Last week, my team and I embarked on an endeavor to seek out new opportunities in Web 3.0. We discovered its darker side as we drove deeper into this promising frontier. To our dismay, we were entangled not once, not twice, but eight times by the cleverly disguised traps of deceitful scammers. We faced this unfortunate reality because of our drive to explore Web 3.0 projects, a dimension many believe will mold the future of the internet.
Such is the irony of our story that we found ourselves targeted by these scam artists in the quest to contribute to a more transparent and decentralized future. We quickly realized that the hype around Web 3.0 was serving as a double-edged sword, exciting on the one hand while inviting malicious elements on the other.
This experience, frustrating as it was, inspired us to share our insights and provide guidance to others venturing into the world of Web 3.0. We hope to offer a comprehensive guide to identify potential scams and avoid the pitfalls we encountered.
This article serves not just as a cautionary tale but also as a roadmap to navigate the labyrinth of Web 3.0, helping you to decipher between genuine opportunities and clever ruses. Read on to learn how to protect yourself and prosper in this burgeoning landscape without falling victim to its hidden perils.
In a typical Web3 job interview, you may be asked to work on an example project. This might seem like a common practice to assess your skills, but it could also be a trap. The project you're given might contain hidden malicious code. For example, check this project's publications on the platform Upwork.
At the same time, you can use the AI tools available these days, such as GPT; for example, we go through a project with the chat and get this interesting analysis.
✦ The code is quite complicated and appears to be part of some sort of malware. Here's a general overview of what it does:
✦ It defines a set of functions and constants that work with string type objects and buffers.
✦ It seems to primarily work with file and directory manipulation, using Node.js's fs module. The operations include reading files, writing files, checking for the existence of files, and handling directories.
✦ It uses the request module to make HTTP requests, possibly to send or receive information. It uses the crypto module for data encryption and decryption.
✦ Some constants and functions work with strings in base64 format, which are decoded into UTF-8 text.
✦ There's a function that seems to be related to extracting locally stored passwords from various browsers, such as Google Chrome, Brave, and Opera. This is done by accessing the local configuration files of the browser and extracting the information.
✦ There's also code related to manipulating SQLite databases. Finally, it appears that this code connects with some kind of remote server, possibly to send collected information or receive instructions.
✦ Given this analysis, it seems that this code is part of a type of malware known as "info-stealer", which collects information from the infected system and sends it to an attacker. If you've found this code on your system, I would recommend that you perform a malware check and change all your passwords as soon as possible."
The interviewer might use a chat platform to send this example project without arousing suspicion. Let's not forget that even if the communication is happening through a reputable platform, the intentions behind it might be malicious.
The code requires various permissions as you work on this 'test' project. This might include access to your wallets, transactions, keychain, or other sensitive information. Such requests should raise alarm bells. No legitimate interviewer would need to gain access to such details.
Once you grant these permissions, it is assumed the malicious code in the project could access your keychain. The keychain, a password management system, contains all your passwords and cryptographic keys. In the wrong hands, this information can lead to catastrophic results, including losing access to your accounts or having your funds siphoned off.
Remember, vigilance is your best ally. Pay close attention to the following red flags:
Remember, it's always better to be safe than sorry. Don't hesitate to step back and reassess if something feels off during the interview or assessment process. Stay vigilant, stay safe, and let's continue to build a trustworthy and transparent Web3 environment.
Following are some best practices to protect yourself from falling victim to such scams:
If you suspect you're dealing with a scam, take the following steps:
In the following Github repositories, you will find some of the many cases we have experienced recently:
(we removed the direct links so our site is not flagged for phising, these repositories are hosted on github.com/)
As a result of these cases, we have come to the conclusion that the most effective way to contribute to the community is by raising awareness among other businesses and professionals. It is crucial for them to remain vigilant against these attacks.
Remember that internet safety guidelines still hold in the fascinating world of Web3. Always be wary of claims that seem too good to be true, and never divulge sensitive information without first researching. We hope this guide will enable you to travel the Web3 career path safely. Stay safe and prosper in the decentralized future!
If you find this topic interesting, below you can find other related and engaging articles to continue learning.