Last month, someone claiming to be a NordVPN employee (Salbatore Isom) contacted me on Telegram. He said he was part of NordVPN’s Influence Program and wanted to collaborate with me.
At first, I ignored him. Later, I casually replied. He explained that I only needed to pin a post on X (formerly Twitter) for a week and retweet it once per week. In return, I’d receive $1,000 per month, paid in cryptocurrency—70% upfront, and the remaining 30% at the end of the month.
He said the USDT payment could be made on TRON, ETH, or SOL chains. I didn’t suspect anything at that point and directly gave him my TRON wallet address. He then told me a colleague would prepare a contract. The next day, I received an email with a seemingly normal domain name—jurogo. I even looked it up and found it was a newly registered domain, less than a week old, with barely any information online.
Then he asked me to download a piece of software to “sign the contract.” That immediately raised red flags for me. Normally, contracts are signed via web forms, not software downloads. The file he sent was a ZIP archive, over 300 MB in size. I canceled the download. Later, just to be safe, I opened it in a virtual machine running Ubuntu 22, with networking set to NAT so it couldn’t access any host data.
After extracting the ZIP, I found various .exe and .dll files—it was clearly malware or a trojan. In hindsight, it was terrifying. If I had run that on my host machine, they could have stolen my crypto wallet’s private key, or worse, encrypted my files and demanded ransom.
Not long after, that so-called contract signing site returned an error:
503 Service Unavailable
The server is temporarily down for maintenance.
A few days later, he sent me another link. I kept talking to him and pretended I had already signed the contract, asking him to send the payment first. He checked and claimed he didn’t see my submission and asked me to redo it.
To confirm my suspicions, I also contacted NordVPN’s official team. Two years ago, they had actually emailed me for a partnership opportunity, but I never replied. This time, the official team responded:
Unfortunately, the person contacting you is not someone from our organisation. We do not reach out via channels such as Telegram, only by official emails that can be found in this blog post.
You can also reach out to the NordVPN support team for confirmation in case you have any doubts.
Lesson Learned
These days, you really need to stay alert. As the saying goes:
If it’s too good to be true, it probably is. Share on XPS: If someone reaches out to you for collaboration via Telegram, it’s almost certainly a scam. Legitimate companies use official channels like business emails listed on their websites—not random chat apps.
Also, make sure you do not click any suspicious link or download/install any untrusted software. And make sure you have some protection e.g. Anti-virus software such as Norton.
The domain was just recently registered, less than a week old (as shown on whois domain lookup). The registrant is called John Deecon, who I looked it up on Linkedin. He is from London, and working in Crypto industry. He looks like a Russian.
Fake Scammer Domain was just recently registered, as shown by whois lookup. The Registrant is called John Deecon.
The fake “Contract” signing website is quite professional looking.
The fake phishing email from the scammer
The scammer said the contract was not signed properly – and he asked me to do it again.
The fake contract signing app – Juro App
The newly domain/website shows 503 – broken and suspicious.
The fake contract signing website prompts to download the Juro App which is required to sign the contract.
The chat between me and the scammer who pretends to be from NordVPN.
The 300M zip file contains all the .exe and .dll which can only be run on Windows.
Scam Emails/Incidents
- Telegram Accounts Are Shockingly Easy to Hack Without 2FA
- Last Month’s Scam Experience on Telegram (NordVPN Impersonation)
- A blatantly fake phishing email from OpenSea (NFT)
- Scammers Are Exploiting Multi-Signature Wallets (Tron): Stay Alert!
- Ways to spot SEO scam – Signs that tell you about scam SEO companies
- Receiving a Blackmail/Scam Email saying that I watched Po*n....
- Beware of the Malicious Transactions on TRON Blockchain
- The Major Security Flaws of Wirex (WirexApp) Exchange
Relevant Posts
- Beware of the NordVPN Influencer Scam
- NordVPN says he is not from the Org
- A Deeper look into the Trojan/Virus by NordVPN Influencer Scam
–EOF (The Ultimate Computing & Technology Blog) —
1408 wordsLast Post: Bitcoin has reached All-Time-High 118K
Next Post: How to Clean Up NVM Node Versions Except One?