How recruitment scams target developers through GitHub test tasks

Category: Cyber Security
Published on: 15 Sep, 2025

Context and why it matters for fintech in the Baltics and EU

Fintech teams compete hard for senior engineers. That urgency is being abused by threat actors who pose as legitimate crypto firms or technology recruiters. The pattern is simple: share a repository, talk through apparently plausible architecture, then ask the candidate to build or run something locally. Hidden in that code is a remote access tool or wallet drainer.

Law enforcement and threat intelligence have repeatedly warned about fake-recruiter campaigns that install backdoors or place illicit remote IT workers inside companies. Recent actions in June 2025 highlighted how such schemes infiltrated more than 100 organisations and stole both cryptocurrency and source code. These operations weaponise remote work practices and identity obfuscation, often using LinkedIn as the first touchpoint.

For Estonia and the wider Baltics, where cross-border hiring and crypto innovation are common, the risk is amplified by distributed teams and contractor-heavy delivery models. A single Trojanised test task can lead to credential theft, poisoned build chains, or reputational damage. Security teams should therefore treat recruitment workflows as a potential initial access vector, not just an HR function.

Core topic explained without fluff

What it is and what it is not

A GitHub recruitment scam is a social engineering tactic where adversaries impersonate a company or recruiter, share code during an interview, and request a candidate to clone, build, or contribute to a repository. The repository includes malicious components such as obfuscated scripts, suspicious post-install hooks, or compiled binaries that, when executed, install a backdoor or drain crypto wallets. Several research teams have tracked campaigns where fake recruitment was used to deliver bespoke malware, including “DreamJob” style lures and malicious coding challenges.

It is not a legitimate technical screen, an open source contribution, or a normal code sample request. Legitimate employers provide clear documentation, legal paperwork where appropriate, transparent identities, and do not pressure candidates to run unsigned executables or grant commit rights to private repos.

Typical weak points or failure modes

  • No NDA, no contract, yet a push for code execution or commits to their repo.
  • New or low-history GitHub orgs with few contributors and sparse commit history.
  • Obfuscated JavaScript or Python, minified blobs, or compiled binaries included in a “frontend” task.
  • Installers or scripts that request elevated privileges, add persistence, or reach out to unfamiliar domains.
  • Payment offered only in crypto, insistence on out-of-band channels, or rushed timelines.
  • Engineers running interview tasks on primary laptops without EDR, sandboxing, or network containment.
  • HR and hiring managers working without a secure hiring process or sanctions screening.

A quick cautionary note: industry reporting shows attackers using LinkedIn lures and GitHub repos to drop backdoors via interview tasks or coding challenges. Treat this pattern as a known threat, not a theoretical edge case.

Checklist: red flags and first actions

| Signal in the interview | Why it matters | Your first move |
|---|---|---|
| “Run this script” or “install this tool” during the call | Execution on a trusted device is the goal | Move to a disposable VM or container |
| Brand new GitHub org, few commits | Low provenance and easy throwaway | Inspect history, contributors, forks before cloning |
| Obfuscated code or unsigned binaries | Hides payloads and persistence | Block execution, request source and hashes |
| Crypto-only payment, no paperwork | Higher fraud and sanctions risk | Pause process, request formal docs and references |
| Pressure to grant repo rights | Privilege escalation and data exfiltration | Keep read-only, use throwaway account |
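The “inspect history, contributors, forks before cloning” move can be made mechanical. The script below is an added example written for this article, not tooling from the author or from GitHub. It evaluates repository and owner metadata in the shape the GitHub REST API returns (`GET /repos/{owner}/{repo}`, `/users/{owner}`, `/repos/{owner}/{repo}/contributors`, `/repos/{owner}/{repo}/commits`) against age and activity thresholds. The threshold values, the reference date and the two sample records are constructed assumptions; tune the thresholds to your own risk appetite.

```python
"""Provenance gate for an interview repository, run before anyone clones.

Added example (not the article author's tooling). Input records mirror the
GitHub REST API field names; thresholds and sample data are constructed.
"""
from datetime import datetime, timedelta, timezone

MIN_REPO_AGE_DAYS = 90        # brand-new repos are cheap throwaways (assumed threshold)
MIN_OWNER_AGE_DAYS = 180      # a fresh org or user account is weak provenance (assumed)
MIN_CONTRIBUTORS = 3          # assumed threshold
MIN_COMMITS_IN_WINDOW = 10    # assumed threshold
ACTIVITY_WINDOW_DAYS = 180    # assumed window


def _ts(value: str) -> datetime:
    """GitHub timestamps are ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def assess_provenance(repo, owner, contributors, commits, now=None):
    """Return a verdict dict; every failed threshold is listed under 'findings'."""
    now = now or datetime.now(timezone.utc)
    findings = []

    repo_age = (now - _ts(repo["created_at"])).days
    if repo_age < MIN_REPO_AGE_DAYS:
        findings.append(f"repository is {repo_age} days old (< {MIN_REPO_AGE_DAYS})")

    owner_age = (now - _ts(owner["created_at"])).days
    if owner_age < MIN_OWNER_AGE_DAYS:
        findings.append(f"owner account is {owner_age} days old (< {MIN_OWNER_AGE_DAYS})")

    if len(contributors) < MIN_CONTRIBUTORS:
        findings.append(f"only {len(contributors)} contributor(s) (< {MIN_CONTRIBUTORS})")

    window_start = now - timedelta(days=ACTIVITY_WINDOW_DAYS)
    recent = [c for c in commits if _ts(c["commit"]["author"]["date"]) >= window_start]
    if len(recent) < MIN_COMMITS_IN_WINDOW:
        findings.append(f"{len(recent)} commits in the last {ACTIVITY_WINDOW_DAYS} days")

    # A history bulk-pushed in one sitting looks staged rather than grown.
    commit_days = {_ts(c["commit"]["author"]["date"]).date() for c in commits}
    if commits and len(commit_days) == 1:
        findings.append("entire history committed on a single day")

    if repo.get("fork"):
        findings.append("repository is a fork; check the upstream, not this copy")

    if repo.get("stargazers_count", 0) == 0 and repo.get("forks_count", 0) == 0:
        findings.append("no stars or forks: no third party has looked at this code")

    return {"passed": not findings, "findings": findings,
            "repo_age_days": repo_age, "owner_age_days": owner_age}


# --- constructed sample records (not real organisations) -------------------
NOW = datetime(2025, 9, 15, tzinfo=timezone.utc)  # constructed reference date


def _commit(login, date):
    """Minimal shape of one /commits entry."""
    return {"author": {"login": login}, "commit": {"author": {"date": date}}}


SUSPICIOUS = {  # fresh org, one author, everything pushed in one morning
    "repo": {"created_at": "2025-08-30T09:12:00Z", "fork": False,
             "stargazers_count": 0, "forks_count": 0},
    "owner": {"created_at": "2025-08-25T08:00:00Z"},
    "contributors": [{"login": "cto-dev"}],
    "commits": [_commit("cto-dev", f"2025-08-30T09:{m:02d}:00Z") for m in (14, 20, 31, 47)],
}

ESTABLISHED = {  # years of history, several authors, steady recent activity
    "repo": {"created_at": "2021-03-02T10:00:00Z", "fork": False,
             "stargazers_count": 412, "forks_count": 37},
    "owner": {"created_at": "2016-11-20T10:00:00Z"},
    "contributors": [{"login": f"dev{i}"} for i in range(8)],
    "commits": [_commit(f"dev{i % 8}", f"2025-{4 + i // 10:02d}-{1 + i % 10:02d}T12:00:00Z")
                for i in range(30)],
}

if __name__ == "__main__":
    for label, record in (("suspicious", SUSPICIOUS), ("established", ESTABLISHED)):
        verdict = assess_provenance(**record, now=NOW)
        print(label, "PASS" if verdict["passed"] else "FAIL")
        for finding in verdict["findings"]:
            print("  -", finding)
```

Feed it the JSON from the four endpoints above with an unauthenticated or read-only token; a failed gate means the candidate asks for the canonical upstream repository or a signed release before anything is cloned.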

Practical playbook

Step-by-step actions

Start with one principle: treat interview code as untrusted until proven safe.

  1. Secure the environment before you clone. Use a disposable virtual machine, a locked-down container, or a dedicated non-production device with no access to corporate credentials or wallets. Disable password managers and single sign-on in that session. Block outbound traffic by default and allow only what the task truly needs.
  2. Check provenance. Review the GitHub organisation age, contributor history, release tags, and issues. Verify the recruiter identity through company channels and mutual references. Legitimate teams should not object to verification, basic paperwork, or staged access.
  3. Read before you run. Open package.json, requirements.txt, poetry.lock, Cargo.toml, or equivalent to review dependencies. Look for post-install or lifecycle scripts. Search the repo for exec, eval, Base64, or long hex strings. If binaries are included, insist on source or signed releases with published hashes.
  4. Scan everything. Run static analysis and malware scans on the repository and dependencies. Use YARA rules, SCA tools, and a multi-engine scanner for archives and installers. Pay attention to uncommon packaging, strange install paths, persistence attempts, and DNS lookups to unfamiliar domains. Reporting from threat researchers shows backdoors delivered via coding tests are not hypothetical.
  5. Contain credentials and secrets. Use a clean Git identity with no access to internal repos. Ensure SSH agents, cloud CLIs, and browser sessions are not available inside the sandbox. Rotate any credentials that might have been present after the exercise.
  6. Do not grant write access. If asked to push code, fork to a disposable account or submit a patch file. Never add unknown deploy keys or GitHub Apps to your organisation during an interview.
  7. Legal and compliance gate. For any extended trial work, insist on an NDA, a defined statement of work, and clear IP terms. For crypto-related roles, perform sanctions and adverse media screening. Government and vendor advisories warn about illicit remote IT workforces and fake recruiters targeting tech companies.
  8. Triage suspicious findings. If scans or reviews indicate malware patterns, stop, preserve evidence, and report the repository via GitHub’s Abuse process or private vulnerability reporting. Consider notifying relevant authorities if sanctions risk is suspected.
  9. Close the loop. Rotate any tokens used in the sandbox, wipe the VM or container, and log the incident in your risk register. Brief the hiring panel so the same lure does not catch someone else next week.
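Steps 3 and 4 above (read the manifests, look for lifecycle hooks, search for eval, exec, Base64 and long hex strings, refuse opaque binaries) can be run as one pre-execution audit. The script below is an added example written for this article, not the author's or any vendor's tool. It walks a cloned directory, lists npm lifecycle scripts from package.json, flags the heuristic patterns in text files, and flags binary artefacts that arrived without source. The hook names, pattern list, size limits and the sample repository it builds for itself are constructed assumptions; the fixture contains no functional malware (its Base64 decodes to `console.log("hello")`).

```python
"""Pre-execution audit of a cloned interview repository.

Added example (not the article author's tooling). Every match is a prompt
for a human read, not proof of malice; thresholds and fixture are constructed.
"""
import json
import os
import re
import tempfile
from pathlib import Path

# npm runs these automatically on `npm install`; any command here deserves a read.
NPM_LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare",
                       "preprepare", "postprepare", "prepublish"}

# Heuristic review prompts (assumed pattern set, extend as needed).
SUSPICIOUS_PATTERNS = {
    "eval/exec call": re.compile(r"\b(?:eval|exec|execSync|execFile)\s*\("),
    "dynamic Function": re.compile(r"new\s+Function\s*\("),
    "base64 decode": re.compile(r"\b(?:atob|b64decode|from_base64)\s*\(|[\"']base64[\"']"),
    "long hex blob": re.compile(r"(?<![0-9a-fA-F])(?:[0-9a-fA-F]{2}){48,}(?![0-9a-fA-F])"),
    "long base64 blob": re.compile(r"[A-Za-z0-9+/]{120,}={0,2}"),
    "pipe to shell": re.compile(r"\b(?:curl|wget)\b[^\n|]*\|\s*(?:sudo\s+)?(?:ba|z)?sh\b"),
}
# Lockfiles are hash-heavy; review them for dependencies, not for blobs.
LOCKFILES = {"package-lock.json", "yarn.lock", "pnpm-lock.yaml", "poetry.lock", "Cargo.lock"}
SKIP_DIRS = {".git", "node_modules", ".venv", "target", "dist"}
MAX_TEXT_BYTES = 2_000_000


def _is_binary(data: bytes) -> bool:
    return b"\x00" in data[:8192]


def _scan_package_json(path: Path):
    try:
        manifest = json.loads(path.read_text(encoding="utf-8"))
    except (ValueError, UnicodeDecodeError):
        return [("manifest unreadable", str(path), "")]
    scripts = manifest.get("scripts") or {}
    return [("npm lifecycle script", str(path), f"{hook}: {cmd}")
            for hook, cmd in scripts.items() if hook in NPM_LIFECYCLE_HOOKS]


def audit_repo(root):
    """Return a list of (label, location, detail) findings for the tree under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(Path(root)):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            path = Path(dirpath) / name
            data = path.read_bytes()
            if _is_binary(data):
                findings.append(("binary artefact", str(path),
                                 f"{len(data)} bytes; ask for source and a published hash"))
                continue
            if name == "package.json":
                findings.extend(_scan_package_json(path))
            if name in LOCKFILES or len(data) > MAX_TEXT_BYTES:
                continue
            text = data.decode("utf-8", errors="replace")
            for label, pattern in SUSPICIOUS_PATTERNS.items():
                for m in pattern.finditer(text):
                    line_no = text.count("\n", 0, m.start()) + 1
                    findings.append((label, f"{path}:{line_no}", m.group(0)[:60]))
    return findings


def build_sample_repo() -> Path:
    """Constructed fixture: a 'frontend task' with a postinstall hook, an
    eval-of-Base64 helper, a long hex constant and an opaque binary."""
    root = Path(tempfile.mkdtemp(prefix="interview-task-"))
    (root / "package.json").write_text(json.dumps({
        "name": "frontend-task", "version": "1.0.0",
        "scripts": {"build": "vite build", "postinstall": "node scripts/setup.js"},
    }))
    (root / "scripts").mkdir()
    (root / "scripts" / "setup.js").write_text(
        'const blob = "Y29uc29sZS5sb2coImhlbGxvIik=";\n'
        'const marker = "' + "0123456789abcdef" * 6 + '";\n'
        'eval(Buffer.from(blob, "base64").toString());\n')
    (root / "src").mkdir()
    (root / "src" / "App.jsx").write_text("export default function App() { return <h1>Hi</h1>; }\n")
    (root / "vendor").mkdir()
    (root / "vendor" / "helper.node").write_bytes(b"\x7fELF" + b"\x00" * 64)
    return root


if __name__ == "__main__":
    for label, where, detail in audit_repo(build_sample_repo()):
        print(f"[{label}] {where}: {detail}")
```

Run it inside the sandbox from step 1 against the cloned path (`audit_repo("/work/task")`) before any `npm install` or build; a lifecycle-script or binary finding is the cue to stop and ask for source, hashes and an explanation rather than to proceed.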

Quick wins this week: enforce disposable VMs for all interview tasks, publish a one-page secure hiring checklist, and add an approval step if a candidate is asked to run any third-party code.

Longer term: bake security into the hiring playbook, add sanctions and identity checks, and integrate code scanning into the process.

Tooling and process integration

Focus on approach over vendor names.

  • Isolation and execution: standardised VM images, ephemeral containers, and network egress controls for interview tasks.
  • Code hygiene: pre-clone provenance checks, dependency review, and mandatory malware scanning integrated into the interview workflow.
  • Access control: throwaway Git identities, read-only access by default, no repository write permissions for non-employees.
  • Detection and response: EDR on workstations, centralised logging for sandboxes, and clear escalation paths to security.
  • Governance: HR, legal, and security alignment on NDAs, IP terms, and sanctions screening for high-risk roles and regions.
  • Reporting: GitHub Abuse and private vulnerability reporting channels are documented and tested.

Measurement and governance

Metrics and thresholds

  • Sandbox coverage: 100 percent of technical interviews that involve code must use an isolated environment.
  • Repository provenance pass rate: at least 95 percent of interview repos must meet age and activity thresholds before cloning.
  • Malware scanning compliance: 100 percent of interview repos and artefacts scanned before execution.
  • Awareness completion: 100 percent of hiring managers and technical interviewers complete annual secure hiring training.

Regional and regulatory considerations

In the EU, processing candidate data and running checks must align with GDPR principles of necessity and proportionality. Keep only what you need, tell candidates how their data is used, and minimise copies of artefacts. For crypto-related roles, consider MiCA obligations for VASP-like activities and the heightened scrutiny around wallet security.

Recent enforcement actions and advisories highlight that sanctioned actors have used fake recruitment and remote IT work to infiltrate companies. Even if your organisation is not in the United States, global sanctions regimes and local AML expectations may still apply. Build screening and enhanced due diligence into your hiring playbook for high-risk roles and geographies.


FAQs

Is this really happening, or just a theoretical risk?
It is happening. Researchers and agencies have documented fake recruiter campaigns delivering malware via coding tasks and interview artefacts, along with broader operations to place illicit remote IT workers.

Should candidates ever run interview code locally?
Only in a sandbox. Use a disposable VM or container with no access to credentials, wallets, or corporate assets. Read the code and scan it before any execution.

Do I need an NDA for a simple test task?
If the task involves non-public code, company IP, or extended trial work, an NDA or short trial agreement protects both sides and sets expectations. It also helps weed out impostors who refuse normal due diligence.

Could this expose us to sanctions risk?
Potentially. Screening, device control, and identity verification are essential when hiring fully remote engineers in sensitive domains like crypto.
