Crypto Times Logo Black
Google News Follow Banner
  • News
    • Market
    • Bitcoin
    • Ethereum
    • Altcoins
    • Regulations & Policies
    • DeFi News
    • Blockchain News
    • Industry
  • Exclusive
    ExclusiveShow More
    The Wall Around Mint Street: How the RBI Spent a Year Shutting Crypto Out of Indian Banking
    The Wall Around Mint Street: How the RBI Spent a Year Shutting Crypto Out of Indian Banking
    Michael Saylor’s Strategy
    Why Michael Saylor’s Strategy Is Selling Bitcoin After Years of Buying
    Anthropic’s Claude Fable 5 Crypto Hacks
    Anthropic’s Claude Fable 5: The AI That Could Supercharge Crypto Hacks and Defenses
    CLARITY Act Stalls Why Senate's August Recess Puts US Crypto Rules at Risk
    CLARITY Act Stalls: Why Senate’s August Recess Puts US Crypto Rules at Risk
    Three Stories, One Pattern Why Binance Is Having Its Worst Week Since the Pardon
    Three Stories, One Pattern: Why Binance Is Having Its Worst Week Since the Pardon
  • Opinion
    OpinionShow More
    The Bitcoin Treasury Blueprint What Stress Testing on Strategy Inc.’s MSTR-STRC Reveals
    The Bitcoin Treasury Blueprint: What Stress Testing on Strategy Inc.’s MSTR-STRC Reveals
    Why Wall Street is Divided Michael Saylor’s Scarcity vs. Tom Lee’s Staking Empire
    Why Wall Street is Divided: Michael Saylor’s Scarcity vs. Tom Lee’s Staking Empire
    The Arthur Hayes Paradox Macro Prophet or Market Opportunist
    The Arthur Hayes Paradox: Macro Prophet or Market Opportunist?
    RBI Denies Gold Sale Amid Oil Crisis: Could It Speed Up India's Digital Rupee Push?
    RBI Denies Gold Sale Amid Oil Crisis: Could It Speed Up India’s Digital Rupee Push?
    The CLARITY Act War Starts Jamie Dimon Vs Armstrong
    The CLARITY Act War Starts: Jamie Dimon Vs Armstrong
  • Learn
    • Explained
    • How To
    • Insights
  • Videos
  • More
    • About Us
    • Our Authors
    • Contact Us
    • Editorial Policy
The Crypto TimesThe Crypto Times
  • All News
  • Market
  • Bitcoin
  • Ethereum
  • Altcoins
  • Regulations & Policies
  • Blockchain
  • DeFi
  • Industry
  • Exclusive
  • Opinion
Search
  • News
    • Market
    • Bitcoin
    • Ethereum
    • Altcoins
    • Regulations & Policies
    • Blockchain
    • DeFi
    • Industry
    • Exclusive
    • Opinion
  • Learn
    • Explained
    • How To
    • Insights
  • Quick Links
    • About Us
    • Our Authors
    • Contact Us
    • Editorial Policy
    • AI Policy
    • Sponsored & Advertorial Policy
  • Videos
  • Glossary
Follow US
© 2026 By Crypto Times. All Rights Reserved.
Exclusive

The Web3 Job Scam Draining Crypto Wallets Worldwide

Scammers pose as Web3 recruiters offering high-paying remote roles. One install can drain a wallet in minutes. Even Binance’s CZ says he has watched it work.

Written By Divya Mistry
Published 2026-05-26·Updated 2 months ago
Make The Crypto Times preferred on GoogleGoogle
Share
The Web3 Job Scam Draining Crypto Wallets Worldwide
Show AI Summary
A crypto job offer leads to a scam via a LinkedIn message and fake interview process.
The scam unfolds rapidly, with a recruiter asking the victim to install a verification tool just before the final interview.
The scam’s timeline ends with significant financial loss, part of a record $17 billion in global crypto scam and fraud losses in 2025.

A LinkedIn message arrives. A crypto unicorn you’ve heard of needs a senior developer. Remote. A high salary, sometimes $16,000 to $44,000 a month based on documented cases, sometimes much more in the most elaborate versions. The interview goes well. You’re clearly the right fit. Then, minutes before the final Zoom, the recruiter asks you to install a “verification tool;” just a formality, they say.

