A Fake Tech Company Scam: Here's How I Caught It in Time
A sophisticated scam where they offered a role to an experienced tech professional with the intention of stealing his crypto wallet credentials!
Intro
With the rise of AI, there are not just upsides but also downsides.
We have seen AI cheating in interviewees, where interviewees actually change their appearance with AI and respond to questions with answers generated by ChatGPT.
If you’re interested in how to design your interview process against it, check this article:
We have also seen a rise of various different scams, some including deepfakes impersonating people, enhanced cyber attacks and various automated phishing attacks.
This story that we are going to go through today is particularly relevant for all tech professionals searching for new roles. First of all, be careful and make sure to spot the red flags as soon as possible.
There are many fake companies out there with fake roles, looking to benefit from people who are eager to contribute, so make sure to be careful.
Kjartan Manvelyan was hired for a role of technical project manager, but then it turned out that everything was fake: the people, the Slack workspace, the codebase.
All with the intention for him to download the codebase so they could do harmful things. Luckily, he found out at the right time, so no harmful things have happened.
And to make it worse, all of this happened on his birthday!
To ensure that this doesn’t happen to you and that you’ll be well-prepared if something similar occurs, Kjartan has kindly shared his experience in detail with us.
Make sure to read on.
Introducing Kjartan Manvelyan
Kjartan Manvelyan is a Fractional CTO and a seasoned tech professional. He specializes in driving impactful results across technology, team leadership, and cloud automation.
Kjartan is currently in search of a new role, so make sure to contact him while he is still available. But please, no scams!
The Sophisticated Scam
As someone who has worked as a Fractional CTO and consultant with various startups and clients across Europe for the past six years, I thought I had seen it all when it came to phishing attacks disguised as real jobs.
But nothing quite prepared me for the sophisticated scam that almost caught me on what was supposed to be the start of an exciting new role — and on my birthday, no less.
As I mentioned, this wasn't my first encounter with malicious job offers. Over the years, I've been targeted by several fake interview schemes, but this one stood out for its next-level sophistication.
The scammers had clearly refined their approach over many iterations. This was not their first rodeo.
Here's my story of how it unfolded, and more importantly, how you can protect yourself from similar threats.
Initial Contact With Recruiter
The first red flag I should have caught was how the initial contact happened.
The "recruiter" presented themselves professionally, with what appeared to be a legitimate LinkedIn profile. They spoke about a freelance role as a technical project manager in a well-funded blockchain project, a role I am qualified for and which happens to be on the current list of titles in my job search.
The job description ticked many boxes; it aligned with my background in engineering leadership, offered great compensation, and seemed like a natural fit for my skill set. And it was remote.
However, looking back, there were subtle warning signs I should have picked up on earlier. The recruiter was vague about the specific company details during our initial conversations.
I checked out the company website, which seemed legit. It was a blockchain development agency based in Estonia and Ukraine, named Omisoft. I looked them up for due diligence and verified that they were the real deal.
I also performed a WHOIS lookup on their domain name to check that it hadn’t been recently registered, as well as finding out who potentially owned the domain.
One funny incident that happened during this process was when I initially entered the domain name of the company, omisoft.net. During shady encounters like this, for security reasons, I don’t click on links sent to me - but rather open them in a Tails OS virtual machine instance.
This protects me from any potential phishing attempt, and also hides my real IP, as Tails OS is a Linux distro built to be anonymous. The first time I managed to type the URL incorrectly, which took me to a site that had no https certificate.
When I asked the recruiter about this, expressing that a missing certificate was concerning to me and if they could explain it, they corrected me and gave me the link again.
This little blunder actually made me put my guard down for a moment, and worked in the scammer's favor by moving the trust between us a little bit more to the right on the scale.
In my previous encounters with fake interviews, the scammers made the mistake of moving too quickly to the technical assessment phase, often asking me to download and run code within the first or second interaction.
It could be a Bitbucket or GitHub private repository - in the most amateur cases, a Zip file. The malicious code would be obfuscated, basically, how AI slop code can look like.
Imagine strangely named variables and code that, in general, is difficult to understand at first. After a more thorough inspection, it becomes evident that the intent is malicious, and that the only thing the code does is to steal your crypto wallet credentials and saved passwords. It can also be embedded in a web application that looks real at first, or in an installation script.
This time, the scammers were more patient, building credibility through multiple touch points before moving to the next phase. Presenting themselves as a recruiter was a smart move, and definitely brings the operation to another level.
Bear in mind, during the entire process, I am still aware I am most likely dealing with a scam. I usually don’t check all links sent to me in a sandboxed Linux instance running Tor. I am paranoid, but not that paranoid. Perhaps I should be from now on, though.
