Murat Can YükselHello everyone, recently they tried to hack me, and I hope they were unsuccessful at doing so, but I'd like to share the scheme so that if you encounter a similar thing, you'll know what's going on. Follow me step by step and you'll see how some bad actors on a famous freelancing platform are trying to #hack #web3 #blockchain developers.
First things, they'll send an invite, looking for a blockchain developer. Everything seems quite normal and professional.
Then they'll send a github repo, or a project via google drive or whatsoever. The project seems legit at first glance.
They then ask you to open the project via npm start. But in order to do so, you'll have to solve a bug. One time it was a collision between package-lock.json and yarn.lock files and I was able to open the app by deleting the yarn.lock file. Still, do this point, I think everything seems to be kinda okay.
Then, they want you to send them a screenshot showing that you've opened the app. Now this is fishy, but still, I have to admit that I've done this 3 times lol.
Then they stop responding.
At the first 2 times, I just moved on thinking they've found another developer. But then, the 3rd one made a weird comment. They said, "just keep the app open and we'll discuss". Now, it was already the third time I was seeing a similar behavior so I thought okay this is weird, closed the app, and started doing the thing I should've done in the first place: Checking every single file in the project's repository.
After a brief investigation, I've found a weirdly looking file. That had a harmless name like utils.js or error.js or setup.js that had a quite unreadable code in it.
I will even go ahead and share the latest one I've been sent, just to name and shame, ATTENTION, DO NOT CLONE OR RUN THIS REPOSITORY, this is the malicious code => https://github.com/liamprodev/Hiring-Assessment/blob/main/helpers/error.js
As you can see, it is in helpers directory and is named error.js, but has nothing to do with error handling. It's quite difficult to read too. If you use https://beautifier.io/ or some other code formatter, you'll see something like this
It is ugly isn't it? Do you see how they even use base64 decoding to obfuscate the code. so instead of writing r=c(child_processes) they encode it and write r = c("Y2hpbGRfcHJvY2Vzcw"), making it harder to read. I've analyzed some other parts of it too, it's like, instead of returning x, they turn x into y+z*uu-15t or some other weird equation like that. It's quite difficult to follow what's going on there, but with the help of gpt4, I've managed to understand that it's an #expressjs #server that runs through file directory, creates files, and somehow looks for chrome wallet extensions. One of them was trying to get solana wallet, others, I'm still not sure. I think they're trying to drain the funds in the wallet.
Well, jokes on them because I only keep test coin in my #metamask wallet lol.
Now, when you read this article, maybe the github repo will be already deleted, because they do so. Even this one I've shared was in a different repo from the same account.
Now, what I think now, is that these are sold somewhere, possibly on the deep web (because why not?), and many scammers are trying to use the almost-alike hacking scripts to drain funds.
I was not careful, but lucky I guess. So, please be careful and do not trust anyone, gosh, #web3 is wilder than the old west.
