Key Insights
- The crypto industry remains open to all kinds of exploits, affecting companies and individuals alike.
- Most of the crypto job scams involve some kind of social engineering attack, indicating a huge security gap within the crypto space.
- Hackers pose as job seekers to attack companies, and as job providers to attack individuals.
- Companies should refrain from rushing the hiring process, and individuals must be wary of any “easy money” or unsolicited job offers.
The crypto industry is no stranger to hacks and scams. However, in the last decade, malicious actors have increasingly gone after crypto-affiliated companies.
These companies include exchanges and even staking or lending services.
One common attack method these hackers have increasingly used over the years is posing as job seekers.
They do this to infiltrate their target companies, where they then deploy social engineering tactics to gain unauthorized access and steal millions.
How the Scam Works
Imagine a crypto start-up looking for a senior developer. Soon after the position opens, a “perfect” candidate applies.
This candidate has an impeccable resume and a polished LinkedIn profile, and even aces the interview stage(s).
They appear to be exactly what the company is looking for, and are soon hired.
However, underneath it all, this “perfect” candidate is a hacker who isn’t interested in a paycheck at the end of the month.
They are instead interested in gaining unauthorized access to sensitive data and private keys.
Hackers who execute this scheme follow a fairly straightforward approach, as outlined below.
1. Reconnaissance
These malicious actors start by thoroughly researching their target companies.
They use LinkedIn, Twitter and other social platforms to identify the key decision makers in the company.
They also attempt to thoroughly understand the company’s tech stack and pinpoint possible ways of attack.
2. Crafting a Convincing Persona
As soon as these hackers are confident that they know the ins and outs, they create a fake identity with a professional online presence.
They fabricate work experience, generate realistic code samples, provide answers to questions on social forums or even contribute to GitHub repositories to appear credible.
3. Application Process
With all of this in the bag, they apply for open positions at their target company. They already possess the skills and technical knowledge needed to ace interviews, and proceed to do so.
4. Gaining Trust
Once they have been hired, the hacker doesn’t immediately get to work. They instead focus on building trust by being proactive. They volunteer for extra tasks and become a huge part of the company’s culture.
This helps them to gain deeper access to internal systems.
5. Infiltration
Once they have access to the company’s infrastructure, they start to explore vulnerabilities.
This process involves installing malware and searching for private keys. Some hackers even write extra smart contracts or set up backdoors for future attacks.
6. Exfiltration and Disappearance
Once all of the above has been put in place and the desired data is in hand, they simply steal millions of dollars and disappear.
By the time the company realizes that it has been hacked, it is often too late.
Real-World Examples
The interesting thing about this kind of exploit is that it seems to be highly favoured by the infamous North Korean state-sponsored Lazarus Group.
The Ronin Bridge Hack
This was one of the first examples of large-scale theft through social engineering that the crypto industry saw.
In this case, the Lazarus Group hackers contacted a senior engineer at Sky Mavis (the company behind Axie Infinity) via LinkedIn.

Soon after gaining the victim’s trust, they used a compromised employee account that they had procured beforehand to access the Ronin Bridge.
At the end of the day, they made off with a staggering $600 million in stolen assets.
The CrowdStrike Exploit
This attack started with a simple email, which was designed to mimic real communication from a CrowdStrike recruiter.
The email was sent to job applicants and directed them to a fake website, which directly mimicked the official CrowdStrike portal.

This fake website offered downloadable applications for both Windows and macOS, which installed the XMRig miner from GitHub on the victim’s computer.
Said malware then ran in the background, allowing the hackers to use a victim’s computer to secretly mine crypto without detection.
The “Easy Money” Trap
In another example, a person named Mark was contacted via WhatsApp at random.
The message’s sender claimed to be from a London-based digital marketing firm, and offered Mark around 1,000 USDT per week for performing “simple tasks”.
To earn this money, however, Mark had to create an account on a platform provided by the recruiter.
He was then asked to deposit 500 USDT as a “security deposit” for his first task.
Mark trusted the process and deposited the funds, and ended up being blocked by the platform soon after.
On top of that, the recruiter then demanded an additional 1,000 USDT to unlock his account.
Why Crypto is a Prime Target
The crypto industry is especially open to these kinds of attacks for many reasons.
One of these is the high value of crypto assets. Crypto is highly valuable and can easily be transferred.
This makes it an attractive target for hackers.
In addition, the crypto space is full of start-ups, which tend to rush the hiring process to keep up with demand.
Finally, unlike funds held in traditional banks, crypto funds are a lot harder to trace, which makes it more likely that the hackers get away with the stolen funds.
Overall, the increasing occurrence of job scams in the crypto space shows the value of vigilance.
Hackers are constantly refining their tactics, and social engineering remains one of the most popular means by which they scam and steal.
Because of this, companies and individuals must remain security conscious at all times.