Video Interview With Sam, the Hiring Manager
After the initial chat with the recruiter on LinkedIn, next up was a call with Sam, the supposed hiring manager. The recruiter gave me a Calendly link, which is also something I have never seen used by scammers before.
I scheduled a video call. It was during my holidays on an island near the Arctic Circle in Norway, with only a mobile internet connection that sometimes could be very slow. And of course, on the morning of the interview, the network was temporarily downgraded to 100kbps due to an influx of tourists on the island.
I asked to reschedule. This was not a problem, and I booked a call the next day.
After I received the calendar invitation in my inbox, I noticed the hiring manager had tied his personal Gmail account with Calendly. Another potential red flag, but to be fair, I also use my personal email for Calendly. I am sure many others do as well.
However, by now my internal alarms had already been raised multiple times, so at this point I decided to play along till the end to see where this journey would take me. This was going to be interesting.
When our call first connected, I was surprised to see “Sam” on video in front of me, looking exactly like the photo from his Gmail account. However, the video was choppy, and within a few seconds, he asked to switch to audio-only, as “there seems to be connection problems”.
Potentially believable, as I am sure most of us have experienced having to do the same on some video calls.
Sam's lips did not seem to be moving when he was talking. The person on screen was shifting about a bit in his office chair, and since the video was also lagging, it was difficult to see much. He was on video, probably for 5-7 seconds in total, before he switched to audio.
The video was probably an AI-generated video clip from the avatar used on Sam's Gmail account. Either edited to look choppy post-generation, or it is a direct output from an AI-powered video generator, like Google's Veo3 platform.
This is what makes most sense, as it’s very unlikely Sam was using some form of network speed throttling to simulate a poor connection while actually showing his real face on camera.
I proceed on to the interview, feeling excited to get the chance to talk to a scammer for a whole half hour.
Sam starts off by presenting the project. However, he is obviously reading an AI-generated text, and it sounds a bit like a school presentation in 6th grade, reading the text with a monotonous, disinterested voice.
Add a strong Russian/Ukrainian accent on top. I am sure he has done this many times, and figured I would be bored as well. At this point, I feel some empathy for the guy. Sam sounds tired.
We then move on to relevant questions about my experience with technology and leadership. Sam shows a genuine interest in finding out how technical I am.
After going through many questions and elaborating more on my resume and experience, he seems satisfied. My feeling at the end of his questions was that I had passed their requirements. They were definitely looking for someone with technical skills.
Sam informs me they are on a quick timeline and wanted to know my earliest availability. I gave him a date, my hourly rate and was told they would get back to me soon. Sam finished off by mentioning they are only doing one interview round due to time pressure. Red flag again, but not unheard of for contract work.
After a few days, they reached out with good news: they wanted to hire me. The timeline felt kind of reasonable, not rushed like in my previous experiences.
In a chat message, Sam tells me I have to sign an NDA and tells me I will be invited to their Slack workspace next. When I read the word “Slack”, I must admit I started having some doubts again. My internal trust-o-meter started shifting towards the opposite direction.
“They have a Slack workspace? What the heck.”
Phishing information for NDA
Sam proceeds to ask me for the information needed for the NDA. They want to know a lot about me - phone number, birthdate, address, citizenship, the works.
I politely reply that I will not be providing my birthdate and some other info, as this has never been necessary previously in my career after signing many NDAs.
Sam says “ok”.
Shortly after I joined the Slack workspace, Sam messaged me again. He sends me a document, which apparently is the contract and NDA combined. This is where the red flags begin multiplying.
The document looked professional at first glance, with proper formatting and legal language, but again, I was asked to fill out my birth date and other sensitive information.
There is no tax ID/organisation number listed for the company, nor is there an address either. In my time working with EU startups and companies, every single legitimate contract has included this information.
The document is signed by “Martin Humdinger, Head of Marketplace Ops”. Below is a screenshot, along with the fake address I provided.
I proceed to Google the mysterious Martin Humdinger. Nothing comes up. The name didn't match any LinkedIn profiles or other online presence associated with the company.
I decide to ask Sam a few questions about the contract. Some of my questions were:
“Who is Martin Humdinger? I would love to speak to him.”
“The contract is missing some important info. Can you send me an updated version of the contract with the tax ID/organisation number for Omisoft, as well as the company address? This is required for tax and legal compliance.”
I also added some other questions regarding the clauses covering payments, trying to show I was still under the illusion this thing was real.
While waiting for his reply, I started looking around in Slack.
The Fake Slack
 | A guest post by
|