That’s the last moment before everything goes wrong.

This is the scenario blockchain advisor Anndy Lian described on X this weekend, and Binance Co-Founder Changpeng “CZ” Zhao engaged with the post and replied with a warning of his own: “you would be surprised how many people fall for ‘crypto interview hacking’ like this. Seen a few in my times already.” The thread that followed has become one of the most-shared security warnings in the crypto industry this year — because the attack it describes has just had its biggest year on record.

$17 billion stolen, and one category grew 1,400%

The Chainalysis 2026 Crypto Crime Report puts global crypto scam and fraud losses at $17 billion for 2025, a new record. Inside that number, one category stands out: impersonation-style attacks — the bucket that includes fake recruiter scams — grew 1,400% year-over-year, with the average payment per scam jumping from $782 in 2024 to $2,764 in 2025, a 253% increase.

Impersonation-style crypto scam growth

Artificial intelligence is the multiplier. Chainalysis found that scams with demonstrable links to AI tools, such as deepfake software, face-swap technology, large language models, extract an average of $3.2 million per operation, compared to $719,000 for non-AI-enabled scams. That’s 4.5 times more revenue per attack. More striking still: 76% of AI-enabled scams fall into the highest-value loss category, per Chainalysis. The AI-enabled operations also showed a median daily intake of $4,838 versus $518 for non-AI scams, and roughly 9x the daily transaction volume.

And it’s not limited to crypto-native targets. A Norton survey of U.S. adults found that 33% of respondents have encountered a suspicious job posting or fake recruiter; nearly 1 in 4 of those (23%) became victims; 90% of victims reported losing money; the average loss was around $8,900. Gen Z respondents were more than twice as likely as Baby Boomers to encounter job scams (44% vs. 21%).

Inside the four-stage attack

The pattern is consistent across documented cases — from MetaMask‘s security advisory on crypto job scams to the near-misses crypto users have shared on X this weekend.

Stage 1 — The approach

An unsolicited DM arrives on LinkedIn, Telegram, or X from someone claiming to represent a recognized Web3 project or a newly launched protocol. The role is ideal: high salary, flexible hours, and meaningful work. The recruiter has a LinkedIn profile with a plausible career history. The company has a website, sometimes even Glassdoor-style reviews.

Stage 2 — The process

The interview proceeds professionally. Multiple rounds. A take-home task. The scammer builds rapport, mirrors your enthusiasm, and creates the impression of a busy, legitimate hiring team. Some operations spend weeks on this stage to make the final ask feel earned. The Lazarus Group‘s six-month campaign against crypto payments firm CoinsPaid in 2023 is the canonical example: months of fake recruiter exchanges, salary offers of $16,000 to $30,000 per month under the pretense of a Crypto.com hire, before the engineer was finally compromised.

Stage 3 — The pivot

Just before a final call or offer letter, the request comes: install a proprietary meeting platform, clone a GitHub repository to complete a technical test, or download a verification tool to confirm identity before onboarding. The request feels procedural — and that is exactly the point.

Stage 4 — The drain

The software executes malware — most commonly strains like Redline, Realst, Atomic/AMOS, or Stealc, according to MetaMask’s analysis. Within seconds, the malware sweeps the device for crypto wallet keys, browser sessions, stored passwords, and seed phrases. Assets move out before the victim closes the browser tab. The recruiter vanishes. The company never existed.

If you suspect you’ve installed malware during a hiring process, MetaMask’s advice is to disconnect from the internet immediately, power down the device, and use a separate clean device to move any remaining assets out of compromised wallets — highest-value assets first.

Why Web3 is the perfect hunting ground

Several features of the crypto industry create unusually fertile ground for this attack:

  • Remote work is the default. A request to do everything online doesn’t raise flags.
  • Compensation is high and often paid in crypto. Job seekers expect non-standard processes.
  • Teams are often pseudonymous. It is normal not to know your colleagues’ real names. Verification is harder.
  • Companies launch and fold quickly. A brand-new protocol with no track record is not unusual — it’s most of the market.
  • The target profile is high-value. Developers and crypto-native job seekers are the most likely to have wallets, accumulated assets, and the technical context that makes a malicious repo look like a normal screening task.

That last point is not accidental. It is the target profile.

State actors are using the same playbook

The most consequential users of the fake-job attack are not opportunists. They are organized threat groups, sometimes state-backed.

