Target: Blockchain Developer

This is a Resonance Security sponsored article looking at the ongoing hacker attacks against blockchain and Web3 developers. In it I explain what the attacks are and how they work, how to spot them, and how I expect them to evolve over time.

Introduction

Back in the good old days when Linux was a fringe activity, everyone involved was nice. Well, not nice; there were a lot of argumentative people with strong opinions on everything, but they weren’t malicious. And everyone was very enthusiastic about open source software.

Then Linux went mainstream. The open source model continued to work and expand in scope, and you could trust pretty much everything you wanted to download and run, because Linux developers didn’t have anything with a dollar value on their machines. Hackers preferred to go after Windows machines and IoT devices to build botnets.

That has all changed with the advent of Bitcoin and cryptocurrency. As a blockchain developer you probably have private keys on your computer that control digital assets that can be stolen, laundered, and sold.

Blockchain developers have become juicy targets for criminal gangs and rogue state-sponsored hacking teams.

And open source software is making it easy for them.

What are they after?

Hackers are finding new things to target all the time. Here are a couple of approaches I have seen in the wild:

  1. Developers often use .env files to store blockchain wallet private keys when writing and testing code. Good coding practice means not putting private keys that control digital assets with real value in such environment variable files, but it’s easy to slip up. For example, at a later date you may forget that the private key is sitting there in ASCII format in a file and move assets with real value to the corresponding blockchain address. If the hacker can get access to your hard drive, they can scan for .env files and upload them to their server, then use the private keys to steal any digital assets or crypto they can find.
  2. Blockchain wallet extensions store seed phrases in your browser storage area (for example in /home/username/.config/google-chrome/Default/Local Extension Settings), and although the seed phrase is encrypted with a password, there are tools out there that can be used to brute-force poor password choices offline given enough time. If the wallet is for test purposes, the password choice is often weak. With access to your machine the hacker can zip up the extension files and upload the zip file to their own server, to crack it at their leisure.
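The two items above describe what a thief harvests from a developer's machine. The self-audit below is an added example, not code from the article or from Resonance Security: it parses a dotenv-style file, flags any value shaped like a 32-byte hex private key (the format most EVM tooling expects), and checks whether the file is covered by .gitignore so it cannot be committed by accident. The sample .env and .gitignore contents, and the key values in them, are constructed for the example and are not real keys.

```python
"""Audit a .env file for values that look like blockchain private keys.

Added example, not part of the original article. Works on text so it runs
offline; the SAMPLE_* strings are constructed and the keys are not real.
"""
import re
from fnmatch import fnmatch

# A secp256k1 private key is 32 bytes, usually written as 64 hex chars,
# optionally prefixed with 0x.
HEX_KEY_RE = re.compile(r"^(?:0x)?[0-9a-fA-F]{64}$")

# Constructed sample .env: two key-shaped values, two harmless ones.
SAMPLE_ENV = """# local test config
RPC_URL=https://rpc.example.invalid
DEPLOYER_KEY=0x%s
API_TOKEN=abc123
# quoted value with whitespace around '='
HOT_WALLET = "%s"
""" % ("ab" * 32, "cd" * 32)

# Constructed sample .gitignore that does cover .env.
SAMPLE_GITIGNORE = """node_modules/
*.log
.env
"""


def parse_env(text):
    """Return {NAME: value} from dotenv-style text, skipping comments and blanks."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        value = value.strip().strip('"').strip("'")
        result[name.strip()] = value
    return result


def find_private_key_values(text):
    """Return [(name, masked_value)] for entries whose value is a 64-hex-char key."""
    hits = []
    for name, value in parse_env(text).items():
        if HEX_KEY_RE.match(value):
            # Mask so the finding can be logged without re-exposing the key.
            hits.append((name, value[:6] + "..." + value[-4:]))
    return hits


def is_gitignored(gitignore_text, path):
    """Approximate gitignore matching: bare names match the basename, globs via fnmatch."""
    basename = path.rsplit("/", 1)[-1]
    for pattern in gitignore_text.splitlines():
        pattern = pattern.strip()
        if not pattern or pattern.startswith("#"):
            continue
        pattern = pattern.rstrip("/")
        if fnmatch(basename, pattern) or fnmatch(path, pattern):
            return True
    return False


def audit_env(env_text, gitignore_text, env_path=".env"):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for name, masked in find_private_key_values(env_text):
        findings.append(
            f"{env_path}: {name} holds a 32-byte hex key ({masked}); "
            "use a throwaway test key or an external signer instead"
        )
    if not is_gitignored(gitignore_text, env_path):
        findings.append(f"{env_path} is not covered by .gitignore and could be committed")
    return findings


if __name__ == "__main__":
    for finding in audit_env(SAMPLE_ENV, SAMPLE_GITIGNORE):
        print("WARNING", finding)
```

The gitignore matcher is deliberately simple (no negation or directory anchoring); it is enough to catch the common case where .env was never added at all. The same key regex can be pointed at any config file the project reads.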

Fake job offers

LinkedIn provides the hackers with a convenient list of candidates to approach: a simple search for profiles featuring keywords like “blockchain”, “developer”, “web3” and so on turns up thousands of people that might be exploitable.

The gangs then approach these people asking if they could help with the development effort for a Web3 project, usually at a rate of $50 to $75 an hour. I don’t know why they’ve picked that sum.

Very quickly the conversation turns to a request that you download a Github repository, which they claim either contains a coding test you must pass before you are hired, or is the project code you are supposed to work on.

This repository contains malware, and if you clone and run it, you are compromised.

Detecting fake and compromised LinkedIn profiles

The criminals try to cover their tracks by using fake LinkedIn profiles. Either they create a new profile, or they hack into an existing one that has a weak password and no two-factor authentication.

A fake profile can usually be spotted by the fact that the profile has no followers or connections (or only a few), no posting history, and is generally rather sparse on personal details.

A compromised profile reveals itself by making no sense in the context of the work offered. Why would a middle-aged HR officer in a car dealership chain in Texas or a carpenter from Minnesota be approaching you to write blockchain code for a decentralized casino or a decentralized autonomous organization?

Other clues include the language used in the direct messages: the profile is for an English native speaker, but the messages contain bad grammar and unusual spelling mistakes, or it is an account for someone who is clearly GenX but they’re using acronyms such as ‘idkwym’ and sprinkling emojis around like they’re GenZ. I even had one person sign off with “whomp whomp” when I called them out for being a hacker.

The scammer will not question your rate if you ask for more pay per hour, explain that what they want doesn’t really fall in your area of expertise, or if you tell them that you only have one day a week or evening to work on the project. Obviously, because they don’t care. There is no project.

Their main aim is to quickly move the conversation on to getting you to look at the Github repository.

How to spot a malicious repository

The main “tell” that a Github repository you have been asked to download contains malicious code is that the repo consists of one single commit.

Other clues include:

  • The title of the repository doesn’t match what they were describing in the direct messages. For example, they were talking about a decentralized exchange, but the repository claims to be a blockchain gambling game.
  • The README.md uses a different name for the project than the repository name.
  • The Github profile that created the repository has no prior history of commits on Github, or just a couple of other single-commit repositories.
  • Searching Github for sentences in the README.md returns other similar repositories. If one of those similar repos looks like a genuine project, for example because it has many commits over weeks or months, you can sometimes perform a diff against it to pinpoint where the malware has been added.

Here is an example of some React code that includes a bunch of whitespace after the last line, followed by some minified and obfuscated JavaScript that does all sorts of nasty stuff.

A few months ago a clear tell was the presence of child-process 1.0.2 in the package.json file, but NPM has finally removed that bit of malware from their registry site.

They took their time though.
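The tells listed in this section (a single commit, a known-bad dependency such as the child-process package named above, and a source file padded with whitespace before a minified payload) can be checked before anything is installed. The scanner below is an added example, not the article's or the author's code: it inspects package.json for blocklisted dependencies and for npm lifecycle scripts that run automatically on `npm install`, and it walks each source file looking for a long run of blank lines followed by a long line containing common obfuscation markers. The sample package.json, the sample React file and the obfuscation-marker list are constructed for the example; the blocklist contains only the package the article names and is meant to be extended by the reader.

```python
"""Pre-flight checks for a repository someone has asked you to clone and run.

Added example, not part of the original article. All inputs are text so the
checks run offline; the SAMPLE_* values below are constructed.
"""
import json

# Dependency names to refuse outright. "child-process" is the package the
# article names; keep extending this list from your own intel sources.
BLOCKLIST = {"child-process"}
# npm executes these script names during install, before you read any code.
LIFECYCLE_SCRIPTS = {"preinstall", "install", "postinstall", "prepare"}
# Tokens that commonly appear in obfuscated droppers (heuristic, constructed).
SUSPICIOUS_TOKENS = ("eval(", "Function(", "atob(", "fromCharCode", "\\x", "child_process")

# Constructed sample package.json with one blocklisted dep and a postinstall hook.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "defi-casino-frontend",
    "scripts": {"start": "react-scripts start", "postinstall": "node ./setup.js"},
    "dependencies": {"react": "^18.2.0", "child-process": "1.0.2"},
})

# Constructed sample source: a normal component, 40 blank lines, then a
# long eval(atob(...)) line that is off-screen in most editors.
SAMPLE_APP_JS = (
    "export default function App() {\n  return <div>hi</div>;\n}\n"
    + "\n" * 40
    + "eval(atob('" + "QUJD" * 150 + "'));\n"
)


def scan_package_json(text):
    """Return findings for blocklisted dependencies and install-time scripts."""
    findings = []
    pkg = json.loads(text)
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, version in pkg.get(section, {}).items():
            if name in BLOCKLIST:
                findings.append(f"{section}: {name}@{version} is on the blocklist")
    for name, cmd in pkg.get("scripts", {}).items():
        if name in LIFECYCLE_SCRIPTS:
            findings.append(f"scripts.{name} runs on install: {cmd!r}")
    return findings


def scan_source(text, blank_run=20, long_line=500):
    """Flag code that follows >= blank_run blank lines if it is very long or obfuscated."""
    findings = []
    run = 0
    for idx, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            run += 1
            continue
        if run >= blank_run:
            tokens = [t for t in SUSPICIOUS_TOKENS if t in line]
            if len(line) >= long_line or tokens:
                findings.append(
                    f"line {idx}: code after {run} blank lines (len={len(line)}, markers={tokens})"
                )
        run = 0
    return findings


def assess_repo(package_json_text, sources, commit_count=None):
    """Aggregate all checks; commit_count can be fed from `git rev-list --count HEAD`."""
    findings = []
    if commit_count == 1:
        findings.append("repository has a single commit")
    findings += scan_package_json(package_json_text)
    for path, text in sources.items():
        findings += [f"{path}: {f}" for f in scan_source(text)]
    return findings


if __name__ == "__main__":
    for finding in assess_repo(SAMPLE_PACKAGE_JSON, {"src/App.js": SAMPLE_APP_JS}, commit_count=1):
        print("FLAG", finding)
```

Run it against a clone made on an isolated machine, with `npm install` not yet executed; any finding is reason enough to stop. If you still want to read the code, `npm install --ignore-scripts` prevents the lifecycle hooks from running while you look.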

How to protect yourself

If you are in blockchain, these days you can’t just download a repository onto your main computer on your home or work network and run it. The risks are simply too high, even if you are careful with your private keys and have a strong password for your blockchain wallet.

Personally, I have a laptop with its own dedicated 4G modem, and a bunch of network sniffing software and logging software installed on it. I run Kali Linux on a virtual machine on the laptop, and I only download the repositories the hackers are trying to foist on me for research purposes.

You probably don’t want to dedicate time and resources to a setup like that, but at least you can use the above pointers to detect the scams and refuse to download and run the repositories.

What does the future hold?

The above may seem sophisticated, but I predict much worse is coming. Dealing with computer criminals is an ongoing game of whack-a-mole, and the hackers are always concentrating on improving their game.

Here are my predictions:

  • The hackers are busy crafting LinkedIn accounts with a real history, by gathering connections and followers over time, and posting cut-and-paste copies of other people’s material, or at least re-posting posts on a regular basis.
  • They are also putting together better repositories with more consistent stories so the initial approach and the project match. ChatGPT or other generative AIs will help them draft README.md content quickly. And someone will write a script so the repository is generated over a period of time through multiple commits.
  • And of course the included malware will continue to evolve over time, becoming smaller and more innocuous, and hidden more carefully.

What can we do?

At the moment the best defense is to be aware how the scammers operate. It’s hard, especially if you’re out of work, and someone approaches you with what looks like an easy job with good money. Unfortunately, we now live in times where you have to be suspicious of everything: make sure you build up a relationship with potential employers or clients before you take on work.

What is urgently required is for the companies running the platforms to improve their reporting mechanisms, so we can flag miscreants and get them blocked before they can cause more damage, and more scanning tools and security engineers to detect and shut down repositories containing malware.

The two platforms I’ve mentioned, LinkedIn and Github, are both run by Microsoft, which brought in almost a quarter of a trillion dollars in revenue over the last twelve months. But until they’re held responsible for the losses incurred by blockchain developers who are scammed, there is not much of a financial incentive for them to make reporting scams easier or to be prompt in scanning repositories for malicious code.

As is usual in crypto: you’re on your own.

Ricardo Moreira

Auditor Fiscal da Receita Federal do Brasil

3 months

Excellent article!

John Cramer

Residential Construction/Full Stack Developer (MERN)

3 months

This is a great topic and article. Thank you!

Marco Crotta

Blockchain Expert & Consultant at Blockchain Caffe

3 months

I made a video on this, it's due in an hour

Taylor May, MBA

Full Spectrum Cybersecurity Made Easy

3 months

This is why I enjoy reading your articles. Learning from bad actors will only help ourselves and others on how to stay out in front of these kinds of attacks.

Luis Videla

Backend Developer | Blockchain Developer | Instructor

3 months

I just received a couple of those emails, it's worth sharing! Thanks!
