<img src="https://crypto.news/app/uploads/2023/10/crypto-news-Five-Recent-API-Hacks-in-Crypto05.webp” />
A recent revelation from a developer has shed light on a sophisticated game download scam that highlights the new tactics of scammers targeting web3 games.
The scam began with a direct message from a now-deactivated X account, @ameliachicel, proposing a job opportunity. The job involved a position at Solidity for a web3 game called MythIsland, with details hosted on a seemingly legitimate website, mythisland(.)io.
The website, with impressive graphics and functional links, showed a detailed presentation of the game, including its in-game economy and nft aspects. The team members seemed to be deluded, which lent an air of credibility to the project.
The tweet was shared by 0xMarioan independent developer who fell victim to the scam, and his post has gone viral, as several other users have reported similar scams.
The conversation moved to Telegram, where detailed discussions about the game and work followed, including introductions to other “team members.” The scam developed further when the developer was asked to download a game launcher to experience an alpha version of MythIsland.
With caution, the developer chose to run the launcher in a Windows virtual machine. The launcher looked legitimate, with professional graphics and standard UI elements. However, when trying to register, an error message appeared requesting an update to the .NET Framework.
Reporting this issue to the group posing as the team resulted in a suggestion to try another Windows machine. Following this advice, the developer encountered the same bug on an old ThinkPad, prompting the scammers to delete all chats and block the developer, presumably realizing the unlikelihood of compromising the machines used.
The developer wisely treated the old laptop as fully compromised and planned to wipe it. In particular, the scammers had meticulously crafted social media profiles on Telegram and Instagram, with one of them claiming to be a former Cosmos Network developer.
The incident underscores warnings from blockchain security companies, which recommend extreme caution when downloading files, particularly executables and scripts. Best practice is to use a virtual machine or expendable computer for such downloads or prefer secure methods such as Google Docs for document transfers.
