Few job applications have had consequences as severe as the one submitted by a senior engineer at Axie Infinity: the company he hoped to join turned out to be fictional, and the application led to one of the biggest hacks in the crypto industry.
Ronin, the Ethereum sidechain built exclusively for the blockchain game Axie Infinity, lost $540 million in cryptocurrency in a March hack. While the U.S. government later linked the incident to the North Korean hacking group Lazarus, full details of how the exploit was executed have not been disclosed.
According to The Block, the incident was linked to a fake job advertisement.
Earlier this year, employees at Axie Infinity developer Sky Mavis were contacted via LinkedIn by a person claiming to represent the fake company and encouraged them to apply for jobs, two people familiar with the matter said on condition of anonymity. After several rounds of interviews, an engineer at Sky Mavis was offered a very well-paying job.
The engineer then received a fake offer letter in the form of a PDF document. Downloading it allowed malware to infiltrate Ronin’s systems. From there, the hackers were able to take over four of the nine validators on the Ronin network, leaving them one validator short of full control.
In a post-mortem blog post about the hack, published on April 27, Sky Mavis said: “Employees have been subject to advanced phishing attacks across various social channels, and one employee has been compromised. The employee is no longer at Sky Mavis. Attackers managed to exploit this access to infiltrate the Sky Mavis IT infrastructure and gain access to validating nodes.”
Validators perform various functions in the blockchain, including creating blocks of transactions and updating data oracles. Ronin uses a so-called “proof-of-authority” system to sign transactions, centralizing power in the hands of nine trusted validators.
“If five of the nine validators approve, the funds can be transferred out,” blockchain analytics firm Elliptic explained in a blog post on the incident in April. “The attackers managed to gain access to five validators’ private keys, which is enough to steal crypto assets.”
But after infiltrating Ronin’s systems through the fake job offer, the hackers controlled only four of the nine validators, meaning they needed one more validator’s signature to reach the threshold.
In its post-mortem report, Sky Mavis revealed that the hackers managed to use Axie DAO, an organization set up to support the gaming ecosystem, to complete the attack. Sky Mavis had asked the DAO to help handle the heavy transaction load in November 2021.
“The Axie DAO allowed Sky Mavis to sign various transactions on its behalf. This was discontinued in December 2021, but the allowlist access was never revoked,” Sky Mavis said in a blog post. “Once the attackers gained access to the Sky Mavis system, they were able to obtain the signature from the Axie DAO validator.”
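A simplified model of the 5-of-9 threshold and the unrevoked delegation described above, written for this article as an added example (it is not Ronin’s bridge code). Validator names, the delegate principal and the YYYYMM date values are constructed; the point is that a grant without an expiry silently lowers the effective threshold for anyone who controls the delegate.

```python
from dataclasses import dataclass, field
from typing import Optional

THRESHOLD = 5  # five of nine validator approvals move funds, as the article states

@dataclass
class Delegation:
    """A validator allowlists another principal to sign on its behalf."""
    validator: str
    delegate: str
    expires_at: Optional[int] = None  # None: the grant never expires (the weak setting)

@dataclass
class Bridge:
    validators: set
    delegations: list = field(default_factory=list)

    def effective_signers(self, signatures, now):
        """Resolve signatures to validators; a delegate counts only while its grant is live."""
        counted = set()
        for signer in signatures:
            if signer in self.validators:
                counted.add(signer)
                continue
            for d in self.delegations:
                if d.delegate == signer and (d.expires_at is None or now < d.expires_at):
                    counted.add(d.validator)
        return counted

    def approves(self, signatures, now):
        return len(self.effective_signers(signatures, now)) >= THRESHOLD

# Constructed scenario: v1..v4 are run from the infiltrated infrastructure, v9 stands in
# for the Axie DAO validator, and OPS is the principal v9 allowlisted in November 2021.
VALIDATORS = {f"v{i}" for i in range(1, 10)}
COMPROMISED = ["v1", "v2", "v3", "v4"]
OPS = "sky-mavis-ops"
DEC_2021, MAR_2022 = 202112, 202203  # YYYYMM stand-ins for timestamps

def four_keys_alone(now=MAR_2022):
    return Bridge(VALIDATORS).approves(COMPROMISED, now)  # one short of threshold

def with_unrevoked_delegation(now=MAR_2022):
    grant = Delegation("v9", OPS, expires_at=None)  # discontinued but never revoked
    return Bridge(VALIDATORS, [grant]).approves(COMPROMISED + [OPS], now)

def with_expiring_delegation(now=MAR_2022):
    grant = Delegation("v9", OPS, expires_at=DEC_2021)  # grant bounded to its purpose
    return Bridge(VALIDATORS, [grant]).approves(COMPROMISED + [OPS], now)
```

The same check also deduplicates a validator that signs both directly and through its delegate, so a delegation can never count for more than one seat.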
A month after the hack, Sky Mavis increased its number of validators to 11, and said in a blog post that its long-term goal is to have more than 100.
Sky Mavis declined to comment on how the hack was carried out. LinkedIn also did not respond to The Block’s request for comment.
Sky Mavis raised $150 million in a funding round led by Binance in early April. The financing, together with the company’s own funds, will be used to compensate users affected by the attack. The company recently said it will begin returning funds to users on June 28. Ronin’s Ethereum bridge also restarted last week, after being halted abruptly at the time of the hack.
Earlier today, ESET Research published an investigation showing North Korea’s Lazarus abusing LinkedIn and WhatsApp to target aerospace and defense contractors, but the report did not link that campaign to the Sky Mavis hack.
In addition, in April this year the security firm SlowMist issued a security reminder that the North Korean APT group Lazarus was using a series of malicious applications in targeted attacks against the digital currency industry. SlowMist described the pattern as follows:
- The group relies on social engineering, operating personas on major social media platforms (Twitter, Facebook, LinkedIn, etc.).
- It chats with blockchain developers and builds rapport in preparation for the next steps.
- To get close to developers, the group even set up its own trading website, and used this normal-looking site as a pretext for recruiting outsourced staff.
- Having gained the developers’ trust, it sends malware (DMG/EXE trojans) as the payload of a phishing attack.
In response to this incident, SlowMist offered the following preventive advice:
- Industry practitioners should follow the security advisories of major threat intelligence platforms at home and abroad, audit their own environments, and stay vigilant.
- Developers should perform the necessary security checks before running any executable.
- A zero trust approach can substantially reduce the risk posed by this kind of threat.
- Users on Mac or Windows machines should keep their security software’s real-time protection enabled and its signature database up to date.