crypto wallets got drained by a fake coding interview

[Emjay24]

Hello folks, saw this while scrolling on LinkedIn and it made sense to share as an awareness to web3 developers in the forum. It is a story of someone whose wallets got drained having attended an interview of which he was given a take home for a smart contract engineering role.
Although actually the guy in question would've avoided his wallet drained if he used a separate device to hold his coins or used hardware wallet, but there could be more exploits that would be achieved with these kind of injections, including data vulnerability, so I brought it here for devs to learn from his experience.

Another takeaway from this is to treat any interview file as Hostile until proved otherwise, scammers are now seriously posing as genuine recruiters to steal from skilled techies.

The bait

In April 2026, a "recruiter" sent me a take-home for a smart-contract engineer role. The repo was a Truffle project — a port of the real Ethex Lottery contracts, complete with a polished README, a license, a VERSIONING.md, plausible Instructions.md, and a candidate brief: "Implement dynamic house edge in EthexLoto, make the candidate tests pass." It even said "Keep Solidity version 0.5.10" — the kind of detail a real assessment would specify.

get the full story here

[Hatchy]

It's a good lesson for many people to learn from. Not just the idea of inputting unknown data or files to your devices, but the main lesson here is to avoid using your storage devices for your regular activities. I kind of notice that the web3 folks are more careless with how they store their coins. You should always keep your coins offline and avoid exposing them to the internet or any devices that you connect regularly to the internet. I've seen alot of similar stories and it's usually same thing every time. I wonder why they never learn. Even if we know that no one is above mistakes, but these are little things that could be avoided if you just do what is right. You should always see that your coins are stored offline..

[Charles-Tim]

Is it online? If it is online interview, the attack is no more new. K hope people can read this and know that not all job offer online and recruitment are true. They person that you think wants to give your a job or work may be a very bad actor. This scam has been common since 2024 or maybe before that time. It may not necessarily be a malware, they might tell you to pay them money instead. Someone has tried the later one with me before through a call, but he failed.

[Catenaccio]

Hello folks, saw this while scrolling on LinkedIn and it made sense to share as an awareness to web3 developers in the forum. It is a story of someone whose wallets got drained having attended an interview of which he was given a take home for a smart contract engineering role.
Although actually the guy in question would've avoided his wallet drained if he used a separate device to hold his coins or used hardware wallet, but there could be more exploits that would be achieved with these kind of injections, including data vulnerability, so I brought it here for devs to learn from his experience.

Wallets must be separated as hot wallets and cold wallets. Hot wallets can be stored in your phones, desktop computers or laptops and funds in hot wallets should be your small funds only.

The advice is storing your main funds in cold wallets, in either hardware wallets or air gapped devices, so there will be no online threats to hack your wallets and get your main funds there.

Not only this, there are more scam types and people need to learn for avoiding other scams.
The cryptocurrency scambook.
Cryptocurrency security checklist.

[planingkoala]

That’s exactly why I now treat interview repos as if they were someone else’s USB sticks. So definitely don’t open them on your main device – certainly not with an open wallet alongside them – and keep your private keys well out of reach. The coding test project is harmless right now – until it isn’t.

[PrivacyG]

One of the first rules of keeping your computer safe from malware is never opening unknown files.  Another rule is that you never keep sensitive information on the same device you would open unknown files on.

It is pretty much basic security advice.  They did not follow any.  Go with a chunky wallet on you in the middle of the worst ghettos in the World and be shocked when it gets stolen.  It sounds stupid.

[Pablo-wood]

I have learnt something unique today. Never trust recruitment companies with interviews tasks completely. It's even more weird to discover the hid the malware in a file that won't seem suspicious. Naming it helpers/MineHelper.js file won't attract suspicions at all until one becomes a complete victim.

[promise444c5]

Not limited to only web3 developers.. It cut across all sectors now, if they are not after your wallet , they are after your important files on your device, if not that then they are also after monitoring some/entire activities on your device. The hunt is getting really scary but still , the rules to stay clean still works and can save you from losing so much beyond just money.

Hence, don’t assume your device are fine, always run thorough check and don’t ever trust it to be clean when you do all sorts.. on it .

I have a lot of web3 friends, they all act dumb when it comes to security despite being smart .. they prefer the convenient route until it turns to a disaster..

[PostQuantumBTC]

One of the first rules of keeping your computer safe from malware is never opening unknown files.  Another rule is that you never keep sensitive information on the same device you would open unknown files on.

This is a very good rule that many people do not know, all they know is that they are using devices to go online. They download any files and they do not know anything until their devices are hacked. You know they will think they have seen an opportunity, not knowing it is a trap.

