DEV Community

Cover image for So many types of social engineering hacks, targeting web3 developers 💀
Graita Sukma Febriansyah Triwildan Azmi
Graita Sukma Febriansyah Triwildan Azmi

Posted on

So many types of social engineering hacks, targeting web3 developers 💀

#security #hack

Picture this.
You’re chilling, shipping features, maybe fixing a random “gas estimation failed” bug for the 4th time this day.

Then a DM lands:

  • “Hey, we’re doing an NFT project and need someone like you to help us.”
  • “Loved your GitHub profile. I see a lot of contribution you made. Do you want to contribute in our project?”
  • “Your repo is vulnerable. Here’s a PR to fix it.”

And because you’re a builder, you do the builder thing:

You clone, run, click, and merge.

Congratulations, you just got socially engineered.

Alright, shall we begin :)

Why Web3 devs get targeted so hard

Short answer: because you don’t just have the code, you have the access!

Something like:

  • deployer keys (or the machine that touches them)
  • CI secrets (that can publish packages, push image)
  • priviledged social media like Discord/Telegram that can “announce”
  • and so on

They can just break your workflow.

In Web3, the fastest way to drain funds is not a re-entrancy bug. It’s a developer having a normal day.

The menu of attacks (Web3 dev edition)

Below are the patterns I keep seeing — different flavors, same core trick: get you to execute or approve something you normally wouldn’t.

1) Fake recruiter → “coding assignment” malware

This one is disgustingly effective because it weaponizes your ambition.

Flow:

  1. Recruiter reaches out (LinkedIn, Telegram, X, email)
  2. You get a “take-home task”
  3. Task includes repo / zip / “run this script”
  4. You run it locally
  5. Your machine leaks secrets / tokens / wallet material / browser data

Security teams have been tracking multiple waves of this style of campaign, including variants attributed to DPRK-linked activity. ReversingLabs described a “fake recruiter” branch targeting JS/Python developers with crypto-themed tasks (active since May 2025).

Google’s threat intel also described DPRK activity abusing the job interview process as the delivery mechanism.

Builder trap: “It’s just code, I can inspect it.”

Yeah… and you still ran it.

2) Fake audit / fake security firm / “critical vuln” panic

This one targets your responsibility reflex.

Common lures:

  • “We found a critical issue in your protocol”
  • “We’re a security partner of , please validate this quickly”
  • “Here’s a PoC / Foundry test / script to reproduce”

The payload is often the same: get you to run something (or open a doc) on a machine that has access to important things.

This vibe rhymes with how the Ronin/Axie compromise was reported: the initial hook wasn’t a smart contract exploit, it was a human being convinced to open something in a trusted context.

Builder trap: “If I ignore this and it’s real, I’m negligent.”

Attackers love that sentence.

3) Malicious npm/PyPI packages hiding inside “normal” dev work

If you’re a Web3 dev, you probably install random packages weekly:

  • wallet utils
  • crypto helpers
  • ABI tooling
  • build plugins
  • “quick scripts”

Attackers know this.

Recent reporting and research has highlighted campaigns planting malicious packages and abusing open-source trust — including fake recruiter flows that lead devs to install specific packages.

Builder trap: “It’s open source, and it has 200 stars.”

Stars are not a security model.

4) GitHub-native attacks: PRs, Actions, token theft, CI secret exfil

This is the grown-up version of phishing.

Instead of attacking you, they attack the system you rely on:

  • a PR that looks legit but sneaks in a postinstall / script
  • a compromised maintainer account
  • a malicious GitHub Action update
  • dependency bumps that pull in the payload

And because CI has secrets, CI is a jackpot.

There have been large-scale supply-chain incidents reported in the npm/GitHub ecosystem where malware focuses on stealing developer secrets and CI/CD credentials.

Builder trap: “CI ran green, so it’s safe.”

CI can be the victim too.

5) Discord/Telegram “verification” bots and community impersonation

Web3 teams live in chat apps. Attackers live there too.

Patterns:

  • fake “Collab Manager” accounts
  • cloned communities
  • fake “verify to enter” bots
  • fake airdrop/trading groups delivering malware

Some threat reports have noted malware distribution and scam flows increasingly happening through Telegram-style channels and “verification” mechanics rather than classic email phishing.

Builder trap: “It’s in the official group.”

Ask: official according to who?

6) Wallet drainers & signature tricks (devs are not immune)

Even if you “never share seed phrases,” you can still get wrecked by:

  • signing a malicious message
  • approving an unlimited allowance on a compromised dApp
  • signing something you didn’t simulate / understand

Drainer operations are basically a service economy now (tooling, panels, distribution playbooks).

Builder trap: “It’s just a signature, not a transaction.”

Sometimes the signature is the whole attack.

7) “Decentralized hosting” payloads (harder to takedown)

Some campaigns are experimenting with hiding malicious payload delivery in places that are annoying to block, including techniques that leverage public blockchains as part of infrastructure.

Google described DPRK-linked activity using EtherHiding to support malware delivery in a way that complicates blocking/takedown.

Builder trap: “We blocked the domain.”

Cool. The payload isn’t on a normal domain anymore.

The common mechanic: they’re not stealing your keys — they’re stealing your decisions

If you strip the details, most of these attacks are just three moves:

  1. Establish legitimacy (brand, identity, context)
  2. Apply urgency (“now”, “ASAP”, “critical”)
  3. Trigger an action (run, install, merge, sign)

So the defense is not only “better antivirus.”

It’s better decision gates.

A simple decision rule (use this daily)

When someone asks you to do something “urgent,” ask three questions:

  1. Identity: can I verify who you are out of band?
  2. Action: what exact action do you want me to take?
  3. Blast radius: what’s the worst-case if this is malicious?

If the blast radius includes:

  • “leak secrets”
  • “publish code”
  • “sign something”
  • “deploy something”

…then you don’t do it in a DM window. You move it into a controlled process.

Closing: attackers ship too

Social engineering attacks targeting Web3 developers are getting “better” for the same reason Web3 products get better:

people iterate. they learn. they optimize funnels.

So don’t just harden your contracts.

Harden your habits.

Because in 2026, the easiest exploit is still:

A developer, a deadline, and one “quick task.”

Thank you for reading this article, hope it’s helpful 📖. See you in the next article 🙌.

Top comments (0)