Scam Email points to this repository

[saadahmsiddiqui]

Hi, I received this email today and I'd request to stop trying to scam people :)

---

Hello, Saad I'm writing in regards to your github profile. Fluence Network have been awarding their tokens to developers who have made commits to open source web3 repositories in 2023. According to my research, your GitHub profile is eligible to claim 2500 FLT tokens due to your web3 contributions.

As of the current market value, these tokens are approximately worth $625. Please, note that you can exchange them for Ethereum or USD in two months after claiming them. These tokens can be exchanged on any exchange platform.

For verification and to claim your tokens, you can visit Fluence's official Twitter profile: https://x.com/fluence_project/status/1775354001955151999 where they have posted the official claim link. Also you can find some instructions on their GitHub repo: fluencelabs/dev-rewards

If you do collect your tokens, it would be appreciated if you could share a percentage with me as a finder's fee. My Eth wallet address: 0x660330efbec5f00c3338692a2290c25cabd57ed9

Feel free to reach out to me on my social networks - telegram: @oxktk, twitter: @amawxz, primary email address: diletimaa@gmail.com

best regards Nicholas

rastijosephg@gmail.com

[jac18281828]

👀

[tdbe]

Definitely looks like a scam, wouldn't touch:

• why don't they use oauth? Running their scripts with my key and sending the result? Yeah that's a good smart legit project fam! Secure #web3!
• why would any sane airdropper write multiple sentences (any sentences) about "current market value" and how you can "sell your airdrop for Ethereum or USD on any exchange platform"? But ok maybe the emailer is not fluencelabs.
• on the fluencelabs website they write: "Developers can claim $FLT within the next 12 months, but the available allocation halves every three months. Rewards are on a first come, first serve basis until the allocation has been exhausted." ^ halves? makes no sense, why the hell would they create first come first serve airdrop fomo, reducing number of contributors, if they want to attract contributors?? And right after they said the contradicting: "the Fluence DAO allocated 5% of $FLT supply to web3 developers. We have included over 110,000 GitHub accounts of contributors to over 800,000 web3 repositories to the list" -- but you only distribute to the fomo first come guys? (also 110k/800k is mega sus)

[ikkerens]

Interestingly, I got the same email from a different email address. Definitely something shady going on with this guy.

[zacck]

got the same email as well, don't even know about this programme

[BenWiederhake]

Also got the same spam e-mail:

Hello, Ben
I'm writing in regards to your github profile.
Fluence Network have been awarding their tokens to developers who have made commits to open source web3 repositories in 2023.
According to my research, your GitHub profile is eligible to claim 2500 FLT tokens due to your web3 contributions.

As of the current market value, these tokens are approximately worth $625. Please, note that you can exchange them for Ethereum or USD in two months after claiming them. These tokens can
be exchanged on any exchange platform.

For verification and to claim your tokens, you can visit Fluence's official Twitter profile:
https://x.com/fluence_project/status/1775354001955151999 
where they have posted the official claim link. Also you can find some instructions on their GitHub repo: fluencelabs/dev-rewards

If you do collect your tokens, it would be appreciated if you could share a percentage with me as a finder's fee.
My Eth wallet address:
0x660330efbec5f00c3338692a2290c25cabd57ed9

Feel free to reach out to me on my social networks -  telegram: @oxktk, twitter: @amawxz, primary email address: [diletimaa@gmail.com](mailto:diletimaa@gmail.com)

best regards
Nicholas

[aphyr]

Ditto, identical spam here.

[atkirtland]

I received this too. Is this likely a scheme to harvest ssh keys then? Given that the Readme has options with Docker, I guess it's not likely to be more than that, right?

[juliamendesc]

+1 for scam email

[DocteurPing]

You guys are right, pretty sure it's a scam since the domain authentication failed for the email i got the mail from. What a weird target for a scam though, don't think much web3 dev will fall in the trap.

[tdbe]

Assuming the code is just an isolated docker and doesn't access the rest of your machine, then it probably is "just" harvesting your ssh keys, or signing something with your ssh keys. Not worth the time to study the repo..

You could (don't!) risk it and get/save your ssh key from 2023, revoke/change it now, then use the old now revoked key on this repo (if you trust running their code at all / in a gapped machine), but 1). they can still use expired ssh keys for pretending something happened / you signed something bad retroactively, and 2). if some people put in valid ssh keys it's enough for the hackers.

Either way this can't be a legit project, as any 12 year old could have implemented this via oauth2 and avoided getting their precious would-be contributors to download a repo and running convoluted mystery first-come-first-serve airdrop code.

[saadahmsiddiqui]

@tdbe from the looks of it yes, I believe its trying to compromise the ssh keys

[efstajas]

I received the same email. Almost deleted it immediately, but ended up getting curious and followed the instructions. I skimmed through the code for a while and eventually decided to run it (in an isolated environment, as recommended). The step asking me for my SSH key made me feel extremely uneasy again so I decided to pause and look deeper into it.

