Fake Crypto Job Scams
Fraudulent job offers in the crypto industry that steal funds, harvest credentials, or install malware through the hiring process.
Last reviewed: 1 June 2026
What this scam is
Fake crypto job scams use fraudulent employment opportunities in the cryptocurrency and Web3 sector to steal money, credentials, or install malware on victims' devices. The crypto industry's rapid growth, high advertised salaries, and remote-first culture make it a compelling context for job fraud, and the technical complexity of the sector gives scammers opportunities to introduce malicious steps into an apparently normal hiring process.
These scams take several distinct forms. In the pay-to-work variant, victims are told they must purchase equipment, software, or cryptocurrency as part of onboarding — money that is simply taken. In the credential-harvest variant, a convincing hiring process collects sensitive personal and financial information that is used for identity theft or account takeovers. In the malware delivery variant — increasingly common — the 'job' involves a technical task that requires downloading software, which is actually a trojan or remote access tool giving the attacker control of the victim's device.
The malware variant is particularly targeted at software developers, content creators, and security researchers who would plausibly download and run code or software as part of a job interview or assignment. A coding test, a video call application, a 'custom collaboration tool', or a project repository can all serve as delivery vectors. Once the malware is installed, it can harvest wallet credentials, extract browser-stored passwords, and give the attacker persistent access to the victim's device.
Some fake job scams are linked to broader organised fraud operations that use employed 'workers' as intermediaries in money laundering or as recruiters for pig-butchering schemes — a situation where the 'employee' may themselves become a victim of wage theft, coercion, or legal jeopardy.
How it works
A job offer arrives via LinkedIn, a job board, a freelance platform, or direct message. The role is typically well-paid, remote, and in a plausible position: developer, community manager, content creator, marketing lead, or security researcher. The posting may use real company names and branding, or the names of known projects.
An initial screening process builds credibility — there may be email exchanges, a written application, or a call with someone playing the role of a recruiter. The process is designed to feel legitimate enough that the candidate invests time and develops a sense of commitment.
At a key stage, the malicious element is introduced. In the equipment or software purchase variant, the candidate is told to buy hardware or software from a specific vendor, sometimes with a promise of reimbursement that never comes. In the credential-harvest variant, tax and banking forms or 'security verification' asks for sensitive personal information.
In the malware variant — particularly targeting developers — the candidate is asked to complete a coding test by cloning a repository, run a custom tool for a video interview, install a proprietary collaboration environment, or review a project's codebase. The repository or installer contains obfuscated malicious code. Once executed, the malware deploys silently.
For non-technical roles, a 'training portal' or 'onboarding app' may serve the same purpose.
Why this scam works
Job seekers are motivated to complete tasks and demonstrate competence. The hiring context normalises a degree of compliance — following instructions, installing required software, completing assignments — that would be questioned in other contexts. Crypto roles in particular often involve technical tooling that candidates accept without scrutiny.
The prospect of a well-paying remote role creates emotional investment that reduces scepticism. A candidate who has spent two hours on an interview process is less likely to pause at a final instruction that would have seemed suspicious at the start.
The technical complexity of the crypto sector means that requests involving unusual tools, blockchain connections, or token-related tasks can seem plausible to outsiders unfamiliar with what is genuinely standard.
A typical pattern
A developer receives a LinkedIn message from a recruiter at what appears to be a known blockchain protocol. After a brief exchange, they are asked to complete a technical assessment by cloning a GitHub repository and running a setup script. The script executes without obvious errors and the task completes. Several days later they notice unfamiliar transactions in their connected wallets and their saved browser passwords have been used to access accounts. Investigation reveals the repository's setup script contained obfuscated code that installed an infostealer on their machine. The recruiter's profile was fake.
Common red flags
- Job offer arrives via unsolicited DM rather than an application you initiated
- Employer asks you to purchase equipment, software, or cryptocurrency as part of onboarding
- Technical task requires running code or installing software you cannot independently verify
- Company cannot be verified through official channels outside the offer itself
- Recruiter profile created recently or with inconsistencies in work history
- Salary or opportunity seems unusually high for the described role
- Onboarding involves providing sensitive financial or identity documents early in the process
- Video interview requires installing a custom application
- Request to keep the role confidential before signing
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
Hi, I came across your profile and think you'd be a great fit for our [role] position at [company]. DM me to learn more.
We're hiring remote [role] at [amount]/month. No experience needed, full training provided. Apply: [fake link]
Congratulations — you've been selected for our developer trial. Clone this repo and run the setup to complete your assessment: [fake link]
To complete onboarding, please purchase the required [software/hardware] from our certified vendor: [fake link]. You will be reimbursed on your first paycheck.