In early 2025, a Russian-speaking group called “Crazy Evil” — through a subgroup dubbed “Kevland” — used a fake blockchain company called ChainSeeker.io to post premium Web3 job listings on LinkedIn, WellFound, and CryptoJobsList. Victims were directed to a “Chief Marketing Officer” on Telegram who instructed them to install a fake video-meeting app called “GrassCall” from the malicious domain grass[.]net. The app deployed AMOS (Atomic macOS Stealer) on Mac devices and Rhadamanthys RAT plus infostealers on Windows machines. Hundreds of people were affected. 

By mid-year, North Korean operators had moved to Python-based malware (PylangGhost) hidden inside fake job applications, specifically targeting India-based blockchain developers through fake skill-testing websites mimicking legitimate company assessment platforms.

Per security researchers, North Korean groups including Lazarus have used fake job offers and fictitious LinkedIn personas as the entry point for some of the largest crypto thefts ever recorded:

  • The Ronin Bridge hack (March 2022, ~$620 million) — a senior engineer at Sky Mavis (the developer of Axie Infinity) was duped into applying for a fake job at a company that did not exist. The Lazarus operation used malware-laden documents during the interview process to compromise his system and ultimately access enough validator keys to drain the bridge.
  • The CoinsPaid hack (July 2023, $37 million) — a six-month campaign of fake job offers targeting CoinsPaid engineers, with the successful compromise based on a fake Crypto.com recruitment process.
  • The Drift Protocol hack (early 2026, ~$286 million) — per April 2026 retrospectives, the Lazarus Group spent six months infiltrating Drift, including in-person conference meetings across multiple countries and a $1 million deposit of real capital to build trust, before draining $286 million in a 12-minute operation. This is the most recent large-scale case of the fake-job-to-protocol-drain pattern.

Cumulative Lazarus Group crypto thefts now exceed $3.4 billion since 2007, with the February 2025 Bybit hack ($1.5 billion) and the Drift drain among the largest single-incident totals.

The job offer is rarely the prize. It is the foot in the door.

How to protect yourself

The community consensus, amplified by CZ’s comments and the wave of responses on X this weekend, points to a small number of rules. None of them are technical.

Treat these as immediate red flags:

  • An unsolicited DM with a high salary offer for a remote Web3 role
  • Any request to install software, clone a repo, or run code as part of an interview
  • A recruiter who creates time pressure: “final call in 30 minutes,” “start date is Monday”
  • A company profile with little verifiable online history
  • Communication shifting from official channels to Telegram or Discord DMs early in the process
  • The conversation ending abruptly when you ask to verify the company through official channels

Treat these as your defensive baseline:

  • Pursue opportunities only through official channels. Verified job boards, official company career pages, recruiters whose identity you can confirm independently.
  • Never install software or run code provided by a recruiter. This is the single most important rule. No legitimate company will require this during interviews.
  • Use a clean device or sandboxed environment for any technical task you cannot otherwise avoid. Hardware wallets should be on a different device entirely.
  • Verify the recruiter on multiple channels. LinkedIn alone is not enough. Confirm their identity against the company’s website, team page, and at least one independent source.
  • Treat urgency as a red flag, not a feature. Real companies move at company speed. Scams move at scam speed.

The bigger picture

What’s happening in Web3 hiring is not isolated. It is a targeted evolution of the broader social engineering economy that Chainalysis describes as increasingly industrialized — with phishing-as-a-service infrastructure, AI-generated deepfakes, and professional money-laundering networks all integrated into a supply chain.

The irony is that the people most likely to be targeted — ambitious developers, crypto-native builders, eager job seekers trying to break into Web3 — are also the people with the most to lose. They have wallets. They have assets. They have enough trust in the industry to give repository access to a stranger.

That’s not a coincidence. That’s the target profile.

CZ’s warning this weekend is useful for one reason: it confirms that even the most experienced people in the industry are regularly surprised by how effective these attacks remain. The defense is still the same boring procedure; slow down, verify independently, never install what you didn’t ask for.

The job might be fake. The malware is real.

Frequently asked questions

How do I know if a Web3 job offer is real?

