A LinkedIn message arrives. A crypto unicorn you’ve heard of needs a senior developer. Remote. A high salary, sometimes $16,000 to $44,000 a month based on documented cases, sometimes much more in the most elaborate versions. The interview goes well. You’re clearly the right fit. Then, minutes before the final Zoom, the recruiter asks you to install a “verification tool.” Just a formality, they say.
That’s the last moment before everything goes wrong.
This is the scenario blockchain advisor Anndy Lian described on X this weekend, and Binance Co-Founder Changpeng “CZ” Zhao engaged with the post and replied with a warning of his own: “you would be surprised how many people fall for ‘crypto interview hacking’ like this. Seen a few in my times already.” The thread that followed has become one of the most-shared security warnings in the crypto industry this year — because the attack it describes has just had its biggest year on record.
$17 billion stolen, and one category grew 1,400%
The Chainalysis 2026 Crypto Crime Report puts global crypto scam and fraud losses at $17 billion for 2025, a new record. Inside that number, one category stands out: impersonation-style attacks — the bucket that includes fake recruiter scams — grew 1,400% year-over-year, with the average payment per scam jumping from $782 in 2024 to $2,764 in 2025, a 253% increase.

Artificial intelligence is the multiplier. Chainalysis found that scams with demonstrable links to AI tools, such as deepfake software, face-swap technology, and large language models, extract an average of $3.2 million per operation, compared to $719,000 for non-AI-enabled scams. That’s 4.5 times more revenue per attack. More striking still: 76% of AI-enabled scams fall into the highest-value loss category, per Chainalysis. The AI-enabled operations also showed a median daily intake of $4,838 versus $518 for non-AI scams, and roughly 9x the daily transaction volume.
And it’s not limited to crypto-native targets. A Norton survey of U.S. adults found that 33% of respondents have encountered a suspicious job posting or fake recruiter; nearly 1 in 4 of those (23%) became victims; 90% of victims reported losing money; the average loss was around $8,900. Gen Z respondents were more than twice as likely as Baby Boomers to encounter job scams (44% vs. 21%).
Inside the four-stage attack
The pattern is consistent across documented cases — from MetaMask’s security advisory on crypto job scams to the near-misses crypto users have shared on X this weekend.
Stage 1 — The approach
An unsolicited DM arrives on LinkedIn, Telegram, or X from someone claiming to represent a recognized Web3 project or a newly launched protocol. The role is ideal: high salary, flexible hours, and meaningful work. The recruiter has a LinkedIn profile with a plausible career history. The company has a website, sometimes even Glassdoor-style reviews.
Stage 2 — The process
The interview proceeds professionally. Multiple rounds. A take-home task. The scammer builds rapport, mirrors your enthusiasm, and creates the impression of a busy, legitimate hiring team. Some operations spend weeks on this stage to make the final ask feel earned. The Lazarus Group’s six-month campaign against crypto payments firm CoinsPaid in 2023 is the canonical example: months of fake recruiter exchanges, salary offers of $16,000 to $30,000 per month under the pretense of a Crypto.com hire, before the engineer was finally compromised.
Stage 3 — The pivot
Just before a final call or offer letter, the request comes: install a proprietary meeting platform, clone a GitHub repository to complete a technical test, or download a verification tool to confirm identity before onboarding. The request feels procedural — and that is exactly the point.
Stage 4 — The drain
The software executes malware — most commonly strains like Redline, Realst, Atomic/AMOS, or Stealc, according to MetaMask’s analysis. Within seconds, the malware sweeps the device for crypto wallet keys, browser sessions, stored passwords, and seed phrases. Assets move out before the victim closes the browser tab. The recruiter vanishes. The company never existed.
If you suspect you’ve installed malware during a hiring process, MetaMask’s advice is to disconnect from the internet immediately, power down the device, and use a separate clean device to move any remaining assets out of compromised wallets — highest-value assets first.
Why Web3 is the perfect hunting ground
Several features of the crypto industry create unusually fertile ground for this attack:
- Remote work is the default. A request to do everything online doesn’t raise flags.
- Compensation is high and often paid in crypto. Job seekers expect non-standard processes.
- Teams are often pseudonymous. It is normal not to know your colleagues’ real names. Verification is harder.
- Companies launch and fold quickly. A brand-new protocol with no track record is not unusual — it’s most of the market.
- The target profile is high-value. Developers and crypto-native job seekers are the most likely to have wallets, accumulated assets, and the technical context that makes a malicious repo look like a normal screening task.
That last point is not accidental. It is the target profile.
State actors are using the same playbook
The most consequential users of the fake-job attack are not opportunists. They are organized threat groups, sometimes state-backed.
In early 2025, a Russian-speaking group called “Crazy Evil” — through a subgroup dubbed “Kevland” — used a fake blockchain company called ChainSeeker.io to post premium Web3 job listings on LinkedIn, WellFound, and CryptoJobsList. Victims were directed to a “Chief Marketing Officer” on Telegram who instructed them to install a fake video-meeting app called “GrassCall” from the malicious domain grass[.]net. The app deployed AMOS (Atomic macOS Stealer) on Mac devices and Rhadamanthys RAT plus infostealers on Windows machines. Hundreds of people were affected.
By mid-year, North Korean operators had moved to Python-based malware (PylangGhost) hidden inside fake job applications, specifically targeting India-based blockchain developers through fake skill-testing websites mimicking legitimate company assessment platforms.
Per security researchers, North Korean groups including Lazarus have used fake job offers and fictitious LinkedIn personas as the entry point for some of the largest crypto thefts ever recorded:
- The Ronin Bridge hack (March 2022, ~$620 million) — a senior engineer at Sky Mavis (the developer of Axie Infinity) was duped into applying for a fake job at a company that did not exist. The Lazarus operation used malware-laden documents during the interview process to compromise his system and ultimately access enough validator keys to drain the bridge.
- The CoinsPaid hack (July 2023, $37 million) — a six-month campaign of fake job offers targeting CoinsPaid engineers, with the successful compromise based on a fake Crypto.com recruitment process.
- The Drift Protocol hack (early 2026, ~$286 million) — per April 2026 retrospectives, the Lazarus Group spent six months infiltrating Drift, including in-person conference meetings across multiple countries and a $1 million deposit of real capital to build trust, before draining $286 million in a 12-minute operation. This is the most recent large-scale case of the fake-job-to-protocol-drain pattern.
Cumulative Lazarus Group crypto thefts now exceed $3.4 billion since 2007, with the February 2025 Bybit hack ($1.5 billion) and the Drift drain among the largest single-incident totals.
The job offer is rarely the prize. It is the foot in the door.
How to protect yourself
The community consensus, amplified by CZ’s comments and the wave of responses on X this weekend, points to a small number of rules. None of them are technical.
Treat these as immediate red flags:
- An unsolicited DM with a high salary offer for a remote Web3 role
- Any request to install software, clone a repo, or run code as part of an interview
- A recruiter who creates time pressure: “final call in 30 minutes,” “start date is Monday”
- A company profile with little verifiable online history
- Communication shifting from official channels to Telegram or Discord DMs early in the process
- The conversation ending abruptly when you ask to verify the company through official channels
Treat these as your defensive baseline:
- Pursue opportunities only through official channels. Verified job boards, official company career pages, recruiters whose identity you can confirm independently.
- Never install software or run code provided by a recruiter. This is the single most important rule. No legitimate company will require this during interviews.
- Use a clean device or sandboxed environment for any technical task you cannot otherwise avoid. Hardware wallets should be on a different device entirely.
- Verify the recruiter on multiple channels. LinkedIn alone is not enough. Confirm their identity against the company’s website, team page, and at least one independent source.
- Treat urgency as a red flag, not a feature. Real companies move at company speed. Scams move at scam speed.
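The rules above are procedural, but for the take-home repository "you cannot otherwise avoid" it helps to know what the clone would run by itself before anything is opened or installed. The following Python script is an added example, not code from the article or from MetaMask's advisory: it reads a cloned repo without executing anything and lists three common auto-run points (npm lifecycle scripts, VS Code folder-open tasks, and `setup.py`). The article does not name the mechanism these repos use, so the choice of checks, the function names and the sample repo are assumptions constructed here.

```python
import json
import tempfile
from pathlib import Path

# Scripts that npm runs on its own during `npm install`.
NPM_AUTORUN = ("preinstall", "install", "postinstall", "prepare")

def audit_repo(root):
    """List (path, finding) pairs for code that would run without being invoked."""
    root, findings = Path(root), []
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root)
        if not path.is_file() or ".git" in rel.parts:
            continue
        is_tasks = path.name == "tasks.json" and path.parent.name == ".vscode"
        if path.name == "setup.py":
            findings.append((rel.as_posix(), "runs during pip install"))
        if path.name != "package.json" and not is_tasks:
            continue
        try:
            data = json.loads(path.read_text(encoding="utf-8"))
            if is_tasks:  # VS Code can start a task as soon as the folder is opened
                hits = [f"runs on folder open: {t.get('command')}" for t in data.get("tasks", [])
                        if t.get("runOptions", {}).get("runOn") == "folderOpen"]
            else:
                scripts = data.get("scripts", {})
                hits = [f"npm {h}: {scripts[h]}" for h in NPM_AUTORUN if h in scripts]
        except (ValueError, TypeError, AttributeError):  # e.g. comments in tasks.json
            hits = ["unparseable or unexpected shape, read by hand"]
        findings += [(rel.as_posix(), h) for h in hits]
    return findings

def build_sample_repo(root):
    """Constructed take-home repo used as sample input (not from any real case)."""
    root = Path(root)
    (root / ".vscode").mkdir(parents=True)
    (root / "package.json").write_text(json.dumps(
        {"name": "takehome-task", "scripts": {"test": "jest", "postinstall": "node scripts/setup.js"}}))
    (root / ".vscode" / "tasks.json").write_text(json.dumps({"version": "2.0.0", "tasks": [
        {"label": "env", "type": "shell", "command": "node scripts/setup.js",
         "runOptions": {"runOn": "folderOpen"}}]}))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(*audit_repo(build_sample_repo(tmp)), sep="\n")
```

An empty result only means these three auto-run points are absent, not that the repository is safe to run, so the clean-device and separate-hardware-wallet rules still apply.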
The bigger picture
What’s happening in Web3 hiring is not isolated. It is a targeted evolution of the broader social engineering economy that Chainalysis describes as increasingly industrialized — with phishing-as-a-service infrastructure, AI-generated deepfakes, and professional money-laundering networks all integrated into a supply chain.
The irony is that the people most likely to be targeted — ambitious developers, crypto-native builders, eager job seekers trying to break into Web3 — are also the people with the most to lose. They have wallets. They have assets. They have enough trust in the industry to give repository access to a stranger.
That’s not a coincidence. That’s the target profile.
CZ’s warning this weekend is useful for one reason: it confirms that even the most experienced people in the industry are regularly surprised by how effective these attacks remain. The defense is still the same boring procedure: slow down, verify independently, never install what you didn’t ask for.
The job might be fake. The malware is real.
Frequently asked questions
How do I know if a Web3 job offer is real?
Verify the company through its official website, confirm the recruiter’s identity on at least one independent channel (the company’s team page or a known LinkedIn connection), and check that the role is also listed on the company’s official careers page. If the only contact is a single DM and the recruiter resists verification, treat it as a scam.
What should I do if I think I clicked a malicious link or installed scam software?
Disconnect the affected device from the internet immediately. Power it down. Move any remaining assets out of potentially compromised wallets using a separate clean device, starting with the highest-value holdings. Reset all passwords from the clean device. Treat the compromised device as untrusted until it has been fully wiped and reinstalled.
Are LinkedIn job offers safe?
LinkedIn itself is not the problem — the platform is the delivery channel for many of these attacks because it appears legitimate. Treat any unsolicited LinkedIn DM about a remote Web3 role as unverified until you have confirmed the company and the recruiter through independent channels.
Which malware do these scams typically use?
According to MetaMask’s documentation, the most common families are Redline, Realst, Atomic (AMOS), and Stealc: info-stealers designed to harvest crypto wallet keys, browser session tokens, stored passwords, and seed phrases within seconds of execution.
How big is the crypto job scam problem?
Chainalysis reports that impersonation-style crypto scams, the category that includes fake recruiter attacks, grew 1,400% year-over-year in 2025, as part of a broader $17 billion in crypto scam losses globally. Norton’s separate survey of U.S. adults found that 1 in 4 people who encountered a suspicious job posting became victims, with average losses around $8,900.