The email reads to me just like some (indirect) airdrop farmer looking for tips, likely not connected with Fluence directly. About the airdrop itself though…

Despite how strange this verification method seems at first, after some research I don't think it's a scam. Fluence looks like a legit-enough project in itself, and it seems to me that the ssh key-based proof method is an attempt at awarding the airdrop fully on-chain without requiring some kind of oracle that would come with trust assumptions. I definitely still didn't fully understand the proof mechanic, but decided to go ahead anyway after removing my SSH key from my GitHub account completely.

It generated the proof, I pasted it into the site, and I was sent FLT-DROP tokens as promised, which it says I can exchange for FLT after a 2-month lockup. I quickly verified the on-chain logic for the transfer lock, and it LGTM. FLT can currently be exchanged for USDC on Uniswap, and it has good enough liquidity. Who knows how the value will develop over the next 2 months.

So ya... make of that what you will.

In retrospect, I wonder whether this pretty complicated and scary claim process ends up alienating more devs than it attracts. There should at least be a very clear explanation of the proof mechanism upfront, with some background on why it was designed the way it is (vs e.g. an oauth-based process).

[dmitryn]

You can also generate proof using this page https://github.com/fluencelabs/dev-rewards/blob/main/web/index.html Looking at the JS code there I don't see anything suspicious.

It only asks you to run this command to generate proof:

echo "LS0tLS1CRUdJTiBBR0UgRU5...LQo=" | base64 --decode | age --decrypt --identity /path/to/ssh-key

which doesn't seem dangerous.

[rekire]

Count me in got the same scam.

Hello, RenГ© I'm writing in regards to your github profile. Fluence Network have been awarding their tokens to developers who have made commits to open source web3 repositories in 2023. According to my research, your GitHub profile is eligible to claim 2500 FLT tokens due to your web3 contributions.

As of the current market value, these tokens are approximately worth $625. Please, note that you can exchange them for Ethereum or USD in two months after claiming them. These tokens can be exchanged on any exchange platform.

For verification and to claim your tokens, you can visit Fluence's official Twitter profile: https://x.com/fluence_project/status/1775354001955151999 where they have posted the official claim link. Also you can find some instructions on their GitHub repo: fluencelabs/dev-rewards

If you do collect your tokens, it would be appreciated if you could share a percentage with me as a finder's fee. My Eth wallet address: 0x660330efbec5f00c3338692a2290c25cabd57ed9

Feel free to reach out to me on my social networks -  telegram: @oxktk, twitter: @amawxz, primary email address: diletimaa@gmail.com

best regards Nicholas

However I'm still confused about this repo what does it do? It downloads files and want that I give access to my ssh keys? WTF?

[mmiranda]

However I'm still confused about this repo what does it do? It downloads files and want that I give access to my ssh keys? WTF?

whole new level of scam: OSS (Open Source Scam)... "I'll hijack your private key, but don't worry about it..."

[blechschmidt]

As the guy who implemented the claim website in PR #79, I can vouch for that method being safe. Your key will be used for a decryption operation using age only and the shell command is easily auditable. Other than that, opening a website can be assumed to be safe under the Web Security Model (not taking into account browser exploits, obviously). When implementing that site, I did not find any indicator of this repository engaging in malicious activity.

it seems to me that the ssh key-based proof method is an attempt at awarding the airdrop fully on-chain without requiring some kind of oracle that would come with trust assumptions.

I would agree to some extent. The repository is still on GitHub, which is pretty centralized. While it seems fishy at first, the reason is likely a mix of technical playfulness and the will to award curiosity and skills to audit the code.

Regarding the marketing, I guess these emails are at least accounted for by the Fluence team, because such an airdrop is obviously only effective if the recipients become aware of it. However, I can verify that you will receive the tokens as advertised.

Disclaimer: I am not affiliated with Fluence. I just got curious enough to immerse myself in how this airdrop works when I received a similar email a few weeks ago.

[GildedHonour]

Disclaimer: I am not affiliated with Fluence. I just got curious enough to immerse myself in how this airdrop works when I received a similar email a few weeks ago.

You inserted the word "disclaimer" but didn't you insert the words "inroduction", "explanation" and "conclusion" earlier then? How will one know which part is what?

[tdbe]

I no longer believe this is a scam, could be some kind of awkward "programmer creativity" to be "clever" on purpose (including the weird tokenomics halving fomo) and then keep quiet, like BlechSchmidt said. Or maybe they're afraid the US SEC would classify OpenSSL or OAuth2 as a broker-dealer 😂. Or just emergent project chaos.

