- A developer has shared his experience of losing funds from his MetaMask wallet after a fake job interview orchestrated through a LinkedIn recruitment scam
- The incident bears resemblance to the Ronin hack, where a similar LinkedIn recruitment trap led to a mass security breach
- So far, no attack vector has been identified
A Turkish developer has revealed how his MetaMask wallet was emptied following a fake job interview. Antalya-based blockchain and web developer Murat Çeliktepe shared his cautionary tale with Bleeping Computer, describing how he fell victim to the theft after he was approached by a “recruiter” on LinkedIn who posted a seemingly legitimate job opportunity on Upwork. The incident has echoes of the Ronin hack, which also started with an employee being duped in a LinkedIn recruitment trap.
Did Downloaded Code Lead to Loss?
Çeliktepe says that he was intrigued by a job listing offering $15-$20 per hour for fixing bugs and enhancing website responsiveness, and offered his services. The recruiter instructed him to download and debug code from two npm packages hosted on a GitHub repository as part of the supposed technical interview. As part of the assignment, Çeliktepe cloned the repositories and began debugging, a process not uncommon in legitimate tech interviews involving coding exercises or proof-of-concept assignments.
Following the technical task, Çeliktepe participated in a Google Meet session with the recruiter from LinkedIn, explaining his solution. However, a few hours later, he discovered that his MetaMask wallet had been drained, losing over $500 in the process.
Method of Attack Remains a Mystery
Çeliktepe took to social media to share his experience, expressing bewilderment at the exact mechanics of the attack and seeking community assistance to comprehend the situation. Despite the community’s response, including insights from concerned members and opportunistic crypto bots offering bogus MetaMask support, Çeliktepe told Bleeping Computer that he is still no closer to finding out how the hack was carried out, given that he did not store the MetaMask secret recovery phrase on his computer.
This revelation makes it all the more shocking that the attackers managed to breach his wallet even with access to his machine. One theory suggests that the npm projects effectively provided a means for attackers to deploy a reverse shell, potentially gaining access to Çeliktepe’s machine. The backend app “web3_nextjs_backend” did contain code supporting this theory, although independent confirmation of the attack vector is pending.
Echoes of $540 Million Ronin Hack
The incident is not isolated, with Bleeping Computer revealing that other developers have encountered similar incidents on LinkedIn. Perhaps the most famous example came in early 2022 when a Sky Mavis engineer received a LinkedIn message from a recruiter regarding a potential employee for the company.
This led to a CV being sent over, but the file contained a Trojan horse which, once opened, granted the sender unauthorized access to the engineer’s computer, which led to $540 million being stolen from the Ronin bridge that March.
The ‘recruiter’ was in fact a hacker for North Korean state-sponsored hacking group Lazarus, and the compromised connection allowed the hackers to breach Sky Mavis’s systems, leading to the monstrous theft.