A new scam is gaining momentum in March 2025, and blockchain developers and project founders are especially at risk. With social engineering tactics becoming increasingly sophisticated, it's important to stay ahead of potential threats. This article outlines some of the most advanced and deceptive scams, particularly those targeting job seekers in Web3, and provides actionable steps to protect yourself. especially at risk 1. Job Offer Scams and Fake Recruiters 1. Job Offer Scams and Fake Recruiters Scammers impersonate recruiters or employees of well-known Web3 companies. They approach blockchain developers on LinkedIn or Telegram with flattering messages and high-paying job offers. The victim is invited to an "interview," but the scammers claim they use a "secure, in-house video conferencing tool" instead of Zoom or Google Meet. "secure, in-house video conferencing tool" Once the victim installs the software and joins the interview, their system is compromised, leading to the theft of wallet funds. The attack works by detecting and sweeping funds from hot wallets like MetaMask or Phantom. Once the victim installs the software and joins the interview, their system is compromised, leading to the theft of wallet funds. How to Protect Yourself: How to Protect Yourself: Never install software from an unknown source, even if it appears to come from a reputable company.
Verify recruiters by checking mutual connections, their work history, and whether they have genuine endorsements.
Use a separate, clean device for work-related communications, especially if you're dealing with crypto assets.
Keep your development machine air-gapped from any wallets holding significant funds. Never install software from an unknown source, even if it appears to come from a reputable company. Verify recruiters by checking mutual connections, their work history, and whether they have genuine endorsements. Use a separate, clean device for work-related communications, especially if you're dealing with crypto assets. Keep your development machine air-gapped from any wallets holding significant funds. 2. Fake GitHub Repositories and UI Scams 2. Fake GitHub Repositories and UI Scams A scammer contacts you with a request to audit or test a GitHub repository. They send a Bitbucket or GitHub link, claiming it's a work-related test or a proof of concept. Sounds legit, and many will not notice anything suspicious. And that would be a fatal mistake. Bitbucket or GitHub link The repository contains malicious code designed to extract private keys, inject malware, or execute wallet-draining scripts. contains malicious code designed to extract private keys The victim runs the provided script or opens a compromised user interface (UI) that requests private key access. How to Protect Yourself: How to Protect Yourself: Always inspect repositories thoroughly before running any code, especially scripts requiring execution privileges.
Use a sandboxed virtual machine or an isolated environment (e.g., Tails OS) when testing unverified code.
Check commit history and contributors — if a repo has no meaningful history or appears AI-generated, it's a red flag.
Never enter your private key or seed phrase into any website or application outside of a trusted wallet provider. Always inspect repositories thoroughly before running any code, especially scripts requiring execution privileges. Use a sandboxed virtual machine or an isolated environment (e.g., Tails OS) when testing unverified code. Check commit history and contributors — if a repo has no meaningful history or appears AI-generated, it's a red flag. Never enter your private key or seed phrase into any website or application outside of a trusted wallet provider. 3. Overpaid Job Offers with Unrealistic Salaries 3. Overpaid Job Offers with Unrealistic Salaries Scammers offer extremely high salaries (e.g., $150+ per hour or $250K+ yearly) for simple blockchain-related work. Bu there is a “small nuance”. They ask for personal information, including GitHub, CV, and even direct access to test repositories. direct access to test repositories Eventually, they request that you install their software, test a smart contract, or deploy a script — one that compromises your system. Eventually, they request that you install their software, test a smart contract, or deploy a script — one that compromises your system. How to Protect Yourself: How to Protect Yourself: Be skeptical of job offers with excessive salaries that seem too good to be true.
Validate companies by researching them on official sites, checking real employees, and cross-referencing with known Web3 security experts.
