A real account of how a fake blockchain job offer turned into a silent malware attack that drained my Phantom wallet overnight — and how I had a chance to stop it.
I'm a full-stack developer. I get LinkedIn connection requests regularly — recruiters, founders, fellow developers. So when someone connected and said they were building a blockchain gaming platform called PSPN and needed a developer, it didn't seem unusual.
They seemed legitimate. Professional profile. A company called ParaLead. They scheduled a proper 30-minute Google Meet call via Calendly — one day after connecting. Everything looked real.
The meeting invite came from cboy88755@gmail.com — a random Gmail, not a company domain. Legitimate companies use their own email. I didn't notice.
After the call, one day later, they invited me to collaborate on their GitHub MVP repository: Tirios2036/pspn_mvp. I accepted, cloned the project to my MacBook, ran npm install, and started the project. Normal developer workflow. Or so I thought.
The repository wasn't a real project. Hidden inside — likely in install scripts or a malicious dependency — was a Node.js malware payload.
The moment I ran the project, it silently installed itself as a persistent background process on my Mac. Here is exactly what it planted:
This abused macOS LaunchAgents, the launchd mechanism for per-user background services that start at every login, to run invisibly with no warning to the user whatsoever.
That night, while I was sleeping, the script accessed my Phantom wallet, extracted my credentials, and initiated the transfers. By morning, the funds were gone.
When I noticed the LinkedIn profile had suddenly disappeared, something felt wrong. I told my friends. They said immediately — "Take your money out of Phantom right now. Don't wait."
The funds were still there. I had the chance. But I convinced myself I was overthinking it.
By the time I woke up, everything was gone. My friends were right. In crypto security, if something feels wrong — act immediately, not in the morning. Move your funds first. Investigate later. You can always move them back. You cannot reverse a blockchain transaction.
Unlike traditional theft, crypto theft is permanently recorded on-chain. Every transaction is public and verifiable. Here is exactly what happened:
300.338147 USDC transferred from my wallet to attacker's wallet (6dyWYQ...mKwJfR)
1.362934205 SOL transferred to the same attacker wallet
Attacker bridged 399.373 USDC from Solana → BNB Smart Chain to make tracing and freezing harder
LinkedIn account deleted. GitHub repository removed. The scammer vanished without a trace.
The payload hides in package.json, especially in the preinstall, postinstall, and prepare scripts, which npm runs automatically during npm install without asking.

macOS allowed a third-party script to install a LaunchAgent, a persistent background process that runs on every login, with zero notification. No alert. No permission dialog. Apple's Gatekeeper checks downloaded apps for a valid signature and notarization, but it says nothing when code that is already running on the machine, here an npm install script, writes a plist into ~/Library/LaunchAgents. Recent macOS versions (13 and later) do post a passive "Background Items Added" banner for a new LaunchAgent, but it is dismissable, not a permission dialog, and the agent is already registered by the time it appears. A permission prompt must be shown when any unknown process attempts to register a LaunchAgent.
Once a device is compromised, Phantom offers zero second line of defence. No 2FA. No transaction alerts. No confirmation on a secondary device. A single stolen seed phrase = total, instant, irreversible loss. (Phantom can be paired with a Ledger hardware wallet, in which case every outgoing transaction needs a physical confirmation on the device; the software-only wallet has nothing equivalent.) Phantom must add 2FA for outgoing transactions, spending limits, and real-time alerts. One security layer in 2026 is not enough.
These scammers create professional profiles, target developers with fake job offers, complete the theft — then delete their account within hours. LinkedIn has the tools to detect newly-created accounts immediately sending collaboration requests at scale, and to preserve deleted account data for law enforcement. They choose not to act proactively. Public pressure is the only way to change this.
Before npm install on any cloned repo, read the scripts section of package.json (npm pkg get scripts prints it). Check preinstall, postinstall, and prepare: these run automatically and silently, and so do the same hooks inside every dependency that gets installed. npm install --ignore-scripts installs without running any of them; add ignore-scripts=true to your ~/.npmrc to make that the default, and only run the hooks once you have read them.
Run all unknown projects inside a virtual machine or Docker container. Malware inside a properly isolated VM cannot reach your host's files, wallet extension, or browser data. Two caveats: a Docker container is a weaker boundary than a VM (it shares the host kernel), and either one is defeated the moment you bind-mount your home directory or your browser profile into it, so mount only the project directory.
Use a Ledger or Trezor for any meaningful crypto. Software wallets on your laptop are one compromised repo away from total loss.
On Mac, run ls ~/Library/LaunchAgents/ regularly, and also check /Library/LaunchAgents and /Library/LaunchDaemons, which cover all users. Any file you don't recognise is a red flag. The filename can be made to look legitimate, so open the plist and read its ProgramArguments: an interpreter such as node or python launching a script from a hidden directory under your home folder is the classic dropper shape. launchctl list shows what is currently loaded. Check after running any new project.
Before working with anyone from LinkedIn, verify them on Twitter, GitHub history, and company website. Fake profiles rarely have consistent presence across platforms.
If something feels wrong — move your crypto first, sleep later. You can always move funds back. You cannot undo a blockchain transaction.
I lost money I cannot get back. But if this post stops even one developer from making the same mistake, it is worth every word.