attlassian / crypto-gun


This is the code of a fraud gang #1

Open simbahebinbo opened 3 weeks ago

simbahebinbo commented 3 weeks ago

This is the code of a scam gang. As soon as you run this code and open it in a browser, the tokens in the browser's MetaMask wallet are stolen.

Hello everyone, I would like to ask for your help with a serious problem: my wallet's private key was stolen. Here is what happened:

1. Recently I ran a Next.js program; following the tutorial, I installed the dependencies with npm install and started the project.
2. After the program started, I only briefly looked at the interface and did nothing else; for example, I did not connect or import a wallet.
3. The program ran for only a few minutes in total, and then I closed it.
4. But about an hour later, I suddenly found that all the funds in my MetaMask wallet had been rapidly transferred out.

The wallet's transaction history at the time: https://debank.com/profile/0x2fe023204958fc4c44f639ce72d3bdc0f025adfe/history
Preliminary analysis shows the attacker's address is 0x1ee5F410b001E45cb863B952259700eD41fAADEc, and that it is linked to rivoxyz.eth.

I am very confused now. I don't know where the problem is, and I am not sure whether a security flaw in the program caused the private key to leak.

If anyone is interested in helping analyze it, I can provide the source code here.

At the moment I don't know what to do to trace the funds or protect my other assets. I hope experienced people can help answer this, or offer some advice on whether there is any way to recover the loss.

I have discovered a scam. Someone found my email through my GitHub and told me I was a good fit for their project. They asked me to add them on Telegram. On Telegram they quoted a very high salary. They asked me to download their project demo code and run it. At the same time they asked me to download remote control software, saying it was for an interview. Not meeting software, but remote control software. They want to control my computer and use their code to steal the web3 assets on it. I have run into 4 or 5 of these recently. I suspect it is the same gang; the pattern is identical. Don't fall for it.

At first I thought it was real, until he asked me to download the remote control software AnyDesk and tell him the number. I realized immediately, because a real interview uses meeting software, not desktop control software.

They also kept urging me to run it and look at the interface.

Hello,
I came across your Github profile and thought you'd be perfect for a project we are going to develop.
I am Paul and I am working as project manager. We are aiming to develop a new multify platform within a blockchain environment.
Contract period is 6-8 months. We will pay you enough salary.

If you are interested in our business, you can contact me at the following addresses.

My address:
Discord: ambition099
Telegram: ambition_group

Please send me the message "I am finding Paul" in Discord or Telegram, I will discover you and reply instantly.
I will wait for your reply.
Have a good day.
Nice to meet you.

I checked your GitHub work and it looks like a good match for our project.
We are gonna develop the blockchain game project.
For it, we need a developer who is familiar with both blockchain and backend.
Are you available for our development?

If yes, let's discuss more details on Telegram.
The Telegram id for this is "@smart_devgroup".

Call me 'Hi, Dalton.' at first.
https://github.com/SabeloMkhwanzi/Multify-Analytics-Dashboard

https://github.com/attlassian/crypto-gun

Note: do not run the programs they give you, and do not install the software they give you.

https://github.com/attlassian/crypto-gun/blob/main/tailwind.config.js#L711
Line 711 is obfuscated; that is the theft code.

It adds
"fs": "^0.0.1-security",
"fs-extra": "^11.2.0",
which are used to read local files.
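
One defender-side check that follows from the indicators named in this report (filesystem packages listed in a frontend app's package.json, and an obfuscated line in tailwind.config.js), written as an added example that is not code from the crypto-gun repository or from the issue author. It assumes Node.js, reads only package.json and the listed config files, and the sample inputs are constructed; the names auditProject, scanConfigSource and auditPackageJson are my own.

```javascript
// Added example (not from the crypto-gun repository or the issue author): a
// pre-run audit for a cloned Next.js project. It flags the two indicators the
// issue names: Node filesystem packages ("fs", "fs-extra") as dependencies of
// a browser-facing app, and obfuscated code in a build config such as
// tailwind.config.js. Run it on a fresh clone BEFORE `npm install`/`npm run dev`.

// Packages a frontend app has no business depending on. "fs" on npm is only a
// placeholder (hence the "0.0.1-security" version seen in the issue).
const SUSPICIOUS_DEPS = ['fs', 'fs-extra'];
// Config files that `next dev` / `next build` execute as Node code.
const CONFIG_FILES = ['tailwind.config.js', 'next.config.js', 'postcss.config.js'];

// Returns the names of suspicious packages in a parsed package.json object.
function auditPackageJson(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return Object.keys(deps).filter((name) => SUSPICIOUS_DEPS.includes(name));
}

// Returns [{ line, reason }] findings for one config file's source text.
function scanConfigSource(src, maxLineLength = 400) {
  const checks = [
    [(t) => t.length > maxLineLength, 'overlong line (minified or obfuscated payload)'],
    [(t) => /(\\x[0-9a-f]{2}){4,}/i.test(t), 'hex-escaped string'],
    [(t) => /\b(eval|Function)\s*\(/.test(t), 'dynamic code execution'],
    [(t) => /require\(\s*['"](fs|fs-extra|child_process)['"]\s*\)/.test(t),
      'filesystem/process access in a config file'],
  ];
  const findings = [];
  src.split('\n').forEach((text, idx) => {
    checks.forEach(([test, reason]) => { if (test(text)) findings.push({ line: idx + 1, reason }); });
  });
  return findings;
}

// Audits a project directory on disk; it only reads files, never executes them.
function auditProject(dir) {
  const fs = require('fs'), path = require('path');
  const report = { deps: [], files: {} };
  const pkgPath = path.join(dir, 'package.json');
  if (fs.existsSync(pkgPath)) report.deps = auditPackageJson(JSON.parse(fs.readFileSync(pkgPath, 'utf8')));
  for (const name of CONFIG_FILES) {
    const p = path.join(dir, name);
    if (!fs.existsSync(p)) continue;
    const findings = scanConfigSource(fs.readFileSync(p, 'utf8'));
    if (findings.length) report.files[name] = findings;
  }
  return report;
}

// Constructed sample input (not the real repository's files): a package.json that
// lists "fs" and "fs-extra" as the issue describes, and a tailwind config with one
// injected line that hex-escapes a string and pulls in fs-extra.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { next: '14.2.0', react: '18.3.1', fs: '^0.0.1-security', 'fs-extra': '^11.2.0' },
};
const SAMPLE_TAILWIND_CONFIG = [
  "module.exports = { content: ['./src/**/*.{js,ts,jsx,tsx}'], theme: { extend: {} } };",
  "const _0x = require('fs-extra'); const p = '\\x2e\\x63\\x6f\\x6e\\x66\\x69\\x67';",
].join('\n');
if (typeof module !== 'undefined') module.exports = { auditPackageJson, scanConfigSource, auditProject };
```

To audit a real clone without executing anything in it, save the block as audit.js and call auditProject from a one-liner: node -e "console.log(JSON.stringify(require('./audit.js').auditProject('./crypto-gun'), null, 2))". A non-empty deps list or any file findings mean stop and read the flagged lines before running npm install.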
attlassian commented 6 days ago

I will report you.

On Mon, Sep 23, 2024 at 11:25 PM simbahebinbo wrote:

…

attlassian commented 6 days ago

Scammer!!!!!

On Fri, Oct 11, 2024 at 7:53 PM Bennett Dalton wrote:

I will report you.

On Mon, Sep 23, 2024 at 11:25 PM simbahebinbo wrote:

…

simbahebinbo commented 6 days ago

A friend wrote an analysis article based on the earlier wallet theft; anyone interested can read it here:

https://web3.cool/yi-ci-qian-duan-yuan-ma-dao-bi-shi-jian-fen-xi