anyone, gosh, #web3 is wilder than the old west.
Top comments (3)
I received one of these attacks too. I deobfuscated the code and I found that it's downloading malicious Python files too and running them.
After I deobfuscate the Python code and analyzed I found that it makes a connection between your device and the scammer server. and this connection has access to all your files.
I know these scammers may not make use of victim files, but I think they just make mining throw your device as I found one of the scam codes allows open the GPU.
Here is one of the scam js codes I received.
github.com/Al-Qa-qa/scamming-js-co...
Man I actually fell for this 2 times with different scammers. All of them disappeared from my messages. Im actually using Ubuntu windows subsystem in my dev environment, so not sure if I should be worried, or should I? Can they take over my PC?
It connects your PC with a remote server to get all PC data.
The main thing it does is read the browser data, and if you have a wallet as an extension on Chrome for example, then grab the private key of it, if you unlocked it with the password.
So if there was sensitive info in the device (passwords or another thing) you need to change it to be sure.
But the main purpose is to grab the Private key of your browser wallets