back

Known Scams

Threat intelligence database. Lazarus Group / DPRK targeting developers.

17 accounts30 repos34 profiles

Scammer GitHub Accounts

0x66eth
0xtuneTF7
MetaBuilderGroup76
SuperDev313
goldencity5019
webdev771
DoNotCare745
goldy1113
sebastian4098
eduales99
vadym110
vitalii-nesenenko
Hiring-Support
momo-token
pietroETH
trevor9312
saadfrhan

Fake LinkedIn Recruiters

Identities stolen by scammers. Real people are not responsible.

Andressa SantiagoverifiedValentine GiroudeverifiedArnas GolubeckasverifiedVictoria HughesverifiedRaymundo CurielverifiedPatrick TolanverifiedElias CaballeroverifiedGabriel JaraverifiedKrunal SolankiverifiedAli MoghaddamverifiedMaksym TsilenkoverifiedFrancis JacquetverifiedRoman LiakhovychverifiedVitoria Danielle FrancaverifiedMartina Gehrken TrappeverifiedBrian PattersonverifiedJoe CarlinoverifiedMark LarisverifiedKathleen Anays Lewis BarriosverifiedAdam MajorosverifiedAlia MilanoSilas MonteiroLucas Sousa SantosBarbara Isa FerreiraJohn MeltzerJulia ValimLaura RottaDaniel Joseph HolyheadMarianne TotterdellTrevor GreerOleksandr BershedaNaeem MuntasirJerry MillerBill Tinys

Malicious Repositories

DEX-staking-project-ultrax
preserved
challenge-experiment-module
preserved
coinpool-rental-platform1.0
preserved
erc20-token-dapp
preserved
golden-city
preserved
multify_staking
preserved
munity-game
preserved
real-estate-rental-platform
preserved
real_estate
preserved
real_estate_new
preserved
sarostech-assessment
preserved
trend-dev-preproduction
preserved
web3game
preserved
Peiko-Platform-MVP
Trading_Platform_Ultrax
goldencity
gamestakeverse
UltraX-DEX
dex-staking-platform
web3_nextjs
web3_nextjs_backend
web3-coin-flip-game
fullstack-nextjs-marketplace
express-server
Defi-Exchange-Test
landing-web-app
felina
ctrading
demo_race
metaverse-contract

Fake Interview Platforms

Impersonating Willo and others to install malware as “camera drivers”.

willointerview.comwilloassess.netwilloassess.comwilloassessment.comwillohiring.comwillotalent.prowillotalents.orgwillotalantes.comwillorecruit.comwillocandidate.comwillo-interview.uswillohiringtalent.orgwtalents.uscrypto-assessment.comblockchain-assess.comhiringinterview.orghiringtalent.prointerviewnest.orgvideoscreening.orgfundcandidates.comvideohirepro.com

C2 / Exfiltration Domains

Command-and-control servers where stolen data is sent.

npoint.iopastebin.comrequestbin.netwebhook.sitepipedream.nethookbin.comw3capi.marketingmglcoin.ioflickthebean.onrender.comnvidia-release.orgnvidia-release.uscamera-drive.cloudnvidia-drive.cloudjz-aws.infochainlink-api-v3.comip-api-test.vercel.appvscode-config-settings.vercel.appvscode-load-two.vercel.appvscode-settings-bootstrap.vercel.appvscodesettingtask.vercel.appapi-web3-auth.vercel.appcoredeal2.vercel.app

How the Scam Works

1

Recruiter contacts you on LinkedIn

Fake recruiter with attractive crypto/Web3 job. Profile looks legit. Sometimes deepfake video — ask them to blink.

2

Sends a "technical assessment"

GitHub/Bitbucket repo to complete. Uses Google Docs or Notion pages to appear legitimate.

3

Victim runs npm install

Malicious preinstall/postinstall scripts, poisoned configs, or .vscode/tasks.json that auto-runs on folder open.

4

BeaverTail + InvisibleFerret

BeaverTail steals browser creds & wallets. InvisibleFerret installs persistent backdoor. Attribution: Lazarus Group / DPRK.

Attribution & Sources

Lazarus Group / BlueNoroff / APT38 (DPRK state-sponsored). Campaigns: Contagious Interview, Dangerous Password. Connected to billion-dollar crypto thefts.

rubenmarcus/malicious-repositoriestayvano/lazarus-bluenoroff-research

Report a Scam

Found a malicious repo or scammer? Contribute to the open-source database.

CONTRIBUTE