How a fake job offer cost Axie Infinity $540 million

The Block
2022-07-07 12:26:35
The offer contains a Trojan horse.

Source: The Block

Original Author: Ryan Weeks

Translation: Katie Gu, Odaily Planet Daily

Earlier this year, a hacker tricked a senior engineer at Axie Infinity into applying for a job at a fictitious company, ultimately leading to a loss of $540 million in cryptocurrency for Axie Infinity. Here are the details of the hack on Axie Infinity reported by The Block.

Few job searches have ended as badly as that of a senior engineer at Axie Infinity. His interest in joining a company that did not exist led to one of the largest hacks in the history of the crypto industry.

Last November, Axie Infinity's daily active users peaked at 2.7 million, and weekly trading volume in its in-game NFTs reached $214 million (both figures have since fallen sharply).

In March this year, Ronin, the Ethereum sidechain built for Axie Infinity, lost $540 million worth of cryptocurrency. The U.S. government later attributed the incident to the North Korean hacking group Lazarus, but the full details of how the attack was carried out have never been disclosed. In fact, Ronin's downfall began with a fake job advertisement. Two people familiar with the matter said a senior engineer at Axie Infinity was tricked into applying for a position at a company that did not exist; they requested anonymity because of the sensitivity of the matter.

According to the sources, earlier this year someone claiming to represent the fictitious company approached employees of Sky Mavis, the developer of Axie Infinity, over LinkedIn and WhatsApp with what appeared to be new job opportunities. After several rounds of interviews, one Sky Mavis engineer was offered an extremely generous position.

The fake offer arrived as a PDF file, which the engineer downloaded. The document carried a Trojan, which gave the attacker a way into Ronin's systems. From there, the hacker was able to attack and take control of four of Ronin's nine validators, one short of the number needed to move funds.

In a blog post published on April 27, Sky Mavis analyzed the hack, stating: "Employees were continuously targeted by sophisticated phishing networks across various social channels, and one employee was compromised. This employee is no longer with Sky Mavis. The attacker successfully exploited that access to penetrate Sky Mavis's IT infrastructure and gained access to the validator nodes."

Validators on a blockchain perform a range of functions, including producing blocks of transactions and updating data oracles. Ronin uses a so-called proof-of-authority scheme to approve transactions, concentrating that power in nine trusted validators.

Blockchain analysis firm Elliptic explained in a blog post in April this year: "If five out of the nine validators approve, the funds can be transferred. The attacker managed to obtain the private cryptographic keys of five validators, which was sufficient to steal the crypto assets."

But after breaking into Ronin through the fake job advertisement, the hacker controlled only four of the nine validators, one short of the five needed to move funds.

In its post-mortem, Sky Mavis revealed that the hacker obtained the fifth signature through Axie DAO, the organization that supports the game's ecosystem. In November 2021, Sky Mavis had asked Axie DAO for help handling a heavy transaction load.

"Axie DAO allowed Sky Mavis to sign various transactions on its behalf. It was paused in December 2021, but the access list was not revoked," Sky Mavis stated in the blog post. "Once the attacker entered Sky Mavis's system, they could obtain signatures from Axie DAO validators."
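To make the arithmetic of the theft concrete, here is an added example (written for this page, not Sky Mavis or Ronin code) of a 5-of-9 threshold check for bridge withdrawals. It replays the three states described above: four stolen validator keys are refused, a stale allowlist entry lets a fifth signature through, and revoking that entry closes the gap. The validator names, the "sky-mavis-rpc" signer standing in for the allowlisted node, the withdrawal message and the HMAC-based stand-in for real signatures are all assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

THRESHOLD = 5  # five of nine validator signatures release bridge funds

# Constructed validator set: four Sky Mavis-operated nodes, the Axie DAO node
# and four other operators. Names are illustrative, not Ronin's real set.
VALIDATORS = (
    ["sky-mavis-1", "sky-mavis-2", "sky-mavis-3", "sky-mavis-4", "axie-dao"]
    + [f"partner-{i}" for i in range(1, 5)]
)
# "sky-mavis-rpc" stands in for the Sky Mavis node that Axie DAO allowlisted
# to sign on its behalf. It holds a key but is not a validator slot itself.
SIGNERS = VALIDATORS + ["sky-mavis-rpc"]

# Stand-in private keys, random per run. Real validators hold ECDSA keys;
# the HMAC below only models "whoever holds the key can produce the signature".
KEYS = {name: secrets.token_bytes(32) for name in SIGNERS}


def sign(signer: str, msg: bytes) -> bytes:
    """Stand-in signature: HMAC-SHA256 keyed with the signer's secret."""
    return hmac.new(KEYS[signer], msg, hashlib.sha256).digest()


@dataclass
class Bridge:
    validators: list
    threshold: int
    # allowlist: validator slot -> names permitted to sign on that slot's behalf
    allowlist: dict = field(default_factory=dict)

    def verify(self, msg: bytes, sigs: dict) -> bool:
        """sigs maps a validator slot to (signer name, signature bytes).

        A slot counts as approved when its own key signed, or when a signer on
        that slot's allowlist signed. True once the threshold is reached.
        """
        approved = set()
        for slot, (signer, sig) in sigs.items():
            if slot not in self.validators:
                continue
            if signer != slot and signer not in self.allowlist.get(slot, set()):
                continue
            if hmac.compare_digest(sig, sign(signer, msg)):
                approved.add(slot)
        return len(approved) >= self.threshold

    def revoke_allowlist(self, slot: str) -> None:
        """Remove every delegated signer for a slot."""
        self.allowlist.pop(slot, None)


def attempt_withdrawal(bridge: Bridge, held_keys: set, msg: bytes) -> bool:
    """Submit every signature that a holder of `held_keys` can produce."""
    sigs = {}
    for slot in bridge.validators:
        if slot in held_keys:
            sigs[slot] = (slot, sign(slot, msg))
            continue
        for delegate in bridge.allowlist.get(slot, ()):
            if delegate in held_keys:
                sigs[slot] = (delegate, sign(delegate, msg))
                break
    return bridge.verify(msg, sigs)


def run_scenarios() -> tuple:
    """Replay the three states described in the article."""
    msg = b"withdraw: ronin-bridge -> attacker-address, 1000 ETH"  # constructed
    bridge = Bridge(list(VALIDATORS), THRESHOLD,
                    allowlist={"axie-dao": {"sky-mavis-rpc"}})  # Nov 2021 delegation

    stolen = {"sky-mavis-1", "sky-mavis-2", "sky-mavis-3", "sky-mavis-4"}
    four_keys = attempt_withdrawal(bridge, stolen, msg)  # 4 < 5: refused

    # The intrusion into Sky Mavis's infrastructure also yields the allowlisted node's key.
    stolen_plus_rpc = stolen | {"sky-mavis-rpc"}
    stale_allowlist = attempt_withdrawal(bridge, stolen_plus_rpc, msg)  # 5: accepted

    bridge.revoke_allowlist("axie-dao")  # what pausing the arrangement should have included
    after_revoke = attempt_withdrawal(bridge, stolen_plus_rpc, msg)  # back to 4: refused
    return four_keys, stale_allowlist, after_revoke


if __name__ == "__main__":
    print(run_scenarios())  # (False, True, False)
```

The practitioner's check this models is the one Sky Mavis's post-mortem points at: a threshold on the validator set is only as strong as the allowlist behind each slot, so pausing a delegation is not the same as revoking it, and any key that can sign on a validator's behalf has to be counted as that validator's key when assessing how many the attacker holds.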

A month after the hack, Sky Mavis increased the number of its validator nodes to 11 and stated in a blog post that its long-term goal is to exceed 100.

When contacted by reporters, Sky Mavis declined to comment on how the hack occurred. LinkedIn also repeatedly declined to comment.

Earlier today, ESET Research released an investigation showing that the North Korean hacker group Lazarus impersonated recruiters using LinkedIn and WhatsApp, targeting aerospace and defense contractors. However, the report did not link this technique to the Sky Mavis hack.

In early April, Sky Mavis raised $150 million in a funding round led by Binance; that money, together with the company's own reserves, is being used to compensate users affected by the hack. Axie Infinity recently announced that refunds would begin on June 28, and the Ronin bridge to Ethereum, which was shut down after the hack, was relaunched last week.

According to data from The Block Research, DeFi hacks have surged this year, with cumulative losses now exceeding $2 billion, up from $760 million at the start of the year.