Verify the company through its official website, confirm the recruiter’s identity on at least one independent channel (the company’s team page or a known LinkedIn connection), and check that the role is also listed on the company’s official careers page. If the only contact is a single DM and the recruiter resists verification, treat it as a scam.

What should I do if I think I clicked a malicious link or installed scam software?

Disconnect the affected device from the internet immediately. Power it down. Move any remaining assets out of potentially compromised wallets using a separate clean device, starting with the highest-value holdings. Reset all passwords from the clean device. Treat the compromised device as untrusted until it has been fully wiped and reinstalled.

Are LinkedIn job offers safe?

LinkedIn itself is not the problem — the platform is the delivery channel for many of these attacks because it appears legitimate. Treat any unsolicited LinkedIn DM about a remote Web3 role as unverified until you have confirmed the company and the recruiter through independent channels.

Which malware do these scams typically use?

According to MetaMask’s documentation, the most common families are Redline, Realst, Atomic (AMOS), and Stealc: info-stealers designed to harvest crypto wallet keys, browser session tokens, stored passwords, and seed phrases within seconds of execution.

How big is the crypto job scam problem?

Chainalysis reports that impersonation-style crypto scams, the category that includes fake recruiter attacks, grew 1,400% year-over-year in 2025, as part of a broader $17 billion in crypto scam losses globally. Norton’s separate survey of U.S. adults found that 1 in 4 people who encountered a suspicious job posting became victims, with average losses around $8,900.

Disclaimer: The information researched and reported by The Crypto Times is for informational purposes only and is not a substitute for professional financial advice. Investing in crypto assets involves significant risk due to market volatility. Always Do Your Own Research (DYOR) and consult with a qualified Financial Advisor before making any investment decisions.

Follow The Crypto Times on Google News to Stay Updated!      Google News

TAGGED:Crypto ScamWeb3
Share This Article
Whatsapp Whatsapp LinkedIn Telegram Copy Link

Latest News

Pakistan's Top Islamic Scholar Rules Bitcoin, Ethereum, and USDT Haram
Pakistan’s Top Islamic Scholar Rules Bitcoin, Ethereum, and USDT Haram
Ethereum Crosses $1,800, and Eric Trump Has Just Three Words
Ethereum Crosses $1,800, and Eric Trump Has Just Three Words
The Wall Around Mint Street: How the RBI Spent a Year Shutting Crypto Out of Indian Banking
The Wall Around Mint Street: How the RBI Spent a Year Shutting Crypto Out of Indian Banking
Hedera's Biggest DeFi Lender Bonzo Lend Hacked for $9M, $5.25M Bridged to Ethereum
Hedera’s Biggest DeFi Lender Bonzo Lend Hacked for $9M, $5.25M Bridged to Ethereum
Ethereum L1 Tops Public Networks With Over $19B in Tokenized Assets
Ethereum L1 Tops Public Networks With Over $19B in Tokenized Assets

Find Us on Socials

You may also like

Mangaluru Woman Loses ₹6.42 Lakh in Fake Crypto Investment Scam

Mangaluru Woman Loses ₹6.42 Lakh in Fake Crypto Investment Scam 

Web3 Gets Another Seat at the Table as India's Panel Reviews Corporate Laws Bill

Web3 Gets Another Seat at the Table as India’s Panel Reviews Corporate Laws Bill

Former Epoch Times CFO Pleads Guilty to $67M Crypto Laundering Scheme

Former Epoch Times CFO Pleads Guilty to $67M Crypto Laundering Scheme

On-Chain Investigator Flags BNB Chain's CodexField as a Potential $85M Rug Pull

On-Chain Investigator Flags BNB Chain’s CodexField as a Potential $85M Rug Pull

The Crypto Times Logo PNG

Providing real-time, accurate Crypto reporting. Your trusted source for Crypto News and Research.

Stay Updated

All News
Exclusive
Opinions
Learn
Videos
Glossary

Company

About Us
Our Authors
Editorial Policy
AI Policy
Advertorial Policy

Get In Touch

Contact Us
Career

Find Us on Socials

X-twitter Linkedin Telegram Youtube Instagram

© 2026 The Crypto Times | A BITROCK TECHNOLOGIES L.L.C. Company.

DMCA.com Protection Status
  • Terms and Conditions
  • Disclaimer
  • Privacy Policy
  • Cookie policy
Do Not Sell or Share My Personal Information