"a1" saves idiot from himself
That clearly justifies the machines competing with us humans for energy and water.
Engineer David Dodda says he was just "30 seconds away" from running malware on his own computer after nearly falling victim to a North Korea-type job interview scam with a "legitimate" blockchain company. The fraudsters probably would've duped him and tried to steal everything on his machine, from cryptocurrency wallets to …
It could just as easily have given the wrong answer or told him to do it himself.
Best stick to the sandbox, it's more deterministic.
Anything blockchain causes an instantaneous reaction: RUN!
I would not need to ask a hallucinating bullshit generator to check some code that I will NOT download, much less execute.
Brain cells work quicker than ChatGPT. If you have them.
Thank you for introducing me to Jenny and F.O.C.U.S.
It's a sign of desperation to agree to do a test. Shows just how low the industry has sunk.
If you're even thinking of doing such tests, it's time to take a sabbatical from the industry, and to do other work for a year. This has always been true, because IT is cyclical, and has been forever, same as any other industry.
“It's a sign of desperation to agree to do a test.”
O.M.G. so true! One time I let them give me a test on P.I.D. which for me usually means proportional-integral-differential feedback controller, but in this case meant process and instrumentation diagram. To My Horror: it was asking about Mass Balance, Energy Balance, valve sizing, pressure drop, orifices, mixers, I can’t even remember 1/10 of what they were asking, my only clear recollection was that even when I studied that stuff back in college I had at best a weak grasp of the concepts, and never looked at it again on the assumption that was the last I’d ever hear about it. But it was abundantly clear what was going on: plenty of incompetent applicants for a lucrative career in an extremely tedious profession. It’s just as well I failed so dismally, my gosh, I could have been stuck there for the rest of my days…
developers are the "ideal victims" because their machines "contain the keys to the kingdom: production credentials, crypto wallets, client data."
All that on the one machine and single account you use for job applications?
Having worked extensively online almost since the web went public (35 years+, ouch!), I've always kept a "dirty machine" for such tasks, with nothing but the basics on it and with a clean backup image that can be used to rebuild it from scratch if it gets contaminated.
In my infosec consulting experience, the key reason most organisations (and folks) get "hacked" is that they have no real proactive defences in place (you need more than a few appliances -- you need forethought, current information about threats and the willingness to make the necessary constant effort).
Surely if someone is applying for a job they use their personal machine which should never contain production credentials or client data. Similarly their work machine should not have access to their personal data, crypto wallets or otherwise.
Mr Dodda completely fails at basic IT security and professionalism. He'll make a great crypto "developer".
“I've always kept a "dirty machine" for such tasks, with nothing but the basics on it and with a clean backup image that can be used to rebuild it from scratch if it gets contaminated.”
Yes my comment exactly, I’ve got a whole stack of recycled laptops configured exactly this way. I’d probably be lazy anyway and simply fire up a clone VM to expose. I wonder how secure that is anymore, my strategy is to make a “burner” clone that exists for the duration of the interaction, on the assumption that they won’t be able to hijack the host O.S., or break into my router running custom firmware, etc.
Am I already a victim and just never realized it yet? Shrug!
That was mistake #1 right there. There is no such thing as a legitimate scam company.
Chief Blockchain Officer - I'd have laughed at the title, asked if he wears a uniform and maybe if there are any adults to talk to instead. Oh wait, I wouldn't have contacted these scammers in the first place because they claim to work for a scam company.
Headline story just repeated "AI prompt saved me from disaster" a few times then stopped. What happened? What did CursorAI pick up after a code scan? How did it do it? How was this reported to the user? How can we avoid falling into similar traps?
This is the journalistic equivalent of A House of Dynamite. Great hook, repeated a few times to trigger interest, but no investment in actually - you know - finishing the story.
Come on Reg. Do better.