(the following is not advice (don't just trust, learn), and don't take it as endorsement of the FLT project although it seems ok):

After some of you pointed out, I see the readme states you can actually do all this with just one index.html file (thus browser-sandboxed):

• Download only this index.html and audit it / play with it yourself. You could run all its resources locally without internet.
• The Private Key use in that file: The payload decrypt: let command = 'echo "' + encryptedBase64 + '" | base64 --decode | age --decrypt --identity <path to private key>'; result.push([publicKey, command]); This "command" var is just some text for you to copy. It's an encrypted message sent to you, encrypted with your github public key. It's asking you to decrypt it; you base64 decode in e.g. powershell or notepad++ and use your own private key decryption method on your own terms to decrypt it. They suggest to use the popular independent "age" tool: https://github.com/FiloSottile/age [...] What they did was encrypt some 0x12364 private key with your github public key. Decrypting the "command" above, results in this 0x12364 private key. They use it for an Ethereum proof: let account = web3.eth.accounts.privateKeyToAccount(privateKey); <-- the 0x12364 private key, not your ssh private key. docs: https://web3js.readthedocs.io/en/v1.2.11/web3-eth-accounts.html#privatekeytoaccount [...] let signature = web3.eth.accounts.sign(ethereumAddress, privateKey).signature; Signs your Eth public key (ethereumAddress), with the 0x12364 privateKey (the one they messaged to you encrypted with your public github SSH key). docs: https://web3js.readthedocs.io/en/v1.2.11/web3-eth-accounts.html#sign Then you feed this signed public address into their smart contract by pasting it in their live website https://claim.fluence.network/.

This is the annoying "do you know your stuff part" - They use the proof (the encrypted message which turns out is a private key of their own) to Sign in their code. They shouldn't ask people to run this as magic code locally without some clarity at least.

So, you could in theory (not advice, because don't 'just trust me') just follow the index.html steps. I'd also revoke & replace that github ssh key (because hey, it's on a list, it's in a smart contract, it's probably also lying on your desktop now etc).

[nocategory]

98 also has some great conversation on this.

I think the TL;DR of all of this is, and the reason I won't give a crap about it anymore than I already have:

• it's a legit crypto project that picked random Github users for this "reward". They will be giving tokens that can some time later be traded by USD/EUR/whatev.
• their method to verify accounts is just shadily crappy at best, but hey decentralized networks bla bla I don't get crap about crypto, nor do I want to. Don't even know how they "randomly" added me to this list
• they just want mooore people to notice them. or this dude who sent the emails does

If you received this email or whatever and don't give a single **** about this project, go waste your time on something better, because hey, our time on this planet is always counting :)

[oliver-zehentleitner]

You can also generate proof using this page https://github.com/fluencelabs/dev-rewards/blob/main/web/index.html Looking at the JS code there I don't see anything suspicious.

It only asks you to run this command to generate proof:

echo "LS0tLS1CRUdJTiBBR0UgRU5...LQo=" | base64 --decode | age --decrypt --identity /path/to/ssh-key

which doesn't seem dangerous.

Is that your gut feeling or did you read and understand the code of “age”? As well as all the dependencies? There are so many supply chain attacks lately, way too insecure the whole thing.

[tdbe]

If you don't trust age you can use OpenSSL openssl rsautl -decrypt -inkey /path/to/ssh-key after you base64 decode. It's just a private key decrypt of a message; you can do it on your own terms.

The contents of the message, once you decrypt it, is a 0x private key (not related to your SSH key) they supplied to you, to sign your public eth address with.

[oliver-zehentleitner]

@tdbe Thank you! Can you explain why GitHub´s OAUTH is not used? What is the benefit of this process here?

[tdbe]

I explained just here above how I see this index.html works.

Why not Oauth2? There's info from them here. I don't quite get it, because github is just as centralized. But I guess their current solution (at least the index.html one that I checked) is self-contained and technically doesn't need any internet connection at all (after you fetch and trust the code).

[swarupbc]

Got the same scam email.

Hello, Swarup I'm writing in regards to your github profile. Fluence Network have been awarding their tokens to developers who have made commits to open source web3 repositories in 2023. According to my research, your GitHub profile is eligible to claim 2500 FLT tokens due to your web3 contributions.

As of the current market value, these tokens are approximately worth $625. Please, note that you can exchange them for Ethereum or USD in two months after claiming them. These tokens can be exchanged on any exchange platform.

For verification and to claim your tokens, you can visit Fluence's official Twitter profile: https://x.com/fluence_project/status/1775354001955151999 where they have posted the official claim link. Also you can find some instructions on their GitHub repo: fluencelabs/dev-rewards

If you do collect your tokens, it would be appreciated if you could share a percentage with me as a finder's fee. My Eth wallet address: 0x660330efbec5f00c3338692a2290c25cabd57ed9

Feel free to reach out to me on my social networks - telegram: @oxktk, twitter: @amawxz, primary email address: diletimaa@gmail.com

best regards Nicholas

Don't fall for it, it can be much more dengarous than you can even imagine.

[bfontaine]

Please refrain from commenting if it’s just to say "I got the same email"; you’re notifying 20 people for nothing.

[mszjar]

It worked for me lol, I don't think it's an scam, but I agree it looks like one.

I claimed the tokens, with the help of AI, I analyzed the script of FLT instructions script and it's only to check that you are the owner of your github repo.

Anyway, I agree it looks like an scam.