7 August 2024 Incident: Understanding the Malware Used

2024-08-10 Nexera

https://nexera.medium.com/240807-incident-understanding-the-malware-used-4d946ab20936

Nexera's malware analysis says the 7 August 2024 incident began with a LinkedIn approach offering paid smart contract consulting work, followed by a GitHub skills-test repository that the victim cloned and executed. The code ran a local web server on port 80, contacted C2 infrastructure, fingerprinted browser and wallet extensions, and used BeaverTail to steal wallet credentials. BeaverTail could also deploy InvisibleFerret, which fingerprints hosts, uploads data, and can enable keylogging, clipboard capture, AnyDesk download, and other remote collection. In this case, stolen wallet credentials let the attackers take control of a smart contract, while MFA prevented compromise of the victim's other accounts.
