How is this a scam?

So this just happened. Is this a scam? And if it is, then how exactly does this work?

His profile and friends seem super legit.

Earlier this year, I had a similar guy contact me. He needed help with his NFT marketplace - he wanted to add 3D model support there. So we discussed some features for 2 days, then he sent me a GitLab repo and asked me to implement a test feature (to show that I’m capable). He didn’t even ask to commit - just record a video of it working. I checked the repo for any kind of malware very carefully, and it was clean.
So anyway, I did what he asked for, sent him the video. And that’s it. He went silent. And after a week, I noticed that the chat disappeared with all message history.

Do any of you guys have a clue what’s happening? Btw I still have that repo saved locally, should I post it?

The f does chess need blockchain for?

Slate said:
The f does chess need blockchain for?

Hint: it doesn’t.

Devi said:

Slate said:
The f does chess need blockchain for?

Hint: it doesn’t.

So you can have a ledger of your moves and mint NFT from your plays. 'tis the future man.

Slate said:
The f does chess need blockchain for?

For betting is all I can think of.

They send you a “test” repo that tries to steal your private keys from the local environment. It’s usually in the frontend part of the minified “build.” Antivirus doesn’t pick it up because you’ve allowed permissions.

Sending you a video means proof that you’ve run the repo and if there were no private keys extracted they just ghost you and move to the next.

They phish/take over legit, established accounts, so you don’t suspect anything, other than the experience of the person contacting you a bit off - they don’t look like they would run crypto projects.

@Weston
This.
But damn, this is so fucking scary.
They could even download my .txt file with all the passwords.

Tate said:
@Weston
This.
But damn, this is so fucking scary.
They could even download my .txt file with all the passwords.

But you did call it private.txt so they wouldn’t think of looking there, didn’t you?

Nasty scam.

@Nile
.notpasswords actually

Terry said:
@Nile
.notpasswords actually

Ah, that Linux experience paying off there.

Tate said:
@Weston
This.
But damn, this is so fucking scary.
They could even download my .txt file with all the passwords.

Just take a screenshot of the contents and put it as a background. Much safer.

Tate said:
@Weston
This.
But damn, this is so fucking scary.
They could even download my .txt file with all the passwords.

So you ran his code??

Maxwell said:

Tate said:
@Weston
This.
But damn, this is so fucking scary.
They could even download my .txt file with all the passwords.

So you ran his code??

Yep. It was a React app…

But my only hope is that I was in China back then, and the Great China Firewall could block those requests that were supposed to send my keys to his server.

@Jay
Well presumably OP has the source code if they ran a React app locally…

And they are a developer so can understand it.

Just read the source code and see what it’s doing - i.e. what happens when you `npm run dev` or whatever. Does it run any compiled native code?

Are there any pre-commit hooks? Etc
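An added example (not code from this thread or from anyone in it): a small Python triage script that does the first pass of the review suggested above on a cloned repo before anything is installed. It lists npm lifecycle scripts that run automatically on `npm install`, scripts containing download-and-run or eval-style fragments, git and husky hooks, compiled `.node` addons, and JavaScript files with lines too long to review by eye. The `build_sample_repo` helper and the file names it creates are constructed for the demonstration; the thresholds and token list are assumptions to tune.

```python
import json, pathlib, tempfile

# npm runs these automatically during `npm install`, before anyone reads the code.
LIFECYCLE = {"preinstall", "install", "postinstall", "prepare", "prepublish"}
# Script fragments worth a manual look: download-and-run, inline eval, encoded blobs (assumed list).
SUSPECT_TOKENS = ("curl ", "wget ", "node -e", "base64", "eval(", "child_process")

def audit_repo(root):
    """Return (relative path, reason) findings for a cloned repo; node_modules is skipped."""
    root = pathlib.Path(root)
    findings = []
    for f in root.rglob("*"):
        if "node_modules" in f.parts or not f.is_file():
            continue
        rel = str(f.relative_to(root))
        if f.name == "package.json":
            try:
                scripts = json.loads(f.read_text()).get("scripts", {})
            except (json.JSONDecodeError, UnicodeDecodeError):
                findings.append((rel, "unparseable package.json"))
                continue
            for name, cmd in scripts.items():
                if name in LIFECYCLE:
                    findings.append((rel, f"lifecycle script '{name}' runs on install: {cmd}"))
                if any(tok in cmd for tok in SUSPECT_TOKENS):
                    findings.append((rel, f"script '{name}' has suspicious token: {cmd}"))
        # Git hooks run on commit/checkout; .husky hooks get installed by a 'prepare' script.
        elif (".husky" in f.parts or (".git" in f.parts and "hooks" in f.parts)) \
                and not f.name.endswith(".sample"):
            findings.append((rel, "git hook present"))
        elif f.suffix == ".node":
            findings.append((rel, "compiled native addon"))
        elif f.suffix == ".js":
            # Very long lines mean minified or obfuscated code you cannot review by eye.
            longest = max((len(l) for l in f.read_text(errors="ignore").splitlines()), default=0)
            if longest > 1000:
                findings.append((rel, f"minified/obfuscated JS (line length {longest})"))
    return findings

def build_sample_repo():
    """Constructed sample repo (not from the thread) with one of each red flag."""
    root = pathlib.Path(tempfile.mkdtemp())
    (root / "package.json").write_text(json.dumps({"scripts": {
        "dev": "vite", "postinstall": "node -e \"require('./setup')\""}}))
    (root / ".husky").mkdir()
    (root / ".husky" / "pre-commit").write_text("#!/bin/sh\nnpm test\n")
    (root / "build").mkdir()
    (root / "build" / "main.min.js").write_text("var a=" + "0," * 600 + "0;")
    return root
```

Run `audit_repo("/path/to/clone")` on the real checkout; a finding is a place to read, not a verdict, and a clean report does not replace running the code in an isolated container as others in the thread suggest.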

Jumping immediately to that is a little overboard. Sure, it’s likely but far from certain.

That is the most careful thing to do if you don’t have the ability to discern what the scope of the problem is, but OP does.

@Finlo
Do you have any idea how much code is there to read when installing anything in node?

Tate said:
@Weston
This.
But damn, this is so fucking scary.
They could even download my .txt file with all the passwords.

This is why you always do all coding in Docker, not on your physical computer. Always.

@Weston
Ahhh that’s what it was! Had a person contact me on LinkedIn and make an offer. Arranged a video call with them, they asked me to take a look at their repo beforehand. They didn’t show up to the call and ceased to respond. The next morning, their LinkedIn account was deleted, along with all the correspondence between us.

Too bad for them that I don’t work for free and won’t clone or touch any of your code until we have a contract. Also, only run the code inside of isolated Docker containers.

@Weston
>the experience of the person contacting you a bit off - they don’t look like they would run crypto projects.

In my case, it was the opposite: the guy kept telling me he doesn’t know how to code and is not familiar with all that tech stuff… But I got the vibe that he could easily build that project by himself.

@Weston
And he knows you’re into crypto so the program will likely find keys.

@Weston
Out of curiosity: how would a minified build (presumably ran in the browser) gain access to the victim’s filesystem?