Our video interview platform requires a quick install — download it here before our call: [fake link]
Before we can proceed, please complete identity verification through our portal: [fake link]
Common variations
- Pay-to-work scam — onboarding requires upfront equipment or software purchase
- Malware interview task — coding test or assessment delivers an infostealer
- Custom video call app — fake collaboration tool installs remote access malware
- Credential harvesting — fake onboarding forms collect banking and identity documents
- Money mule recruitment — victim is unwittingly used to receive and forward stolen funds
- Fake freelance project — short-term task on a freelance platform with same malware delivery method
How to verify before you act
Verify any job offer by searching for the company independently through official channels — not the link in the offer. Check whether the company has a real, established web presence, verifiable staff on professional networks, and genuine job listings on their official site.
Be sceptical of any job that requires upfront payment, equipment purchase, or cryptocurrency deposit as part of onboarding. Legitimate employers pay for required tools; they do not ask candidates to fund them.
Never run code, install software, or execute scripts from a job application unless you have independently verified the employer's identity and the code's contents. For developer roles, review any repository carefully before running it — ideally in an isolated or sandboxed environment.
Be cautious of roles found via direct message or unsolicited outreach from someone you have not previously engaged with.
Payment methods used
- Upfront equipment or software purchase (cash, card, or crypto)
- Crypto wallet drain via installed malware
- Credential theft enabling account takeovers
Who is usually targeted
- Software developers with crypto or blockchain experience
- Crypto community managers and content creators
- Security researchers
- Job seekers with self-custody crypto holdings
- People seeking remote work in the Web3 industry
What to do immediately
- If you ran code from the job application, assume your device may be compromised — run a full antivirus scan immediately
- Move funds from any wallets accessible from the potentially compromised device to new addresses on a clean device
- Change passwords for any accounts whose credentials were stored on the affected device
- Revoke any API keys or wallet approvals that may have been captured
- Report the fraudulent job posting to the platform it appeared on
- Report to your national fraud authority with all communications and links as evidence
- If the fake employer used a real company's name and branding, notify that company directly
How to prevent it
- Verify any employer independently via official channels before proceeding with any application steps
- Never purchase equipment, software, or cryptocurrency as a condition of employment
- Run any provided code or repositories in an isolated, sandboxed environment — never on a primary device
- Be cautious of any technical task that requires installing software you cannot independently review
- Treat unsolicited job outreach via DM with extra scrutiny — verify the recruiter's profile and company independently
- Never provide sensitive financial documents or identity information early in a hiring process before verifying the employer
- Keep wallets and important accounts on a device separate from the one used for job searching and application tasks
Evidence to preserve
- All communications from the recruiter and links provided
- The job posting URL and screenshots
- The repository URL or installer link
- Transaction hashes for any funds moved from affected wallets
- Antivirus scan results identifying any installed malware
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Australian competition & consumer reporting
- Your bank's fraud line — Use the number on the back of your card or in your banking app — never a number the caller gives you
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
Can a job scam really install malware just from running a coding test?
Yes. A code repository can contain scripts that execute malicious code during setup or build steps. This is a documented attack vector targeting developers — the technical framing makes the action seem legitimate. Always review code carefully and run unknown repositories in an isolated environment.
Is it normal to be asked to buy equipment for a remote job?
Legitimate employers generally provide or directly pay for required equipment. A request for you to purchase equipment from a specific vendor, with reimbursement promised later, is a recognised scam pattern. Do not pay.
How can I verify a crypto company is real before interviewing?
Search for the company name in independent sources — industry publications, blockchain project directories, professional networks. Check whether they have a verifiable website, known team members, and a history of genuine activity. If you can only find the company through the recruiter's own links, that is a warning sign.
I accepted a job and was asked to receive and send on crypto payments — is this legitimate?
Extremely unlikely. This is a money mule recruitment pattern. Receiving and forwarding funds on behalf of an employer — especially via cryptocurrency — is a common method for moving stolen money. Participating can expose you to criminal liability regardless of whether you knew the funds were stolen. Stop immediately and seek legal advice.
Are on-chain transactions made by malware on my device reversible?
No. Blockchain transactions are irreversible. If malware uses credentials from your device to initiate transactions, those transfers are final. Act immediately to secure remaining assets on clean devices, but do not expect to recover what has been taken.
Should I trust a job offer that came through LinkedIn or a major platform?
Major platforms reduce but do not eliminate risk — scammer profiles exist on all of them. Verify the employer independently of the platform. Check whether the company is real, has a genuine web presence, and that the recruiter's profile is consistent with the company's actual team.
What is an infostealer and why is it dangerous?
An infostealer is malware that harvests credentials, cookies, and wallet data from your device — including saved browser passwords, exchange session cookies, and wallet application files. With this data, attackers can access your accounts and drain wallets without needing your seed phrase directly. It is one of the most common malware types delivered through fake job tasks.
Is a recovery service able to get back funds stolen via a job scam?
No. Recovery services targeting people who have lost funds to scams are themselves scams. Blockchain transactions are irreversible, and no service can change that. Report to authorities and document everything, but do not pay anyone claiming to recover funds.