In April 2026, I received what appeared to be a legitimate cybersecurity analyst internship offer from a company called Zorvyn FinTech. Over the next 13 days, I experienced one of the most sophisticated employment fraud operations I have ever encountered — complete with professional HR portals, a Dell laptop welcome kit, and a reporting manager named Mudiwa Mkonto. None of it was real. This analysis documents the full 8-phase attack chain and provides actionable indicators to protect job seekers globally.
- The operation uses a coordinated 8-phase attack chain spanning 10–15 days from initial contact to payment extraction
- All payment demands are Bitcoin-only with rotating wallet addresses and 15-minute expiry timers — deliberately untraceable
- Victim PII (address, passport photo, ID, banking details) is collected during legitimate-looking onboarding before the trap closes
- Infrastructure goes NXDOMAIN immediately after payment — the operation migrates to a new shell company identity
- The same network operated under MutaEngine, VRV Security, and Zorvyn FinTech — documented in CNTI-2026-001
How the Scam Works — 8 Phases
Phase 1 — Target Acquisition: Mass screening invitations via LinkedIn, Internshala, and job platforms. The assessment is timed, technical, and fully branded — indistinguishable from a legitimate employer screening.
Phases 2–4 — Trust Building: A formal offer letter with NDA arrives. Salary is above market rate. You receive portal access, a welcome kit order confirmation (laptop, branded merchandise), and a reporting manager introduction. This is engineered to make you feel invested before the real ask.
Phases 5–6 — The Trap: Your reporting manager assigns a "training task" requiring you to purchase software called MutaCryptor from mutaengine.cloud. They promise reimbursement. The payment is Bitcoin-only, with a 15-minute expiry timer and a rotating wallet address — deliberately untraceable.
Phases 7–8 — Exfiltration and Exit: Payment is extracted. The collected PII disappears into the operation. The company's infrastructure goes NXDOMAIN. The network migrates to a new shell company identity and repeats the cycle.
7 Red Flags — Before You Lose Anything
- Bitcoin-only payment for any work requirement — No legitimate employer demands payment in crypto or requires you to purchase anything before employment begins
- "Do not discuss this with anyone" — Any confidentiality clause before you officially start is designed to prevent you from being warned by others
- Newly registered domain — Run the company domain through WHOIS. Scam operations register domains days before launch. Anything under 30 days old warrants extreme caution
- AI-generated employee photos — LinkedIn profile photos that look too perfect are often synthetic. Reverse image search them on TinEye or Google Images
- Gmail-based official email — @gmail.com for HR communications means no real business domain infrastructure exists
- Urgency on payment deadlines — "Submit by 18 April or lose project team access." Legitimate employers do not issue 48-hour payment ultimatums
- No verifiable company registration — Check CAC in Nigeria, MCA in India, Companies House in the UK. If you cannot find them, they do not exist
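The domain-age and Gmail checks from the list above can be scripted against the text your WHOIS client returns. This is an added example, not code from the CNTI-2026-001 report; the function names, the free-mail list, the placeholder domain and the sample record are assumptions made for illustration.

```python
import re
from datetime import datetime, timezone

# Labels registries commonly use for the registration date.
_CREATED = re.compile(
    r"^\s*(?:Creation Date|Created On|Created|Registered on)\s*:\s*(.+?)\s*$",
    re.IGNORECASE | re.MULTILINE)
_FORMATS = ("%Y-%m-%dT%H:%M:%S%z", "%Y-%m-%d %H:%M:%S", "%Y-%m-%d", "%d-%b-%Y")
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}  # assumed list; extend as needed

# Constructed WHOIS excerpt for a placeholder domain (not a real record).
SAMPLE_WHOIS = """\
Domain Name: example-employer.test
Creation Date: 2026-04-02T09:14:31Z
Registry Expiry Date: 2027-04-02T09:14:31Z
"""


def creation_date(whois_text):
    """Return the earliest parseable creation date in the record, or None."""
    found = []
    for raw in _CREATED.findall(whois_text):
        for fmt in _FORMATS:
            try:
                dt = datetime.strptime(raw, fmt)
            except ValueError:
                continue
            # Treat dates without an offset as UTC so they can be compared.
            found.append(dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc))
            break
    return min(found) if found else None


def red_flags(whois_text, hr_email, now, min_age_days=30):
    """List the domain-age and sender-domain red flags for one offer."""
    flags = []
    created = creation_date(whois_text)
    if created is None:
        flags.append("no creation date in WHOIS record; verify manually")
    elif (now - created).days < min_age_days:
        flags.append(f"domain is {(now - created).days} days old (under {min_age_days})")
    sender = hr_email.rsplit("@", 1)[-1].lower()
    if sender in FREEMAIL:
        flags.append(f"HR mail comes from free provider {sender}")
    return flags

if __name__ == "__main__":
    today = datetime(2026, 4, 15, tzinfo=timezone.utc)  # constructed reference date
    print(red_flags(SAMPLE_WHOIS, "hr.team@gmail.com", today))
```

A record with no recognisable creation date is reported rather than silently passed, since redacted or unusual registry output still needs a manual look.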
What to Do If You Are Targeted
Do not pay anything. Do not submit additional personal information. Screenshot everything — emails, portal screenshots, offer letters, Bitcoin wallet addresses. Report to EFCC in Nigeria, FBI IC3 internationally, or the relevant cybercrime authority in your jurisdiction. Share publicly — this is TLP:WHITE intelligence, freely shareable.
Contact your bank immediately — some crypto transactions can be contested within hours. File a police report with screenshots as evidence. Do not engage the scammers further — any re-engagement will be used to extract more money under the guise of "recovering" your funds.
I published a full 20-page threat intelligence report on this network — CNTI-2026-001, available on this site and in the ICDFA Repository. Read it before your next job application.