Fake Web3 Recruiters Hide Malware in Interview Code

Get the Finance newsletter
Daily finance — markets, central banks, M&A, the prints that move money. Free.
- SlowMist reported that attackers are impersonating Web3 recruiters on LinkedIn to contact blockchain developers, then sending fake GitHub repositories disguised as minimum viable product 'test projects' for a technical interview.
- The malicious repositories mimic a legitimate developer hiring workflow — pulling code, installing dependencies, and launching a project — which makes the attack difficult for victims to notice, according to SlowMist.
- The malware deploys a full remote access trojan (RAT) that steals project keys, cloud credentials, and wallet extension data from compromised developer machines.
- SlowMist warned the campaign is "not an isolated case," noting attackers increasingly exploit recruitment, code reviews, and project collaborations to trick developers into actively running malicious repositories.
- The report followed a separate SlowMist warning issued the day before about a macOS malware campaign that steals credentials, hijacks Telegram sessions, and ultimately phishes wallet recovery phrases through fake websites.
- The article's lead image, labeled "Original OkoBot infection chain, Source: Kaspersky," references a parallel malware framework targeting crypto users identified by Kaspersky.
Why it matters: Web3 developers who clone and run unfamiliar code as part of job interviews now risk handing attackers their project keys, cloud credentials, and wallet data. Two separate SlowMist reports in one week — including a macOS credential-stealer that hijacks Telegram and phishes wallet seed phrases — show crypto-targeted malware is expanding from phishing into developer tooling and trusted platforms, raising the stakes for anyone building or holding digital assets.



