As a Blockchain Engineer and Chainlink Developer Expert with over five years of experience in Web3 development, my journey into smart contract security research began with a simple realization i.e. in this rapidly evolving space, being able to build securely is just as important as being able to build at all.
My background spans work across multiple blockchain ecosystems including Ethereum, Hedera, Rootstock, and various EVM chains augmented by the Chainlink oracle network. Throughout my career, I’ve developed complex systems from satellite broadband service marketplaces using dynamic NFTs to renewable energy protocols with tokenized rewards. But as my experience in the space grew, so did my awareness of its vulnerabilities.
This is why I joined Cyfrin Updraft’s program in November 2023. As a Blockchain Engineer and Full Stack Developer, I recognized the critical need to spot scammers and bad actors in the Web3 domain. This space, still in its infancy, is unfortunately plagued with malicious entities looking to exploit unsuspecting developers and users alike.
The Reality of Web3 Security Threats
The Web3 ecosystem, despite its promises of decentralization and transparency, remains a fertile ground for scammers. My security journey has been motivated by witnessing countless projects fall victim to exploits, hacks, and fraudulent schemes. From reentrancy vulnerabilities to flash loan attacks, the technical attack vectors are numerous. But beyond the code-level threats, there’s a more insidious danger i.e. social engineering targeted at developers themselves.
Scammer Alert: A Recent Encounter
Just recently, I was approached by scammers via LinkedIn, a common hunting ground for predators looking for technical talent. They presented themselves as legitimate business professionals seeking collaboration on a project. Let me share this experience as a cautionary tale for all Web3 developers.
A person calling himself “Joe,” claiming to be the CEO of a company called MindGeek Labs (with a website at mindgeeklabs.com), reached out regarding a supposed project. They had a GitHub repository (github.com/mindgeek-pm) and claimed they needed help taking their platform to “the next level” i.e. a platform supposedly designed to empower users with tools for cryptocurrency trading and investment.
Here’s their initial message:
Hi Edwin,
I hope this message finds you well.
We are in the process of expanding our EVM chain platform, and we are seeking highly skilled software developers to help us scale and enhance the platform. I'd like to explore the potential for collaboration with you on this initiative.
👉 Here are the key details:
1️⃣ Team: 6-8 members
2️⃣ Rate: $80-150/hr (depending on role and experience)
3️⃣ Project Timeline: 3-6 months
4️⃣ Estimated Budget: $700K–$800K (for 6 months)
5️⃣ Work Setup: Fully remote with flexible hours (Part-time opportunities available)
6️⃣ Payment: Crypto preferred (USDT, USDC, ETH)
If this opportunity aligns with your interests and availability, I would be happy to discuss the specifics further and explore how we can work together.
Looking forward to your response.
Best regards, Joe
The bait was attractive with high hourly rates, a substantial budget, remote work, and crypto payments. But something felt off, so I decided to play along to understand their methods and expose their operation.
They followed up with more details about their supposed project:
Okay, first of all, let me briefly share some details about our project.
Our platform encompasses key functionalities such as pooling, liquidity provision, staking (farming), and trading. We are in the process of developing a decentralized exchange (DEX) platform for traders within the EVM network, with plans to integrate an Automated Market Maker (AMM) mechanism.
Initially, we hired a team to help with our project, but unfortunately, their coding skills didn't meet our expectations. As a result, we are seeking a more experienced team to take over and lead the development of this project. Here's a brief overview of our requirements
https://docs.google.com/document/d/1Ttr9CdQvSetonrumBKR2jiUIrIwezunmyKU0o9Q7Wvw/edit
We also need to implement the mobile design.
There are several modifications required to align the platform with our evolving vision. An important aspect to consider is the animation on the landing page. This is crucial because the landing page is the first thing users see when they visit the site. While there is currently an animation, feedback from visual experts and developers suggests that it would be better to remove it. The animation is too tiring on the eyes, and removing it could improve the overall user experience by creating a cleaner design.
I'm excited about the direction we're heading, and I believe this project has potential.
Our project is being developed using React, TypeScript, Node.js, and Web3.
Given your expertise, I believe you would be an excellent fit for the lead role.
Would you be available for a meeting with our CTO next week to discuss the project in more detail? Let me share his calendar link with you, Does that work for you?
They even shared a Google Doc with elaborate requirements for what seemed like a legitimate DEX platform enhancement project:
DEX Platform Enhancement Project: Comprehensive Task List (4-Month Contract)
1. Expand Connected Chain List
Integrate additional blockchain networks into the existing connected chain list to enhance interoperability and functionality.
