I encountered a job scam! Analyzing from the victim's perspective how to identify Web3 social engineering attacks.

Recently, I received a strange message asking if I was interested in a job vacancy at a certain company. The other party initially pretended to be the HR of a Hong Kong digital bank, but was vague about the job description. Subsequently, the other party added me to a group and tried various ways to impersonate a real person to gain trust. In the end, they provided a KakaoVoice meeting link instead of the commonly used Zoom or Google Meet, which confirmed to me that this was a social engineering attack. The following will break down the events and suspicious aspects from my first-person perspective.

Strange private message seeking cooperation

Everything started on July 11, when I received a private message from the Twitter account @chuiso_eth. Although it was unexpected, I broke my original principle of only collaborating through introductions from acquaintances because I was already involved in content creation and this account had many mutual followers. However, I still double-checked with my friends, and they also thought there were many mutual followers, so I had a preliminary trust in this person.

He stated that he was recruiting for a project and attached a LinkedIn link. The link he provided was for a company called WeLab, which preliminary investigation shows is a digital bank in Hong Kong, but I only saw banking and loan-matching services. A compliant company in Hong Kong should be more cautious if it is involved in the crypto field. At the same time, I searched for the HR's name, Bon Hwa SW, and found no information anywhere on LinkedIn, which was my first point of suspicion.

Job description is vague.

He explained that their company is engaged in early-stage startup research and investment, which is why they offered me a part-time position as a researcher and content creator. He stated that the responsibilities of the position are: "To seek out new technologies that may link to new ecosystems and protocols to improve projects. You will report on a specific technology and will liaise with the development team for suggestions." At that moment, I thought this description was too vague, so I further requested the JD (Job Description).

Later, I asked Scott, the founder of Hong Kong media MonsterBlock, and he said he had never heard of this company, but he knows someone on LinkedIn who follows the company.

After establishing trust, they set up a meeting using unfamiliar software.

He did not give me the JD and asked me to join a Telegram group to communicate further with his colleagues. There were six people in this group, and an account named Olivia even sent a video of a plane about to take off, which made me trust that they were real people. Then, a customer support manager named Jessica Krian briefly outlined the working hours and benefits and asked me to provide my CV. I pressed them on how they had found me; they only replied that a MOD had found me and recommended me to him, and that he had then forwarded it to HR. There was no further response.

Later, we scheduled an online meeting. Just as the appointed time was approaching, I took the initiative to ask which software we would be using for the meeting. Then they provided the meeting link for KakaoVoice, and at that moment, alarm bells went off in my mind. I straightforwardly expressed my concerns and suggested that I initiate the meeting. Afterwards, the five others were surprisingly unresponsive to the messages, and it was clear that I had encountered a social engineering attack.

The scary thing is that afterwards, I looked for similar attack cases in previous posts by Yu Xian, founder of the SlowMist team, where he suggested using VirusTotal to check web pages. I pasted in the link the other party had sent for inspection, but surprisingly, it didn't show any issues.

English speakers posting in Simplified Chinese? The scammers' methods are full of holes.

Next, we will review the information of each person in this group one by one. I believe there are quite a few flaws in them.

The HR contact named Bon Hwa SW left a Linktree on their Telegram profile, which contains personal links such as Twitter and Telegram, as well as links to an exchange called HOP, a WeLab company Linktree, and a project called Boundless. I initially assumed that WeLab might have invested in Boundless, so I would actually be working for Boundless.

The group creator Diddler Shwaz's homepage states that his X account is shwaz_eth, and that account's Linktree corresponds with his Telegram account, so it is basically confirmed to be him. His X profile indicates that he is active in California and Hong Kong (corresponding to WeLab headquarters), which adds to the credibility. However, a month ago, someone left a negative review about him on Ethos, claiming that this person is a scammer. I just found out that in June, someone accused them of using the same tactic, pretending to be a company called Hop Protocol and sending links.

Olivia is a Caucasian woman who claims to be primarily based in Vietnam. This is understandable, as many digital nomads live in Vietnam. Her Linktree also has a link to the project Boundless. What is more suspicious is that the Twitter account @Olivia_lens is entirely in Simplified Chinese, although this could also be interpreted as a native English speaker trying to engage with Chinese fans. Oh, and she also has a Twitter channel called Olivia Cooking.

Jessica Krian no longer has a Linktree, but her Telegram self-introduction is, surprisingly, written in Simplified Chinese: "Every day is a new opportunity."

The last person is also the main speaker of the group, Coinacci, whose Linktree also has links to Boundless and WeLab. However, the Twitter link points to an account named @Coinacci, which claims to be @0xCoinacci and reposts all his posts. After I messaged @0xCoinacci, he indicated that the account in the group was impersonating him.

(The Web3 anti-phishing platform Unphishable will launch in July! Developed by SlowMist, DeFiHack, and Scam Sniffer.)

This article, "I encountered a job scam! Analyzing from the victim's perspective how to identify Web3 social engineering attacks", first appeared on Link News ABMedia.
