Today, I was contacted on LinkedIn by Angel Diaz Gutierrez, presenting himself as:
Commercial and economic criminal law attorney – Partner at Asesores Diaz & Diaz
Valencia, Spain
He reached out with what looked like a legitimate opportunity:
A Senior Fullstack Developer role focused on blockchain and Web3.
What followed is a textbook example of how modern crypto scams are evolving — not through malware, but through social engineering + rug-pull smart contracts.
This post is a technical breakdown so other developers don’t fall into the same trap.
📩 Step 1: The LinkedIn Approach
The message was polished and professional:
- Remote role
- Web3 platform called “Purrtal”
- MVP completed
- Access to GitHub repository as part of the next stage
Everything sounded structured and corporate.
But here’s the first red flag:
The LinkedIn profile claims he is a lawyer, not a tech founder.
That alone doesn’t prove anything — but it’s unusual.
Then came the GitHub invite.
🔗 Step 2: The GitHub Repository
He invited me to this repository:
https://github.com/cookellieayh1833/purrtal
I created a public mirror for transparency and analysis:
https://github.com/nezirz/purrtal
At first glance, the project looks like a standard Web3 stack:
- React / Next frontend
- Backend (Node)
- Smart contracts (Solidity)
- Wallet integration
- Swap UI
- Foundry config
But once analyzed deeply, the structure reveals something else.
🧨 The Core Problem: A Rug-Pull Smart Contract
Inside:
src/contracts/Memecoin.sol
There are two critical functions:
function withdrawETH(address payable to, uint256 amount) external onlyOwner
function withdrawTokens(address to, uint256 amount) external onlyOwner
Translation:
The owner can drain:
- ALL ETH
- ALL tokens
At any time.
There is also:
function setTokensPerEth(...)
The owner can arbitrarily change token pricing.
That combination = classic rug-pull mechanics.
This is not a decentralized exchange.
This is a centrally controlled token trap.
🎯 Why This Is Dangerous
There is no obvious malware.
No keylogger.
No OS-level exploit.
This is worse.
This is financially engineered fraud.
The likely flow:
- Developer is asked to “review” the MVP.
- They’re encouraged to deploy or test the contract.
- They may be asked to buy tokens “to test swap.”
- ETH goes into contract.
- Owner drains funds.
End of story.
🧠 Additional Red Flags Found in Code Review
After scanning the repository using Gemini Pro and reviewing manually:
1️⃣ Owner-Controlled Admin Endpoint
Backend includes an admin endpoint that:
- Uses a server-side private key
- Can mutate on-chain token pricing
This centralizes full control in the hands of whoever owns the backend key.
Legitimate DeFi projects do NOT operate like this.
2️⃣ Wallet Signing Flow Can Be Abused
Frontend signs arbitrary backend-provided messages:
wallet.ts
If backend asks for malicious signatures, users can unknowingly:
- Approve transactions
- Authorize contract calls
Even if not currently weaponized, the architecture allows it.
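One client-side guard against this, as an added example (not code from the repository): check a backend-provided message before it reaches the wallet, and refuse anything that is not a readable sign-in message bound to this site, this wallet and a fresh nonce. It assumes the backend is meant to issue EIP-4361 (Sign-In with Ethereum) style messages; `checkBeforeSigning`, the `ctx` fields and all sample values are hypothetical.

```javascript
// Added example: gate wallet signing on a parseable EIP-4361 style message.
// Function names, ctx fields and sample values are assumptions for illustration.

function parseSignInMessage(message) {
  if (typeof message !== "string") return null; // typed data or objects
  if (/^0x[0-9a-fA-F]+$/.test(message.trim())) return null; // opaque hex blob
  const lines = message.split("\n");
  const head = /^(\S+) wants you to sign in with your Ethereum account:$/.exec(lines[0]);
  if (!head || !/^0x[0-9a-fA-F]{40}$/.test(lines[1] || "")) return null;
  const fields = {};
  for (const line of lines.slice(2)) {
    const kv = /^([A-Za-z ]+): (.+)$/.exec(line);
    if (kv) fields[kv[1]] = kv[2];
  }
  return { domain: head[1], address: lines[1], fields };
}

function checkBeforeSigning(message, ctx) {
  const parsed = parseSignInMessage(message);
  if (!parsed) return { ok: false, reason: "not a readable sign-in message" };
  if (parsed.domain !== ctx.expectedDomain) return { ok: false, reason: "domain mismatch" };
  if (parsed.address.toLowerCase() !== ctx.walletAddress.toLowerCase())
    return { ok: false, reason: "address mismatch" };
  if (parsed.fields["Chain ID"] !== String(ctx.chainId))
    return { ok: false, reason: "chain mismatch" };
  if (!/^[A-Za-z0-9]{8,}$/.test(parsed.fields["Nonce"] || ""))
    return { ok: false, reason: "missing or weak nonce" };
  return { ok: true, reason: "ok" };
}

// Constructed inputs: domain, address and nonce are made up for the example.
const CTX = { expectedDomain: "app.example", walletAddress: "0x" + "ab".repeat(20), chainId: 1 };
const GOOD = [
  "app.example wants you to sign in with your Ethereum account:",
  "0x" + "ab".repeat(20),
  "",
  "Sign in to the demo app.",
  "",
  "URI: https://app.example/login",
  "Version: 1",
  "Chain ID: 1",
  "Nonce: 8f3kQ21xZp",
  "Issued At: 2024-01-01T00:00:00Z",
].join("\n");

console.log(checkBeforeSigning(GOOD, CTX));
console.log(checkBeforeSigning("0x" + "00".repeat(32), CTX));
```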
3️⃣ Broken Authentication Flow
Frontend calls:
/auth/wallet/message
But backend does NOT define that endpoint.
This suggests:
- Copy-paste template
- Incomplete build
- Or intentionally sloppy scam shell
Scam repos often don’t need to be functional — they just need to look convincing enough.
4️⃣ Suspicious / Outdated Dependencies
- Deprecated request
- Old axios
Low-effort assembly is common in scam templates.
❌ What I Did NOT Find
To be fair and objective:
- No exec, spawn, eval
- No OS-level backdoors
- No .env file exfiltration
- No private key scraping from local machine
This is NOT malware.
This is a financial trap disguised as a Web3 job interview.
🧩 The Psychological Vector
This is the clever part.
Instead of:
“Invest in my token”
They use:
“We are hiring Senior Fullstack Developer.”
Developers are naturally curious.
They want to review architecture.
They want to test the contract.
They may deploy it.
And the moment you interact financially — you're inside the trap.
This method bypasses skepticism because it hides behind professional language.
🚩 The Pattern Matches Known Scam Structures
High-risk indicators:
- Owner-drain functions
- Owner price manipulation
- Backend-controlled private key
- Centralized admin mutation of smart contract
- Wallet signing architecture
- No real company technical footprint
- Random GitHub account name
- Lawyer persona recruiting blockchain engineers
That is not how legitimate Web3 startups operate.
🔥 The Verdict
HIGH RISK — Likely Crypto Scam Template
It may not steal your computer data.
But it is built to move user funds into a contract that the owner can drain.
🛡️ Lessons for Developers
If you’re contacted for a Web3 job:
Always:
- Audit smart contracts before testing
- Check for owner drain functions
- Check for pricing manipulation
- Verify company technical footprint
- Verify GitHub history
- Avoid using real wallets
- Never deploy unknown contracts with your funds
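A first-pass way to run the "owner drain" and "pricing manipulation" checks before touching a contract, as an added example (not code from the repository): list every externally callable, owner-gated function in a Solidity source and tag the ones whose names suggest withdrawing funds or setting a rate. The sample contract is constructed from the three signatures quoted in this post; its function bodies, `buyTokens()` and the name patterns in `RISK_RULES` are assumptions.

```javascript
// Added example: triage a Solidity source for owner-only functions that move
// funds or change pricing. Regex-based, so it is a first-pass filter, not an audit.

// Constructed sample modelled on the signatures quoted in this post; the
// function bodies and buyTokens() are assumptions, not the repository's code.
const SAMPLE_SOL = `
contract Memecoin {
    function buyTokens() external payable { /* ... */ }
    function withdrawETH(address payable to, uint256 amount) external onlyOwner {
        to.transfer(amount);
    }
    function withdrawTokens(address to, uint256 amount) external onlyOwner {
        token.transfer(to, amount);
    }
    function setTokensPerEth(uint256 newRate) external onlyOwner {
        tokensPerEth = newRate;
    }
}`;

const RISK_RULES = [
  { tag: "owner-drain", name: /^(withdraw|sweep|drain|rescue|emergency)/i },
  { tag: "owner-pricing", name: /^set.*(price|rate|fee|tax|PerEth)/i },
];

function stripComments(src) {
  return src.replace(/\/\*[\s\S]*?\*\//g, " ").replace(/\/\/.*$/gm, " ");
}

function findPrivilegedFunctions(src) {
  const findings = [];
  // name, parameter list, then everything up to the body or a bare declaration
  const fnRe = /function\s+(\w+)\s*\(([^)]*)\)([^{;]*)[{;]/g;
  for (const m of stripComments(src).matchAll(fnRe)) {
    const [, name, params, modifiers] = m;
    const callable = /\b(external|public)\b/.test(modifiers);
    const ownerGated = /\bonly(Owner|Admin|Role)\b/.test(modifiers);
    if (!callable || !ownerGated) continue;
    const rule = RISK_RULES.find((r) => r.name.test(name));
    findings.push({
      name,
      tag: rule ? rule.tag : "owner-only",
      payableTarget: /address\s+payable/.test(params),
    });
  }
  return findings;
}

console.log(findPrivilegedFunctions(SAMPLE_SOL));
```

A hit only tells you where to start reading; access control implemented with inline `require(msg.sender == owner)` checks instead of a modifier will not be matched.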
🚨 Final Advice
If someone:
- Contacts you via LinkedIn
- Pushes GitHub access immediately
- Avoids live technical discussion
- Skips architecture explanation
- Wants you to test token economics
Be careful.
Professional hiring does not start with smart contract deployment.
💬 Why I’m Publishing This
Because scams are evolving.
They’re targeting:
- Developers
- Crypto-native people
- Technically skilled individuals
Not just retail investors.
If this post prevents even one developer from losing funds — it was worth writing.
If you want to analyze the repository yourself:
GEMINI PRO 3 ANALYSIS:
🔍 Repository Security Analysis
Based on my detailed analysis of the repository, here are my findings.
🚨 Verdict: HIGH RISK — Likely a Scam Template
While I did not find traditional malware (such as viruses or keyloggers that infect your operating system), the repository exhibits strong signs of being a Crypto Scam Template designed to steal funds via social engineering.
⚠️ DO NOT RUN THIS CODE
⚠️ DO NOT CONNECT YOUR WALLET
🔥 Critical Findings
1️⃣ Rug Pull Smart Contract
File: Meowfi.sol
The core smart contract contains functions that allow the owner (the scammer) to withdraw all ETH and all tokens from the contract at any time:
function withdrawETH(address payable to, uint256 amount) external onlyOwner { ... }
function withdrawTokens(address to, uint256 amount) external onlyOwner { ... }
Why this is dangerous:
- If you are asked to “test” the application by buying tokens (even on a testnet), you are sending ETH directly to a contract where the owner has full control to drain it.
- The owner can also arbitrarily manipulate token pricing via:
setTokensPerEth(...)
This is a classic rug-pull mechanism.
2️⃣ Broken Authentication Flow
File: src/lib/api.ts
The frontend attempts to call:
/auth/wallet/message
However:
- ❌ This endpoint does not exist in the backend.
- The backend only defines: connect, verify, refresh, and logout.
What this suggests:
- The code appears hastily assembled.
- It may be copied from another project without understanding.
- Scammers often use incomplete or broken code because their goal is not to build a working product — but to get you to deploy contracts or send funds.
3️⃣ Suspicious / Outdated Dependencies
The project includes:
- Deprecated request library (^2.88.2)
- Very old axios version (^0.21.4)
While not inherently malicious, outdated dependencies are common in low-effort scam repositories and may contain unpatched vulnerabilities.
4️⃣ Social Engineering Context
The “job interview” approach is a classic scam vector.
The likely goals:
- Get you to “fix” the broken code.
- Get you to deploy the contract (costing you gas fees).
- Trick you into using your mainnet wallet “for testing” or “verification.”
- Build trust before introducing financial interaction.
This is not accidental. It is engineered.
✅ Safety Check Results
To remain objective, here’s what I did NOT find:
✔ No Obfuscated Executables
No hidden binaries or obfuscated JavaScript attempting to execute:
- exec
- spawn
- system-level commands
✔ No Private Key Exfiltration
No code searching for or uploading:
- id_rsa
- .env files
- local secrets
✔ Install Script Appears Legitimate
The scripts/install-foundry.sh script appears to be a standard Foundry installation script and does not contain malicious behavior.
🛑 Recommendation
- Block the sender. Do not engage further.
- Delete the repository.
- Do not deploy the contract.
  - Deployment may cost you gas fees.
  - It may signal to the scammer that you are actively engaging.
⚠ Final Conclusion
This is not a technical malware attack.
It is a financially engineered crypto scam.
The repository structure strongly aligns with known rug-pull templates:
- Owner-drainable smart contract
- Owner-controlled price manipulation
- Centralized backend control
- Wallet-signing flow architecture
- Broken / copy-paste authentication logic
It is dangerous — not because it infects your machine — but because it is designed to move funds into a contract that can be drained at any time.
Stay cautious.
Web3 scams are evolving — and developers are increasingly becoming targets.
CODEX 5.2 ANALYSIS:
🚩 High-Risk Scam Indicators
1️⃣ Owner-Drain Functions in Token Contract
File: Memecoin.sol
The contract allows the owner to withdraw all ETH and all tokens at any time.
This is implemented via owner-restricted withdrawal functions and represents a classic rug-pull pattern.
If users send ETH to this contract, the owner can drain it at will.
2️⃣ Owner-Controlled Price Manipulation
File: Memecoin.sol
The contract includes:
setTokensPerEth(...)
This allows the owner to arbitrarily change the exchange rate.
Why this matters:
- The scammer can artificially increase perceived value.
- Lure buyers into purchasing tokens.
- Then modify pricing or drain liquidity.
This is a centralization red flag in any supposed “decentralized” platform.
3️⃣ Admin Endpoint Mutating On-Chain Price
File: admin.controller.js
The backend includes an admin endpoint that:
- Uses a server-side private key
- Can modify the on-chain token exchange rate
This means:
- Smart contract pricing is controlled off-chain.
- A single backend key controls token economics.
- Full power remains centralized.
This architecture is consistent with scam behavior — not legitimate DeFi design.
🔐 Suspicious Wallet / Signing Flow
4️⃣ Arbitrary Message Signing
File: wallet.ts
The frontend signs arbitrary messages provided by the backend.
Risk:
If the backend requests malicious signatures, users may unknowingly:
- Authorize unintended contract calls
- Approve token transfers
- Sign structured data with financial consequences
Message signing systems must be extremely transparent. Here, the control remains server-side.
5️⃣ Withdraw Functions Exposed in Frontend ABI
File: contractHelper.ts
The frontend ABI explicitly exposes:
withdrawETH
withdrawTokens
This is unusual for a user-facing swap UI.
A legitimate DEX interface typically does not expose owner-only drain functions in the client ABI.
This strongly suggests the contract was built with owner extraction in mind.
🧪 Backend Backdoor / Exfiltration Check
To remain objective, I also reviewed the repository for direct malicious behavior.
✔ No OS-Level Backdoors Found
- No exec
- No spawn
- No eval
- No system command execution patterns
✔ No Local Secret Exfiltration
I did not find code attempting to:
- Access .env files
- Read SSH keys (id_rsa)
- Upload developer machine secrets
✔ Backend Structure
The backend uses:
- Standard REST endpoints
- On-chain RPC calls
- Token metrics and analytics (token.controller.js)
There is no evidence of direct data theft from the developer’s machine.
⚠ Final Conclusion
This repository is highly consistent with a crypto scam template, based on:
- Owner-drainable token contract
- Admin-controlled token pricing
- Centralized private key authority
- Wallet-signing architecture that can be abused
It may not contain traditional malware.
But it is clearly structured to move user funds into a contract that the owner can drain at any time.
That makes it a financially engineered trap — not a technical exploit.
Stay cautious.
Stay sharp.
Web3 is powerful — but also full of traps.
— Nezir Zahirović