“Nickel Alley” fake interviews are a crypto-theft cyber attack on freelance developers via LinkedIn, Upwork and Fiverr

What happened

Sophos warns that a group it calls ‘Nickel Alley’ is tricking freelance developers with fake interview processes that deliver malware and steal cryptocurrency. The bait is painfully specific: coding tests plus repo downloads, delivered through platforms such as LinkedIn, Upwork and Fiverr.

According to the report, the fake interview sequence coerces candidates to run or fetch code from attacker-controlled repositories, which is how the malware is pushed to the target environment. Sophos identified the technique and linked it to credential and crypto-theft objectives, but exact victim counts or financial losses have not been disclosed.

Why this matters to businesses

Freelancers and gig platforms are now an explicit attack surface for organisations that outsource code, integrations or short-term engineering work. Suppliers, contractors and hiring managers can all be collateral damage when a recruiter-style ruse becomes a delivery mechanism for malware and credential theft.

The consequences are straightforward and nasty: lost wallets, stolen credentials, compromised source code, longer incident response, and brand damage when a third party used by the business is the vector. Given how teams hire contractors, treating MFA as optional and accepting repo access without verification are avoidable weaknesses that attackers love.

If you’ve got the same weakness, here’s what happens next

If your teams or contractors run unvetted code from a repo as part of an interview, several things can follow. First, an implanted backdoor can quietly persist, giving attackers time to move laterally or siphon secrets. Second, stolen keys or credentials can be used to drain cryptocurrency wallets or pivot into CI pipelines.

Following that, you can expect escalation costs: forensic bills, legal checks, customer notifications and wasted leadership time in crisis calls. None of it needs to be dramatic to be damaging, just slow, costly and reputation-eating over months.

What to do on Monday morning

  • Stop the practice of asking candidates to run unreviewed code locally. Use isolated sandboxes or hosted test harnesses only.

  • Require identity proofing for interviewers and candidates on external platforms, and record the provenance of any repo used in a hiring task.

  • Ensure contractors get least privilege access, time-limited credentials and no write-level access to production or CI by default.

  • Enable and enforce MFA for all accounts that touch source code, wallets or build systems, and quit treating it as optional.

  • Inspect any downloaded repo with automated static and dynamic scanners before execution, ideally in an ephemeral sandbox with network egress blocked.

  • Log and monitor for unusual repository clones, new deploy keys or unexpected package installs, and alert on suspicious patterns.

  • Review supplier contracts to require secure interview practices and incident notification clauses from platforms and contractors.
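As an added example (not from Sophos or the original post) of the "inspect before execution" step above, this Python script statically triages a cloned "coding test" repo for install-time hooks and obfuscation indicators without running any of its code. The lifecycle-hook, auto-run file and pattern lists are assumptions chosen for a Node-style task repo, and the sample repo it builds is constructed for the demonstration.

```python
import json
import re
import tempfile
from pathlib import Path

# npm lifecycle hooks run automatically on `npm install`, before anyone has read
# the code (assumption: the task repo is a Node project; other checks are generic).
NPM_LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare"}
# Files that execute or reconfigure tooling on clone, install or editor open.
AUTO_RUN_FILES = {"setup.py", ".npmrc", ".vscode/tasks.json", ".vscode/settings.json"}
# Source-level indicators worth a manual read; hints, not verdicts.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"\beval\s*\("), "eval() call"),
    (re.compile(r"Buffer\.from\([^)]*['\"]base64['\"]"), "base64-decoded buffer"),
    (re.compile(r"\bcurl\b[^|\n]*\|\s*(ba)?sh\b"), "pipe-to-shell"),
]
TEXT_SUFFIXES = {".js", ".ts", ".py", ".sh", ".json"}

def triage_repo(root):
    """Return (relative_path, reason) pairs to review before the repo is built or run."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or ".git" in path.parts:
            continue
        rel = path.relative_to(root).as_posix()
        if rel in AUTO_RUN_FILES:
            findings.append((rel, "auto-run/config file present"))
        if path.suffix not in TEXT_SUFFIXES:
            continue
        text = path.read_text(errors="ignore")
        if path.name == "package.json":
            try:
                scripts = json.loads(text).get("scripts") or {}
            except (ValueError, AttributeError):  # malformed or non-object JSON
                scripts = {}
            for hook in sorted(NPM_LIFECYCLE_HOOKS & set(scripts)):
                findings.append((rel, f"lifecycle hook '{hook}': {scripts[hook]}"))
        for pattern, label in SUSPICIOUS_PATTERNS:
            if pattern.search(text):
                findings.append((rel, label))
    return findings

def demo():
    # Constructed sample "coding test" repo (not a real artefact) to show the output.
    tmp = Path(tempfile.mkdtemp())
    (tmp / "package.json").write_text(json.dumps(
        {"name": "coding-test", "scripts": {"postinstall": "node setup.js", "test": "jest"}}))
    (tmp / "setup.js").write_text('eval(Buffer.from("Li4u", "base64").toString());\n')
    return triage_repo(tmp)
```

Run it against the repo before anything is installed; a hit on a lifecycle hook means `npm install` alone would have executed code, which is exactly the step the checklist says to move into a sandbox.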

Where ISO standards fit, without the sales pitch

An ISO-aligned information security management system makes this sort of risk visible and harder to ignore. For example, an ISO 27001 approach forces you to document contractor onboarding and access controls so you don’t learn about a gap during an incident call.

When human behaviour is central, structured awareness and simulated phishing programmes reduce the chances someone will run attacker code because it looks like an interview. For practical training options, see usecure.

For baseline certification and supplier assurance that fits smaller teams, consider independent schemes like IASME, which you can read about at IASME certifications, to make sure suppliers meet minimal controls.

And if your continuity and recovery planning matters because stolen keys or poisoned pipelines can stop delivery, an established BCMS helps you define who does what when, and how to recover safely. See practical continuity guidance at ISO 22301.

All of these links are about making the obvious controls actually stick, not about adding paperwork for the sake of it.

Think less about paranoia, more about predictable checks that stop a fake interview from becoming a full incident.

Adam Cooke
As the Operations and Compliance Manager, Adam oversees all aspects of the business, ensuring operational efficiency and regulatory compliance. Committed to high standards, he ensures everyone is heard and supported. With a strong background in the railway industry, Adam values rigorous standards and safety. Outside of work, he enjoys dog walking, gardening, and exploring new places and cuisines.