Chat on WhatsApp
HomeAbout SOC ProjectsPortfolio ServicesAcademy CertificationsBlog Contact →
← Back to Blog
Threat Intelligence · April 2026 · By O.T. Nathaniel

How Fake Internship Scams Work — And How to Spot Them

In April 2026, I received what appeared to be a legitimate cybersecurity analyst internship offer from a company called Zorvyn FinTech. Over the next 13 days, I experienced one of the most sophisticated employment fraud operations I have ever encountered — complete with professional HR portals, a Dell laptop welcome kit, and a reporting manager named Mudiwa Mkonto. None of it was real.

I am sharing this because hundreds of tech and cybersecurity job seekers globally have been targeted by this same network. This is how it works — and exactly how to spot it before it costs you money.

How the Scam Works (8 Phases)

Phase 1 — Target Acquisition: The operation sends mass screening invitations via LinkedIn, Internshala, and other job platforms. The assessment looks completely legitimate — timed, technical, and branded.

Phase 2–4 — Trust Building: You receive a formal offer letter with NDA, a salary above market rate, employee portal access, and even a welcome kit order confirmation (laptop, branded merchandise). This is all designed to make you feel invested before the real ask comes.

Phase 5–6 — The Trap: Your "reporting manager" assigns a training task. To complete it, you must purchase a software product called MutaCryptor from mutaengine.cloud. They promise reimbursement. The payment is Bitcoin-only, with a 15-minute expiry timer and rotating wallet addresses — deliberately untraceable.

Phase 7–8 — Exfiltration: Your payment is gone. Your PII (address, passport photo, ID, banking details) was collected during onboarding. The company's infrastructure then goes dark (NXDOMAIN). The operation moves to a new shell company identity.

7 Red Flags to Watch For

  • Bitcoin-only payment for any work requirement — No legitimate employer pays you in crypto or asks you to purchase anything via cryptocurrency
  • "Do not discuss this with anyone" — Any confidentiality clause before employment officially starts is a massive red flag
  • Newly registered domain — Run the company domain on ScamAdviser or check WHOIS. Scam operations register new domains days before launching
  • AI-generated employee photos — LinkedIn profile photos that look "too perfect" are often synthetic. Reverse image search them
  • Gmail-based company emails — @gmail.com for official HR communications means there is no real business domain infrastructure
  • Urgency on payment deadlines — "Submit by 18 April or lose project team access" — legitimate reimbursements do not have 48-hour deadlines
  • No verifiable company registration — Check CAC in Nigeria, MCA in India, Companies House in the UK. If you cannot find them, they do not exist

What to Do If You're Targeted

Do not pay anything. Do not submit additional personal information. Screenshot everything — emails, portal screenshots, offer letters. Report to the relevant cybercrime authority (EFCC in Nigeria, CBI in India, FBI IC3 internationally). Share publicly to warn others — this is TLP:WHITE intelligence, freely shareable.

I published a full 20-page threat intelligence report on the MutaCryptor Scam Network — available free on this site. Read it before your next job application.

Written by O.T. Nathaniel, AMICDFA, CCEP, CBTP — SOC Analyst & Founder of Cyber Nate

← More Articles Get in Touch View SOC Projects