Are you willing to hack Chinese websites and take control of them for random people for up to $100,000 a month?
Someone is making exactly that appetizing, strange, and clearly sketchy job offer. The person is using what appears to be a series of fake accounts, with avatars showing pictures of attractive women, to slip into the direct messages of some cybersecurity experts and researchers on X over the past few weeks.
“We are recruiting WebShell engineers and teams to penetrate Chinese websites around the world with a monthly salary of up to $100,000. If you’re interested, you can join the channel first.”
For some reason I received this message from an X account named “See my homepage”. It had the handle @jerellayce88010, which appeared to be randomly generated.
When I followed the link, I was able to see the channel administrator, a person named “Jack” who had an AI-generated pirate avatar.
“Are you proficient in penetration techniques?” Jack asked me.
I’m not, but I asked Jack to tell me more about their goals.
“Get a webshell from a registered domain in China. There is no specific target. As long as the domain is registered in China, that’s our target range,” Jack said, referring to a web shell, a program or script that hackers can use to control hacked web servers. “You need to understand China’s CMS,” Jack went on, referring to content management systems, the software that runs the backend of a website. “You will be able to find loopholes and get a web shell in batches. There is no limit to the number you need. This is a long-term job. You can establish long-term cooperation.”
Yes, but crucially, why?
“All I need is Chinese transportation,” Jack said, probably losing patience with my questions.
I understand, but for what?
At this point, Jack was definitely tired of my questions and gave me a challenge: get 3 web shells on domains registered in China. Jack would give me $100 for each domain I hacked.
Alas, I still have neither the skills to do it nor the willingness to break the law. Instead, I continued asking questions, such as who Jack was working for. “The Indian government,” Jack replied, but in a subsequent chat, Jack contradicted that and blamed the automatic translation.
I spoke to some of the researchers who got Jack’s strange job offers, and they were confused too. For example, none of them said they had received malicious links or suspicious questions that would point to some sort of doxing or fraud campaign.
“I think he’s more of a troll than a serious threat actor,” said S1R1US, a security researcher who received a DM from one of Jack’s sock puppet accounts on X.
Grugq, a well-known cybersecurity expert, told TechCrunch he had never seen anything like this recruitment campaign. “I’ve seen (people) ask stupid questions and spam various cybersecurity-related things,” he said. “But it’s not like a permanent, widespread, weird s from this guy.”
According to Grugq, the goal is probably to infect people in China with malware, as it makes no sense to use Chinese domains to launch DDoS attacks and spam.
“I really can’t think of the WTF they’re doing,” concluded Grugq. “That doesn’t make sense.”
Apparently, nobody else can either. Godspeed, Jack, on whatever adventure you are on.