Why You Need a List of Fake Recruitment Agencies: Lessons from a Web3 Malware Attack

Julian Drangosch

Navigating the job market in the Web3 and blockchain space has become a digital minefield. As developers increasingly search for a comprehensive list of fake recruitment agencies to protect their careers, threat actors—specifically those linked to state-sponsored groups like Lazarus—are evolving their tactics. These fraudulent entities act as front organizations to deliver devastating payloads like BeaverTail and InvisibleFerret.

Below is a curated list of fraudulent entities and “front” companies identified in recent Web3 cyber-espionage and theft campaigns.

List of Fake Recruitment Agencies & Front Companies (2026 update)

If you are contacted by individuals claiming to represent these entities, proceed with extreme caution:

  • BlockNovas: Often targets Web3 developers with high-paying remote roles.
  • Couch Chain: Known for distributing trojanized coding tests via GitHub.
  • AppSaga: Frequently used in “Contagious Interview” campaigns.
  • Dev-Tech / InnoQuest: Generic names used to mirror legitimate software houses.
  • Symfa (Impersonated): Attackers often steal the identity of real Symfa executives to build trust.
  • BitLink / Zentify: Fronts identified in credential exfiltration attacks targeting crypto wallets.

Found a suspicious agency or recruiter?

Don’t let them target someone else. If you’ve encountered a suspicious job offer or a company that belongs on this list, report it to our security team immediately for analysis and takedown. Need to report a scam? Click here to report to PhishFort.

The Anatomy of a High-Stakes Social Engineering Attack

A great example of how these “agencies” operate is the story of David Dodda, a developer who narrowly escaped a machine compromise after being targeted by a highly polished, yet entirely fake, recruitment setup.

In October 2025, software developer David Dodda shared a chilling account of how a seemingly legitimate job opportunity on LinkedIn nearly resulted in his machine being compromised by sophisticated malware. This incident highlights a growing trend in targeted attacks against developers, particularly those in blockchain and cryptocurrency spaces.

How the Scam Unfolded

Dodda was contacted via LinkedIn by an individual posing as Mykola Yanchii, “Chief Blockchain Officer” at Symfa—a company with a professional-looking profile and website. The offer was for a part-time role contributing to BestCity, described as a real estate workflow platform. By using a polished LinkedIn profile and a mirrored corporate website, the attackers bypassed initial skepticism.

Screenshot of the fake LinkedIn Profile

This is a hallmark of many entities on the unofficial list of fake recruitment agencies: they don’t just create fake names; they steal the identities of real executives to build instant rapport. After initial discussions and a scheduled interview call, the recruiter sent a “test project”: a React/Node.js codebase hosted on Bitbucket. The repository appeared polished, complete with a detailed README and documentation, encouraging the candidate to review, fix bugs, and prepare for discussion.

Technical Breakdown: The “UserControl” Malware

Pressed for time with only 30 minutes before the call, Dodda began examining the code locally without isolating it in a sandbox. Before executing npm start, he decided to leverage AI for a quick review, prompting it with:

“Before I run this application, can you see if there is any suspicious code in this codebase? Like reading files it shouldn’t be reading, accessing crypto wallets, etc.”

The AI quickly flagged obfuscated code in server/controllers/userController.js.



Decoding the byte array revealed a URL (https://api.npoint.io/2c458612399c3b2031fb9) that fetched and executed a remote payload via new Function. Analysis on VirusTotal confirmed that the payload was designed to steal cryptocurrency wallets, sensitive files, and passwords, and to establish persistent access.

The malware relied on multi-layer obfuscation—byte arrays, async IIFE, and dynamic remote loading—to evade initial detection. It was implemented in server-side code with full Node.js privileges, poised to activate when certain routes were accessed.

Dodda was seconds away from running the application when the AI alert stopped him. The remote URL was active briefly before being taken down.

The attack utilized a multi-layer obfuscation technique:

  1. Byte Array Obfuscation: The malicious URL was hidden as a series of integers.
  2. Dynamic Remote Loading: Using axios and the new Function constructor, the code fetched a remote payload that never touched the local disk until execution.
  3. Privilege Escalation: Running npm start would have started the Node.js process with the developer’s own user privileges, giving the payload full access to the developer’s filesystem.

According to research by BleepingComputer, these payloads are often designed specifically to exfiltrate browser credentials and private keys from browser-based crypto wallets.
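A static pre-run check for the byte-array and new Function patterns listed above, added here as an illustration; it is not code from the incident or from Dodda's write-up. The sample source, the example.invalid URL, and the names scanSource, decodeArrays and demo are constructed for this example.

```javascript
// Static pre-run scan for integer-encoded strings and dynamic-code sinks.
// It reads source as text only and never executes it.
const SINKS = [/\bnew\s+Function\s*\(/, /\beval\s*\(/, /\bchild_process\b/];
const INT_ARRAY = /\[\s*((?:\d{1,3}\s*,\s*){7,}\d{1,3})\s*,?\s*\]/g;

// Decode every integer array (8+ values) whose values are all printable ASCII.
function decodeArrays(source) {
  const found = [];
  for (const m of source.matchAll(INT_ARRAY)) {
    const nums = m[1].split(',').map((n) => Number(n.trim()));
    if (nums.every((n) => n >= 0x20 && n <= 0x7e)) {
      found.push(String.fromCharCode(...nums));
    }
  }
  return found;
}

// Return one finding per decoded array and per line containing a sink.
function scanSource(file, source) {
  const findings = [];
  for (const text of decodeArrays(source)) {
    const kind = /^(https?|wss?):\/\//i.test(text) ? 'hidden-url' : 'hidden-string';
    findings.push({ file, kind, detail: text });
  }
  source.split('\n').forEach((line, i) => {
    if (SINKS.some((re) => re.test(line))) {
      findings.push({ file, kind: 'dynamic-code', detail: `line ${i + 1}: ${line.trim()}` });
    }
  });
  return findings;
}

// Constructed sample (not the code from the incident): a controller that hides
// a placeholder URL as integers and passes a string to new Function.
const hidden = Array.from(Buffer.from('https://example.invalid/cfg')).join(', ');
const SAMPLE = [
  "const axios = require('axios');",
  `const src = [${hidden}];`,
  'const run = (body) => new Function(body);',
  'module.exports = { run };',
].join('\n');

function demo() {
  return scanSource('server/controllers/userController.js', SAMPLE);
}

console.log(demo());
```

A clean result from a scan like this does not clear a repository, since other encodings and sinks exist; it only makes these two patterns visible before anything is executed.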

Broader Threat Landscape

This attack aligns with ongoing campaigns attributed to North Korean state-sponsored groups (e.g., Lazarus subgroups like Contagious Interview). These actors frequently impersonate recruiters for blockchain roles, using platforms like LinkedIn, Upwork, and CryptoJobsList to deliver trojanized “coding tests” on GitHub, GitLab, or Bitbucket.

Similar incidents reported in 2025 include:

  • Fake companies (e.g., BlockNovas, Couch Chain) luring developers with Web3 opportunities.
  • Malware variants like BeaverTail, InvisibleFerret, and others stealing credentials and crypto assets.
  • Exploitation of job market pressures to rush candidates into executing unvetted code.

Developers are prime targets: their machines often hold production credentials, SSH keys, and crypto wallets, the “keys to the kingdom.”

The 2023 CoinsPaid incident—where a fake interview tricked an employee into installing malware, leading to a $37 million theft—served as an early blueprint for these evolving tactics. Developers remain high-value targets due to their access to sensitive credentials, SSH keys, and cryptocurrency wallets.

How to Build Your Own “Safe List” of Recruitment Entities

While a static list of fake recruitment agencies is a vital starting point, attackers rotate domains daily. You must supplement the list with operational pattern recognition.

Red Flags of a Fraudulent Agency:

  • Domain Discrepancies: They use email addresses like hr-department@company-jobs.com instead of the official @company.com.
  • Urgency Tactics: The recruiter pressures you to run a “coding test” within 30 minutes of the first contact.
  • Platform Hopping: Moving the conversation from LinkedIn or Upwork to Telegram or WhatsApp is a major warning sign.
  • Unvetted Codebases: The recruitment process requires running a full Node.js or Python environment locally, and the organization has no verifiable GitHub history.

FAQs

How can I find a list of fake recruitment agencies in crypto?

While there is no single government database, security communities on X (formerly Twitter) and platforms like ScamAdviser frequently update lists of known fraudulent domains. Always cross-reference the recruiter’s name with the official company website.

Is LinkedIn safe from fake recruitment agencies?

No. Threat actors frequently create high-quality fake profiles or hack legitimate ones to launch impersonation attacks. Always verify a recruiter’s identity through a second, independent channel before downloading any attachments.

Staying Ahead with PhishFort

At PhishFort, we understand that your brand’s reputation is only as secure as your team’s digital perimeter. Threat actors are no longer just attacking servers; they are attacking your people through executive impersonation and sophisticated social engineering.

Our Web Threat Defense services provide real-time monitoring of phishing domains and impersonation attempts. By neutralizing these scams at the source, we ensure that your developers and executives stay focused on building, not defending against Lazarus-grade threats.

Protect your assets and your identity. Report suspicious activity to PhishFort and stay vigilant against the next generation of Web3 threats.