Not limited to only web3 developers..

This is an old scam that has been existing even before the existence of the web3.

[salad daging]

Is it online? If it is online interview, the attack is no more new. K hope people can read this and know that not all job offer online and recruitment are true. They person that you think wants to give your a job or work may be a very bad actor. This scam has been common since 2024 or maybe before that time. It may not necessarily be a malware, they might tell you to pay them money instead. Someone has tried the later one with me before through a call, but he failed.

Possibly online, because most cases like this interview via google zoom with zoom links are sometimes infected leading to malware.

Now, the recruiters always look professional in carrying out their duties, so it's like it's real and not just a scam, so many believe that online recruitment offers are often tempting to accept.

I often find offers like this mostly on Telegram, and ignore more than respond because I don't know them at all.

[sunsilk]

There are many scams interview everywhere. So just be careful and always verify the companies if they're legit or the interview and the process is part of the official company.

They'll make you sign those forms online that shall get some of the details and when on the next process of being technical, they'll want you to download some software.

And that's already a red flag if you see one and that's important to always verify.

[rat03gopoh]

This is yet another hacking story for advanced users. I wonder why even back-end developers, who should have realized from the start that their jobs involve running and testing foreign code on their devices, don't create isolated wallets? Is practicing crypto security standards really that complicated?

[KingsDen]

It doesn't cost much to have a backup device or a few of it. One specifically for joining and hosting meetings, scrolling social media and more. While the other will be for work and important files , possibly another device for crypto related stuffs.

I will actually not be comfortable granting camera, microphone and other permissions in a system that is holding my bitcoin. So, this is a great lesson than encourages separation of devices.

Scammers are becoming very smart. As we keep mastering their antics, they keep deploying new tactics even with the help of AI.

[Karl_3000]

It doesn't cost much to have a backup device or a few of it. One specifically for joining and hosting meetings, scrolling social media and more. While the other will be for work and important files , possibly another device for crypto related stuffs.

I will actually not be comfortable granting camera, microphone and other permissions in a system that is holding my bitcoin. So, this is a great lesson than encourages separation of devices.

Scammers are becoming very smart. As we keep mastering their antics, they keep deploying new tactics even with the help of AI.

This is not that scammers are becoming smart, they are smart but I mean that this is not a scam that is new but people are the ones that do not want to read about avoiding scammers and hackers which is the reason they are becoming victims. It is also very simple to know that people should have at least two devices. Cold wallet is very important if you are hodling high amount of bitcoin.

[bitbollo]

This is also a good reason to keep work and device physically separeted and to use some solutions like sandbox or VM for testing any suspicious activity.-
I have seen the similar issue also with others "interviews" not only related experts with coding
Personally I am just avoiding to download/click any link provided by a third party not trusted or just unknown.
As pharmaceutical expert I have never deal with this kind of issues, it is evident there is a specific target in people dealing with crypto.

[joniboini]

that do not want to read about avoiding scammers and hackers which is the reason they are becoming victims.

I honestly find it hard to believe that someone who knows about solidity and whatnot doesn't know that crypto developers, or developers in general, are being targeted with malware attacks through fake interviews and whatnot. I guess if you never participate in any form of social media or forums like this one then the news won't actively comes to you, but if your social media has info about your connections I'd assume the algorithm will at least show you the biggest news related to the industry. I don't know, I left most social media long ago.

[DubemIfedigbo001]

Not limited to only web3 developers..

This is an old scam that has been existing even before the existence of the web3.

I can agree that the pattern is old, but this current attack is modernised just like scammers do, update their techniques. What I used to know of is taking over your computer during those live interviews, but hiding the exploit in one of the dependent files for a take home you cloned from Github and trigger when you launch the project locally is really something new and upgraded, so this injections doesn't need you to be online before self-executing, it can get triggered even when you're offline and long as the project is running and take over your PC silently.

I think Copilot can be of great help here in this case, I've been using it but I think I just learned a new use case for it today, scan the whole project environment for malicious codes even before trying to run the project on your device.

[tech30338]

When you are going to do things that is unsure always use a clean devices, if you really want to study it, clean i mean things that will not affect your software or application, when im going to test something i always do it on a fresh install V-machine, because when i was young i always make my computer infected with virus, when i started to learn, i realized there is another way so i did and never experience it again, but even though what you are doing never get too confident, because just like everyone said, this attacks are always upgrading, or being updated so that it will fit to the current systems, or can do bypass things.

[NotATether]

Who is even using LinkedIn anymore?

I'm surprised it hasn't been killed by ChatGPT yet.