Avoid sending personal data or connecting wallets to unknown platforms before verifying legitimacy. Be skeptical of job offers with excessive salaries that seem too good to be true. Validate companies by researching them on official sites, checking real employees, and cross-referencing with known Web3 security experts. Avoid sending personal data or connecting wallets to unknown platforms before verifying legitimacy. 4. Fake Zoom, Google Meet, and Chat Applications 4. Fake Zoom, Google Meet, and Chat Applications Scammers claim that for "security reasons," they use a proprietary meeting tool instead of known platforms. They send a link that looks like Zoom, Google Meet, or Telegram but is actually a phishing site. link that looks like Zoom, Google Meet, or Telegram When opened, the malicious site installs a script that either extracts browser-stored private keys or deploys clipboard hijackers. the malicious site installs a script that either extracts browser-stored private keys or deploys clipboard hijackers. How to Protect Yourself: How to Protect Yourself: Always check URLs carefully — phishing domains often contain small typos or extra characters.
Use browser security extensions that detect fake domains.
Run crypto-related communications in a separate, hardened browser profile (e.g., Brave with strict security settings).
Never download standalone meeting software unless it’s from a verified, official source. Always check URLs carefully — phishing domains often contain small typos or extra characters. Use browser security extensions that detect fake domains. Run crypto-related communications in a separate, hardened browser profile (e.g., Brave with strict security settings). Never download standalone meeting software unless it’s from a verified, official source. 5. Social Engineering and Psychological Manipulation 5. Social Engineering and Psychological Manipulation Attackers build "legit-looking" LinkedIn profiles with fake endorsements and AI-generated backgrounds. They engage in friendly, long-term social engineering before making their move. "legit-looking" LinkedIn profiles If a victim refuses one scam, they may attempt a different angle — fake token sales, job offers, or investment opportunities. fake token sales, job offers, or investment opportunities. How to Protect Yourself: How to Protect Yourself: Cross-check profiles using multiple sources. If someone’s work history lacks depth, it's likely fake.
Be cautious of unsolicited offers and overly eager recruiters.
Never let social pressure rush you into downloading files or clicking on unknown links. Cross-check profiles using multiple sources. If someone’s work history lacks depth, it's likely fake. Be cautious of unsolicited offers and overly eager recruiters. Never let social pressure rush you into downloading files or clicking on unknown links. Final Thoughts: Stay Vigilant, Stay Secure Final Thoughts: Stay Vigilant, Stay Secure As blockchain developers and founders, you're a prime target for scammers due to the nature of your work and access to valuable assets. Implementing strict security measures — such as hardware wallets, separate work environments, and in-depth verification processes — will drastically reduce your risk of falling victim to these scams. Key Takeaways: Key Takeaways: Always verify recruiters and job offers before engaging.
Use sandboxed environments for testing third-party code.
Never install unknown meeting software or click suspicious links.
Keep personal and professional crypto wallets separate.
Treat unsolicited, high-paying offers with extreme skepticism. Always verify recruiters and job offers before engaging. Use sandboxed environments for testing third-party code. Never install unknown meeting software or click suspicious links. Keep personal and professional crypto wallets separate. Treat unsolicited, high-paying offers with extreme skepticism. If you come across new scams or need further insights, share your experiences — awareness is our best defense. If you come across new scams or need further insights, share your experiences — awareness is our best defense.

GitHub

Google

Hackers and Scammers Target Blockchain Developers and Founders. How to Protect Yourself?

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Can USDT Survive EU Regulations?

10 Common DeFi Scams and How to Avoid Them

4 Common Crypto Scams and How to Detect Them

5 Ways to Protect Yourself From Getting Scammed in the Crypto World

6 Common Crypto Scams to AVOID in 2022

A Crypto Security Checklist for Every User

Can USDT Survive EU Regulations?

10 Common DeFi Scams and How to Avoid Them

4 Common Crypto Scams and How to Detect Them

5 Ways to Protect Yourself From Getting Scammed in the Crypto World

6 Common Crypto Scams to AVOID in 2022

A Crypto Security Checklist for Every User

Light-Mode

Classic

Newspaper

Minty

Dark-Mode

Neon Noir

Minty

HN StartUps