I continued by explaining that a Ledger hardware wallet stores keys cryptographically but when the Ledger Nano X is plugged into a device it is connected to the internet, the Ledger Nano X is vulnerable. I continued to explain that if the seed phrase or private keys are compromised then the Ledger Nano X cannot prevent assets being transferred from the addresses stored within the USB device. An attacker only needs to import the compromised seed phrase or private keys into another software wallet to sign transactions. There have been recent concerns surrounding Ledger Live and the potential vulnerabilities in recent firmware releases.
All I knew at this point was that the crypto assets stored in addresses on the Ledger Nano X had been transferred without the knowledge of the owner. Using blockchain analysis tools I identified the assets as being stolen and continued to monitor those crypto assets by setting up alerts to notify me of any activity involving the addresses that received the stolen funds. After looking at some system log files and processes running on the victim’s device using a secure meeting with screen share it was clear there was malware running on the device. This malware was persistent and undetected by anti-virus software used by the victim, including using Windows Defender Offline scan which is designed for malicious software that can be particularly difficult to remove from your device.
CryptJobs.com with the links to a Google form and the website that deploys the malware. The code to input into the website to automatically download and run a file labeled EcoLand.exe that executed the malware on a device.
In this case the source of the malware was a job advertised on CryptoJobs.com by a company called Eco Land. Now you would have thought there would be some kind of due diligence process to be followed and certain parameters met before a job listing was approved for listing on the CryptoJobs.com website. After looking at the job listing, I was shocked to see three red flags that should have been looked at and reviewed before the listing went live on the website. The first red flag was a link to a Google forms page asking for personal information including names, email addresses and blockchain addresses as well as other input fields. The second red flag was a link to the website hosting the malware and the third was a code to input into the website to automatically download and run a file labeled EcoLand.exe that executed the malware on a device.
Showing the redirect to DropBox.com to download the EcoLand.exe file that executes the malware on a device. Another company listing with the same malware link is Eco Meta.
If this was an isolated incident and not a recurring event you would think that the problem was resolved promptly and Cryptojobs.com user's best interests in mind. But the same link to the Google form has been used on multiple company accounts Eco Land, Eco Verse and Eco Meta. These are the ones I have proof of but there have been reports of other names being used. The number of victims could be high due to the amount of time this has been allowed to continue by Cryptojobs.com. It has been happening for ten days before CryptoJobs.com suspended new company registrations claiming “registrations have been paused temporarily due to maintenance” with no mention of links to malware or warnings to users of any kind.
Showing the comments in the website code, used to infect job hunters devices. A conversation with “Bob” after being offered the job on telegram to get the code to input into the website to download the malware.
What has to be the biggest factor showing CryptoJobs.com's lack of review on companies and job listings is the comments in the website code, used to infect job hunters devices. This is viewable with developer tools, “<!-- THIS IS A HACK AND A HALF but I don't care -->”. This is visible before entering any code and infecting a device. The website only targets Windows and Mac users. I have not used a Mac and only have the Windows version of the malware to analyze, a copy has been uploaded to VirusTotal.com. The malicious file is downloaded from a DropBox.com account after entering a code given by “Bob” on telegram.
In conclusion this is a lesson for the entire blockchain industry. The victim put their trust into Ledger, CryptoJobs.com and the Eco Land company that are all registered businesses, this trust led to malware being installed on their device resulting in the loss of crypto assets.
Could there have been a flaw in Legers firmware? Possibly.
Could CryptoJobs.com have done more to protect its users? Yes.
Could Eco Land have morals and consideration for other human beings? No, they are criminals and have no consideration for the devastation they leave behind!
Never trust anyone or any business entity with your asset security, only you can ensure that crypto assets are secure. Always verify the source of any information presented to you. Don’t rush to be the first to apply for a job that requires you to complete any tasks to apply for a position on a third-party website, always use the platform where the job is listed. With this attack being very profitable for the criminals behind the scam, I expect this to become an increasing trend in the blockchain space. Be extra vigilant in your job search and always scan files received with an anti-virus tool.
Here are some other articles you might find interesting.
The shift away from traditional physical cash and coin payments in the UK has accelerated in recent years...
On the 14th of September, we attended an inaugural South West Regional Cyber Crime Unit Leaders Conference
Blockchain security is constantly evolving with regulations, be sure to stay informed.