a friend recommended i check out HustleWing, an “anonymous job board” with “side hustle opportunities.”
after creating a profile you’re forced to pay for access. despite the marketing site not mentioning fees, i figured whatever. it takes money to make money right? i subscribed for $29. then a quick search found this reddit post accusing HustleWing of being a scam website with no real jobs. yikes!
with my $29 already gone and a spiritual revulsion for chargebacks i decided to poke around the site to salvage some losses. and poke around i did.
everything you’re about to read took less than 30 minutes with my terminal and 2 bare hands. i didn’t brute force endpoints, write SQL injection queries, engage scanners, or DDOS servers. just common sense and a little bit of elbow grease.
HustleWing flaw #1 – not anonymous
first i visited my HustleWing profile and inspected XHR network requests. here i spotted an innocent looking fetch() to this endpoint:
/api/mem_clnxb1ykq2a0w0s0m1pmv3a55/hustler/profile
in case the link above gets got, here’s a visual preview. it’s my entire user profile, name(!) included, and can be retrieved without authentication.
for an “anonymous” job board, HustleWing already sucks IMO. but maybe their secret sauce is the mem_ prefixed profile IDs. using hashed primary keys instead of enumerable integers makes it ~impossible to find other profiles, right? lol nah.
back on the main job feed i inspected more network requests and found these gems:
/api/businesses/profiles (50,107 records)
/api/opportunities (817 records)
so i start guessing. can i list user profiles the same way?
/api/hustlers/profiles (43,773 records)
yep!
HustleWing flaw #2 – dishonest
to back up real quick, HustleWing’s website claims 100,000+ users. since the actual number is 43,000, they’re lying by 233%.
another fun fact, immediately after joining HustleWing you realize it’s not a place for side hustles at all. it’s a “seeking co-founder” community forum.
which is fine if that’s their pitch, but it’s not. HustleWing presents itself as a place to find part-time consulting projects with household brands.
and to top it off, HustleWing doesn’t let you cancel your account.
there is no billing page, live chat, support center, customer service widget, or “contact us” form anywhere. it’s a 1-way valve from your wallet to theirs.
HustleWing flaw #3 – vulnerable AF
if you checked out my profile JSON above, you probably noticed there’s no email address. phew! but what happens if we Use Our Brain and Find A Way?
i did, and found an even juicier endpoint. just replace “hustler/profile” with “user” at the end for the full kimono.
- public profile (includes names, not cool):
/api/mem_clnxb1ykq2a0w0s0m1pmv3a55/hustler/profile
- private profile (name / email / etc):
/api/mem_clnxb1ykq2a0w0s0m1pmv3a55/user
as before, here’s proof in case these links break:
to make it just a little harder for bad actors reading this post, i’ll refrain from sharing code snippets that paginate every Business + Opportunity and traverse to the owning member’s ID => private profile.
but it is possible. and i may or may not have downloaded 50,000 hiring agents’ names, emails, and job listings. tomorrow i may or may not cold email a few of them 1) their doxed profile and 2) a Ryan Kulp developer pitch.
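flaws #1 and #3 come down to the same gap: the profile, list and /user routes answer without checking who is asking. the server-side checks that close it, as an added example that is not HustleWing's code; the handler name, session shape and record fields are assumptions, and the records are constructed.

```javascript
// Added example, not HustleWing's code. Every name below is hypothetical.
// Constructed sample records standing in for the member table.
const MEMBERS = new Map([
  ['mem_aaa', { id: 'mem_aaa', name: 'Alice Example', email: 'alice@example.test', headline: 'Designer', plan: 'pro' }],
  ['mem_bbb', { id: 'mem_bbb', name: 'Bob Example', email: 'bob@example.test', headline: 'Engineer', plan: 'free' }],
]);

const MAX_PAGE_SIZE = 25;
// Query parameters the list route accepts. Filters on private fields (plan) are not among them.
const LIST_PARAMS = new Set(['limit']);

// Allow-list serializer: an "anonymous" profile exposes only fields chosen on purpose,
// so a column added to the table later is private until someone lists it here.
function publicView(member) {
  return { id: member.id, headline: member.headline };
}

// req.session is assumed to come from a verified cookie or token, never from the URL.
function handle(req) {
  const { path, query = {}, session = null } = req;

  // 1. Authenticate before routing, so no route is reachable without a session.
  if (!session || !MEMBERS.has(session.memberId)) return { status: 401 };

  // 2. Private record: the ID in the path must be the caller's own ID.
  //    An unguessable ID is not a permission; 404 also avoids confirming the ID exists.
  let m = path.match(/^\/api\/(mem_[a-z0-9]+)\/user$/);
  if (m) {
    if (m[1] !== session.memberId) return { status: 404 };
    return { status: 200, body: MEMBERS.get(m[1]) };
  }

  // 3. Public profile: always passes through the allow-list serializer.
  m = path.match(/^\/api\/(mem_[a-z0-9]+)\/hustler\/profile$/);
  if (m) {
    const member = MEMBERS.get(m[1]);
    return member ? { status: 200, body: publicView(member) } : { status: 404 };
  }

  // 4. Listing: reject unknown filters, cap the page size, return no total count.
  if (path === '/api/hustlers/profiles') {
    if (!Object.keys(query).every((k) => LIST_PARAMS.has(k))) return { status: 400 };
    const asked = Number.parseInt(query.limit, 10);
    const limit = Math.min(asked > 0 ? asked : MAX_PAGE_SIZE, MAX_PAGE_SIZE);
    const items = [...MEMBERS.values()].slice(0, limit).map(publicView);
    return { status: 200, body: { items } };
  }

  return { status: 404 };
}
```
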
HustleWing flaw #4 – took $29 from Ryan
i can go all day about API endpoints that shouldn’t exist, like this one that seems to indicate more than 3,000 people are paying or have paid for HustleWing, a scam job board with zero accountability.
/api/hustlers/profiles?plan=pro
on Thursday, Oct 19th 2023 i emailed HustleWing to cancel my paid subscription. having not received confirmation that my request was completed, i’m earning back the $29 by sharing this exposé with 1000s of people. i’m aiming for at least the same number of people they tricked.
competing with Ryan Kulp is traditionally a bad idea.
HustleWing flaw #5 – thinking it won’t get worse
usually when i find a vulnerability i email the company directly and avoid public drama. but HustleWing is a POS website run by POS people and i don’t care.
if a fellow ethical hacker wants to carry the torch, i suggest first figuring out if “Jessica” is a real person. this account sends all the newsletters and onboarding mailers.
my second suggestion is to get in touch with Brian Ficho, HustleWing’s co-founder according to an online directory called LinkedIn. maybe then he’ll send a scary legal notice for my trash can.
https://www.linkedin.com/in/brianficho
Brian, do better man.
HustleWing flaw #6 – zero talent
until i signed up last Friday, nothing good came from HustleWing. it was an open endpoint of 50,000 professionals trying to anonymously pay their bills. HustleWing sold them on a promise and failed.
HustleWing + “Jessica @ HustleWing,” you suck!
Hey thanks for this post – much appreciated!!
Thanks Ryan, grateful for this read.
And good. Wondered if you could help with even more pathetic scammers… Details described here: https://t.me/DarknetDeutschlandMarkt4IsAScam
This is epic! Thanks for a great read…
Thanks so much,
Was contacted by one of their “representatives” this morning. Quick google search and your site came up 3rd! Thanks for helping me dodge a bullet (and save my $$$$).
Yep they responded to my Director of Engineering application with a link to sign up to their website, which is basically a terrible version of Fiverr. I didn’t sign up or pay any money but they still have my email on file and there’s no way to delete an account there.
Total scam.
I fell for a job posting jobs on LinkedIn that looked like HustleWing was hiring. After I applied, “Jessica” sent a suggested opportunity that I would have had to pay to see it.
Total scam. Thank you for saving me $29 and a bunch of time today!
This was the same rabbit-hole I nearly fell into. There were a number of postings on LinkedIn, and they sounded quite promising. Before filling in *anything*, I did a google search and yep – this page came up second.
Thank you for saving my time and effort, Ryan!
This is pretty devious.
I’m pretty desperate for money. Like I used to make a ton before the pandemic, but not any more. I’ve run through savings and put groceries and living stuff on my credit card. Any time I put limited time applying to fake jobs, it takes away from me applying to a legit job. To top it off, I am contemplating going to the food bank or not on Thursday.
I never really understood why a job seeker, the disempowered one in the employment dynamic, would have to pay money to get a job. It seems like the employer, with a hiring budget should take the financial burden since they are hiring an asset.
I have been thinking of maybe signing up for the membership to try to find work, but not sure if this would be a bogus or black hole job board like upwork again.
I’ll definitely stop considering choosing between a meal and this sign up fee from now on.
It is really too bad it’s not legit. A power time / moonlight board would have been nice.
Great write up. I used the LI link you included for the Co-founder and I always find it sketch if leaders/founders don’t put their profile photo up. Smells super scammy!
dodged a bullet. Thanks. Do you still have the 50,000 hiring managers emails. Looking for consulting gigs and want to avoid trash agencies like Michael Page and other such crap. I want to feel empowered by finding high paying consulting gigs on my own. Email is [email protected]
Thank you for saving me $29, this is incredible!
thank you so much. I was looking for product work and they reached out. Good to know it’s a mess upfront and really appreciate your work. I’ll pay $29 just to avoid having gotten ripped off.
Legend.
Thank you for putting so much time into this.
While I’m here, Bark.com is a microjobs website that also makes big promises. In my experience, their platform is loaded with fake jobs specifically meant to burn applicant’s money.
Thanks! I saw their ad on LinkedIn.
Thank you! Saved me $29 and a lot of shame
Damn. Feeling super dumb right now. And out $29. I do find it helpful to be introduced to companies I hadn’t heard of and find them outside of the platform. But it’s still scammy. If you have those 43k job listings, I’m interested.
You’re the best – I was suspicious when receiving an email from Jessica after applying for an internal position through LinkedIn (subject said applied through Indeed – sheesh).
I was provided a link to search through other openings. There was only one available, and I had to pay to reveal the other opportunities.
This is a pretty horrible practice.
Thanks for posting.
Same story here Ryan. Jessica is not cool. Way to try to hustle folks who are just trying to make an honest living and actually working all legitimate angles to be a proactive member of society. Thank you for shedding light on this scam.
I arrived at your site moments before clicking to confirm my annual subscription. THANK YOU for saving me the headache.
This made my day. Thank you for sharing.
Oh Wow! Thanks so much for sharing this!!! I thought you could trust LinkedIn not to have so many scammers, but there seems to be a lot on their site. Again, thank you!
Thank you for this. I applied through a linkedIn posting and I’m doing my due diligence before getting too far in the process. Glad I did! Unfortunately, I signed up for an account, but didn’t pay $29. It just took me to this video: https://www.youtube.com/watch?v=kYpPT8oLyZY&t=3s
Thank you for this! I applied for a “job” through LinkedIn and figured it was scammy when they wanted me to sign up. Several pings from them later I stumbled across your post. Shame on them.
Ryan, you’re fucking awesome man! Much appreciated!! People like you are making this world a better place for sure! Kudos to you my friend!!!!
Thanks –> you’ve done God’s work with this post!! Appreciate it.
Haha ever since you posted these API endpoints hustlewing disabled public access to them. Thank you for calling out startups for not doing their due diligence when it comes to privacy and security. Hope they make a better platform.
Thank you!
I wish I’d seen this before I signed up. Luckily, I didn’t pay anything because I’m not that trusting, but now I’m on their email list; ugh! I hope others see this heads up before it’s too late.
Love this so much! THANK YOU!
That Was Totally Wicked!!
Finding it is one thing. Posting it is badass. You remind me of my code heroes back in the early 2000’s. – Go on with your bad self.
Everything Sean said! Ryan, you are Legend….
Thank you for saving me the time and money.
Unfortunately HustleWing and Bravado seem to be very similar and complete scams for real professionals looking to find a side hustle. Anyone know of any legit organizations offering real services for professionals looking for side hustles? I’d love to know.
I may have just found another potential scam they’re running. Saw a posting for a marketing job with “Fin,” an AI Skincare Assistant app available in the Apple Store. When I researched the company on LI, I found only 1 associated employee so far and few details on Google. When I looked at the app details, the seller is “HustleWing LLC.” I wonder if the app and open jobs were created just to grab more contact info, or if this might(?) be a legitimate situation where a founder is using their services. In any case, based on your technical analysis, I certainly wouldn’t trust an app sold by HustleWing to be secure.
interesting. yes, perhaps a new company named “Fin” hired HustleWing to run a recruitment campaign for them. but finding them online should be pretty easy. and finding duplicate postings of their job opp seems pretty standard too. based on what we’ve seen thus far, i wouldn’t put it past HustleWing to invent a fake app for leads.
I just applied to a job on LinkedIn that was posted by HustleWing. Quickly received an email that I might be a good fit, they asked me to answer a few more questions, then… they auto-generated my answer for why I would be a good fit? Lol. Anyways, this is when the company name was revealed to me (Speaking Roses).
I googled their name to show that I did some research in my answer and their SERP listing led to a 404 page. Poked around the website some more and it was so bad for having been featured in “500+ media publications” and being around for 20+ years.
As someone with 10 years of experience in web design & marketing, I immediately thought the website was fake and wondered if they were creating fake sites/apps to flood their platform with. THANK YOU for this post <3
I also created an account then found it was a scam. Super frustrated, I tried to figure out who was running their LinkedIn jobs account. After a ton of sleuthing (and after maybe asking a friend at LinkedIn), I figured out HustleWing is owned by a guy named Greg Caplan, the former CMO of Cameo.
Here is his LinkedIn: https://www.linkedin.com/in/gregcaplan/
Thank you this is so helpful!
Wow good thing I did some research! Saved me $29.00 thanks a lot
great post and ingenious method to poke around – well done! If you have a couple seconds, curious to see if my record (signed up, didn’t pay) that I “permanently deleted” is actually gone. Because if not, that’s about as clear-cut against data privacy laws as you can be – and I know a person or two in federal LE who would be interested in hearing about that specifically…..
Thanks so much for this post. Luckily I didn’t sign up for the paid account, but I certainly wasted time looking through their “opportunities”. Dirtbags.
Thank you sir! Glad I did a quick search before falling for these scammers.
Just perfect! You are awesome!
You are my hero, Ryan. Upon applying to a HustleWing job on LinkedIn, and leaving the “send me communication” box checked, Jessica sent me an email titled, “Welcome to the Darknet of Work.” That was a lovely little red flag, so I googled “is hustlewing legit?” and found your stellar investigative work via Reddit. Best $29 I’ve never spent. Phew. Thank you, Ryan.
Thanks for the heads up!
Well done, Ryan.
From the looks of it, these guys are advertising jobs on LinkedIn under other company names. Once you apply to their job advertisement, they harvest your email address and send out unsolicited commercial email.
It’s a pretty clever business model, dancing around the edges of fraud.
I ran a public search for this scam company run by Greg Caplan & Brian Ficho. Here is all of the publicly available data on the company (for your small claims court and eventual class action needs).
*Entity Information*
Entity Name: HUSTLEWING LLC
Principal Address: 2147 W THOMAS ST
CHICAGO,IL 60622-0000
File Number: 13498784
*Status*
NGS on 07-01-2024
Entity Type: LLC
Type of LLC: Domestic
Org. Date/Admission Date
07-14-2023
Jurisdiction: IL
Duration: PERPETUAL
*Annual Report*
Filing Date: 00-00-0000
*Annual Report*
Year: 2024
Agent Information: GREGORY CAPLAN
2147 W THOMAS ST
CHICAGO, IL 60622-3629
Agent Change Date: 07-14-2023
If you want to see more, check it out here and put HustleWing in the search bar. https://apps.ilsos.gov/businessentitysearch/businessentitysearch#getDetails
Thank you for this helpful post. Head-scratcher that the co-founder doesn’t include a LinkedIn headshot.
thanks Carlton! i agree. and your portfolio looks awesome btw.
I have been looking for side gigs but generally try to avoid spammy-looking sites. I got an email and just because I did sign up for travel insurance with “Safety Wings” it somehow felt connected and I signed up until I got the payment part. Something felt super off.
Thank You!!
I suspected a scam and this confirmed it. And I can’t believe how lax they are with their API. Yikes!!!
Thanks for saving me a bit of dough and time. You rock.
Thanks Ryan. Very brilliant. We appreciate your work. Keep it up.
Do you know anything about Jackson Stevens – Top Recruiters? Will appreciate your assistance. They have a lot of positive reviews on Trust Pilot and LinkedIn. I could not find any critical review on the search engines I used.
Thanks for this! One google search and this was on top, decided to look into them after receiving a job offer. Definitely not taking it now!
When I received a response to my application for a position listed on LinkedIn by Hustlewing within an hour, my first reaction was, “huh”? It just appeared too good to be true. So I googled them to check out if they were legit, and lo and behold I found your informative and timely blog. Thank you! You saved me a lot of aggravation!!
It is simply amazing to me that 10 months after this post, LinkedIn still permits them to have a profile and list positions.
i reported the job listing today after finding this article and linkedin responded a couple hours later with,
“We took action on your report
We limited the distribution of the job post
Thank you for your report. After reviewing it, we decided to take action on the job post you reported in accordance with our Professional Community Policies. As a result, we’ve limited its distribution to the author’s first-degree connections.
Thank you for reporting. It helps keep LinkedIn safe for all our members.”
which is quite possibly the worst response? because it boils down to “yeah we agree this is a scam so only people who have followed or connected with the company will get to apply to the scam!”
like, what the actual fuck??
they have thousands of connections, most likely because of how desperate people are for fair-paying work, and when i reported the listing it had only been up for 55 minutes and already had about 89 applicants. i really hope most people who apply to the job know not to pay for access to any kind of job offer.
I too wrote them (a year ago) and asked to cancel as soon as I realized that their “business model” was a scam. And yet they just hit me with an auto pay to the tune of $96. I am pissed.
Thank you so much for this timely information. They are EVERYWHERE on LinkedIn so likely roping in thousands of people.
Just saw in the LA Times that Gavin Newsom signed a new bill requiring one-step cancellation of online subscriptions so yet may be grounds for class action.
https://www.latimes.com/california/story/2024-09-24/easy-to-cancel-subscriptions-new-state-law
Thanks for this Ryan! I cleared my cart.
Man. Thorough as heck! Thank you for the warning and heads-up. I almost signed up and decided to quickly search for credibility. So glad I came across your forum. Saved me a lot of headache.
Thank you so much Ryan for sharing this information with me. Like many others I received information today about a possible job and was asked to complete questions. Jessica did not reach out to me, instead it was [email protected]. I wish them nothing but the best, but thankful I did additional information and found your blog. I mean the fact that this post is from a year ago and they are still going strong is crazy.
THANK YOU!!!!
Shit, I was a victim of them.
There appears to be a way to permanently delete your account now. Also the API calls mentioned a year ago no longer work, so they must have beefed up their site.