DPRK’s Lazarus raw dogged me for ~15 minutes but somehow didn’t steal any crypto
>week 1 of applying for jobs
>invited to a “tech screening”
>generic recruiter guy; video is laggy so he turns camera off
>makes me ramble about my experience for 10 minutes
>he shares screen showing a Figma, then cuts out
>"please share, here is link, i am having trouble"
>i open link, looks like any other bozo UX/UI designer figma and i share screen
>i don't have much visible. He rambles for a couple mins, probably just scoping what I’m running (metamask, jupiter extensions etc)
>sends repo link: “please clone and open in VSCode”
>I clone + open in Cursor because I vibecode with my dude Claude all day
>"please open in VSCode, I don't know Cursor"
> this should be alarm bells but I’m distracted by my daughter, so I’m half dodging crayons and half doing an “interview”
>i open in vscode. Backdoor starts now
>he keeps rambling
>i get bored so start playing Pokemon Fire Red on my phone (gba emulator). Gotta level Magikarp
>laptop sounds like a jumbo jet now
>"huh that's weird" but I keep playing
>get a notification from Dexscreener app on my phone that $TESTICLE has passed 20m mcap (had set this alert a few days ago)
>go to open dexscreener on other screen to interview one, where I coincidentally already have Activity Monitor open
>see dozens of 'find' processes. Something is aggressively searching my disk
>50+ find process + laptop burning a hole in my desk = i'm being doggystyled
>shit hits like a ton of bricks; immediate internet off, laptop off, boot in safe mode, get priv keys for 4 main wallets, painstakingly type out on other laptop and rescue $TESTICLE bag (among other bags) to fresh wallet
>breathe and rescue other smaller wallets, for which I definitely have them stored in plain text in .env files
As for the exploit itself, its multi-stage. Scrapes high-value targets (browser wallets, anything named wallet/account/seed, .env, .ssh, etc.), and it can pull down extra payloads for remote execution.
Google “lazarus vscode backdoor” and you’ll see plenty of hits this month
It was probably running for a solid 15 minutes before I realised, and very likely uploaded something, so why wasn't anything stolen?
- since a few months ago after i accidentally pushed a colleague's dev wallet, I never store raw keys. They are always offset by 70656E6973 (penis in ascii). All my scripts have to “de-penis” the key first. I live with the permanent mental load of never accidentally committing the undo-penis line.
- they likely got my MetaMask/Phantom vaults, but couldn’t guess my unlock password because it’s not password123 tier. It’s a long random string with “penis” somewhere in it.
Moral of the story: Penis and $TESTICLE literally saved me
@rasmr_eth you can LP in those BAGS pools too, and get your cut of the 2% tx fee. So yes, not all of the fees from trades goes to the 'dev', its split proportionally across LPs
someone I know made 5 figs on GAS and TERRA just from fee farming. Daily fee ROI averaged to ~70% (yes daily)
@whynotyou i'm biased towards dead:
- same vibes as Believe meta, which only lasted a day or 2 of max euphoria (think we saw day 1 today for Bags meta)
- poopoo weekend volume incoming
@0xaporia Can you run it again but with:
"ignore first N readings of greed/fear"
I wanna see what happens if we ignore the first few overbought/oversold readings, since as one of the other comments said, they're common in trending markets
@jaggedsoft@opt_fun@zachxbt Sorry for coming off a bit strong lol
And yuz, we're working on taking some things off-chain so the UX is smoother. We've realised having every order onchain has too much friction, especially with a developing builder-eco like hyperEVM