Date:: February 21, 2024 – February 28, 2024
Tags: 🎙️ Contagious Interview
- I was registered on Braintrust as a freelancer and received a job invitation for part-time work.
- The person who invited me used the name “Bill Tinys” and provided me with the job requirements. He also asked me to check out the codebase and try to reproduce the issue that he was facing locally:
- FreeBling online site: https://app.freebling.io/
- The codebase - bitbucket.org/juandsuareza/main/src/main/
- 0xc2f103ce223dae119d04892d412d3484f8dcec1f - Braintrust I: Victim
- 0x8d5a2684330a6b7f791ce6acb5d4a09f53cb5f67 - Braintrust I: Theft
- 0xb3c9effe909a737621b929600c6bd1e5a62f43c5 - Braintrust I: Theft
- 0x8baa40851c5c3a822e9c881103573f5246ead710 - Braintrust I: Defiway, BSC, via Stargate
- 0x77b737bb6c6eb4c717228aa653da2a4f994040a9 - Braintrust I: Sends to 0x8baa40851c5c3a822e9c881103573f5246ead710
- 0xbe1566497c7f581258c14bf297a8f4e747ddf013 - Braintrust I: April 2024 Dust Collector
- I do freelance software development work through the company Braintrust (www.usebraintrust.com).
- Braintrust is a legitimate service that connects clients with freelance software developers and handles communication, contracts, and payments/billing.
- I have worked successfully for clients before on Braintrust. I received an invite to apply for a job offer through Braintrust (note, I actively received the invite to apply from Braintrust via email - I was the 'passive party' and did not go searching for this job).
- I completed the job application and communicated with the client over the Braintrust platform.
- As part of the job application process I downloaded the code they shared to my laptop to see what I would be working on.
- This code was actually hidden obfuscated malware and infected my laptop.
- I deleted everything I could find and quarantined the laptop by turning off the internet connection, unfortunately it was too late.
- All my crypto funds in my crypto wallet have been drained to the attacker by their malware as it has found and transmitted my private keys/seed phrase.
- I don't know how they found it I am always very tight on digital hygiene and the only private key in plaintext was in .env files for my separate dev wallet that only contained $14 of gas tokens.
- In the current market this stolen crypto is worth roughly $12,600
- https://chainabuse.com/report/dc05e046-8da8-43ca-ab2c-df47b05681ba
- 0xa9c81d278e1342edc4a73bad65ae80ca04242d6b - Braintrust II: Victim
- 0xd82012324c8a3c2d5721b2444b7ee3d989e65589 - Braintrust II: Victim
- 0x9a4d77a4567706e5ca12ed5ce7020e4a961937d5 - Braintrust II: Victim
- 0xdd39c04f784506b718f4f8e4ba7f4b8d3deafb68 - Braintrust II: Theft
- 0xb3c9effe909a737621b929600c6bd1e5a62f43c5 - Braintrust II: Theft
- 0xbe1566497c7f581258c14bf297a8f4e747ddf013 - Braintrust II: April 2024 Dust Collector
this is so true, I received this one, and almost did it, they claimed that they had urgent issues to fix, and gave me a code with NDA, and I found something weird, this is their site https://app.freebling.io, and when I mention why is she put child_process on the package, she
- https://linkedin.com/pulse/i-got-hacked-what-did-do-after-lokicheck-zuzkc/
- https://bitbucket.org/juandsuareza/main/src/main/pages/redirect.tsx
-
Recently, I received an invitation for interview on Upwork regarding a job post: https://upwork.com/jobs/~01fb0cb0025d35d158
-
As mentioned in the job post, it's an ongoing project. So, as usual, the client sent me the repo of the project: https://bitbucket.org/juandsuareza/main/src/main/
-
And, sent me a screen-recording (https://drive.google.com/file/d/1uLLOF56mFkVf-GZbTxKXZlHXNAFUkgGy/view?usp=sharing) pointing-out to the bug/issue in the existing project, and asked me whether I'm also facing the same after running the project locally.
-
As, you can see, the repo doesn't look suspicious at all (especially in the eyes of regular devs). So, I cloned the repo and started executing it locally. Once, it started running on localhost, it was opening like a normal Next.js app on browser. Trust me, everything was completely unsuspicious.
-
However, here comes the twist, all of a sudden, it started asking for permissions of accessing browser cache, notes, reminders and what not. And to be very honest, i denied all of them as it started looking a lot suspicious all of a sudden. And I closed and deleted the project completely. Suddenly checked my bank accounts and all using my phone via dedicated banking apps (as I never access any of my bank account via browser or laptop).
-
But then, when I checked my Metamask, all of my funds on all the mainnet accounts were gone. Luckily, I was/am not holding any crypto for investment purposes or so, whatever was there of around $60 was for various testing purposes, mainly in Polygon MATIC. These were the transactions that happened:
-
https://polygonscan.com/tx/0xf0b72d445105d9c4d4d9c47c77f6869130b87c748d61e9de3874a8925cc2cc6f
-
https://etherscan.io/tx/0x44ce9e9a00d802c85875e5a76a65b14236d1e744f9d60ad1a1008ebe7e5dc134
-
Funny enough, in the second transaction, you guys can see the scammer has spent around $4 in transaction fees to transfer $1 worth of Ethereum. Clearly, not an expert scammer for sure!
-
Source: https://x.com/syedasadkazmii/status/1769710505953026109?s=20
- 0xd0315144eb80eb3e2d51792c8caaff21df2747f7 - Theft Address (ETH)
- 0x0cae12f056775cbdd68a3e07e98d2e97baf22234 - Theft / Laundry (ETH), also CloudAI Team Thefts
- 0xf318d71541a072583ee2f3720b757afb604b4eca - Theft / Laundry (ETH), receives from Blockbusters Tech thefts
- 0xd0315144eb80eb3e2d51792c8caaff21df2747f7 - Theft Address (MATIC)
- 0xb49fa6ec7a7c1f7f19c05640cf9f129c142f96ae - Theft / Laundry (MATIC), also receives from Lucid Chess Malware
- 0xbe1566497c7f581258c14bf297a8f4e747ddf013 - Dust Collector (MATIC)