2. Integrate Wallets into Connect Wallet Page
Objective: Enhance user experience by allowing users to connect multiple wallets seamlessly.
Wallets to Add:
* MetaMask
* Trust Wallet
* Coinbase Wallet
* Phantom Wallet
* OKX Wallet
* Binance Wallet
* Coin98
* MathWallet
* SafePal
* TokenPocket
3. Update Trading Page Functionality
* Crypto Token List Enhancement: Update the list of available cryptocurrencies to ensure it includes all current tokens.
* Add 24-Hour Trading Volume: Implement a section displaying the 24-hour trading volume for each token.
* Trading View Graph Updates: Enhance trading view graph features to provide real-time data visualization.
* Order List Table Integration: Develop an order list table that displays active orders with real-time updates.
* Token Icons in Dropdown: Incorporate brand icons for each token in the dropdown menu of the swap section for improved visual recognition.
* Secure Links Section: Ensure all links in the "Useful Links" section are updated and functional, pointing to relevant resources.
4. Revamp Dashboard Page
* Theme Update: Redesign the dashboard theme to prominently display key metrics such as 24-Hour Trading Volume, Open Interest, Long Positions, and Short Positions.
* UPL Index Composition Table: Update and optimize the UPL Index Composition table for better clarity and data presentation.
5. Overhaul Earn/Buy Page
* Token and Modal Links: Revise all token links and associated modal functionality to ensure accuracy and up-to-date information.
* Decentralized/Centralized Services Links: Update links to both decentralized and centralized services to enhance the platform's service offerings.
* Farm Section Addition: Design and add a new section or page dedicated to farming opportunities, providing users with insights and options.
6. Clean Up Testnet Integrations
* Objective: Remove all U2U testnet settings, configurations, and integrations to streamline the platform and avoid confusion for end-users.
Red Flags and the Reveal
The setup was elaborate, but several red flags emerged:
-
The detailed requirements document that lacked specific technical details about their existing codebase shared from a google drive rather than their own official website.
-
The vague explanations about their previous development team.
-
For such a large project, their Github Repository was just created in March 2025 with no active contributors.
-
Their code base was mainly HTML, CSS, and JavaScript with no smart contracts or backend code.
-
The purpose of the call is to discuss the project in more detail and to see if you have cloned their repository and test it on your local machine.
As a security researcher, I continued engaging with them, eventually setting up a meeting with their supposed CTO. During this meeting, I confronted them about being scammers. The moment they realized I was onto them, they vanished from LinkedIn without a trace. However, I still have our conversation on LinkedIn, their Calendly link and Google Drive document as evidence of their attempted scam.
The Typical Scam Playbook
Based on my security research and this encounter, here’s how these scams typically progress:
- Initial Contact: Scammers approach developers on professional platforms like LinkedIn with lucrative offers
- Elaborate Setup: They create fake companies, websites, and GitHub repositories to appear legitimate
- Documentation: They share detailed requirements to give an impression of a real project
- The Hook: They schedule a meeting with a “technical team member” to discuss project details
- The Attack: During technical discussions, they eventually guide the victim toward:
-
Cloning and installing their repository, which will contain malware
-
Convincing you to run their code to test some of the functionality
-
Gaining access to your crypto wallets
-
Stealing all your funds
-
Once they gain access to wallets or install malware, they can steal funds or compromise accounts for further attacks.
Protecting Yourself as a Web3 Developer
My journey as a Smart Contract Security Researcher at Cyfrin Updraft has equipped me with knowledge that every Web3 developer should have:
- Verify Thoroughly: Research companies, individuals, and projects extensively before engaging
- Code Analysis Skills: Learn to audit smart contracts and identify vulnerable patterns
- Security First Mindset: Approach every project and interaction with security as the priority
- Never Share Private Keys: Under no circumstances should you share private keys or seed phrases
- Use Test Environments: For any new project, use dedicated test wallets and environments
- Trust Your Instincts: If something feels off, it probably is
The Future of Web3 Security
My experience as both a blockchain developer and security researcher has shown me that the Web3 space needs more security conscious professionals. As I continue my journey as a Smart Contract Security Researcher specializing in fuzzing, invariant testing, and formal verification to identify bugs and protect Web3 protocols, I’m committed to sharing knowledge that helps make this space safer.
The sophistication of attacks, both technical and social, will continue to evolve with time. But through education, vigilance, and a community focused approach to security, we can build a more resilient ecosystem.
If you’re a Web3 developer, I encourage you to invest time in security research and training. The skills to build securely are just as important as the ability to innovate. Remember, in the decentralized world, you are often your own security team.
Let’s Go!
