How a Fake Job Offer Destroyed the World's Most Popular Crypto Game
By Ryan Weeks
Few job application outcomes are more dramatic than what happened to a senior engineer at Axie Infinity. His interest in joining a fictional company led to one of the largest hacks in the crypto industry.
Ronin is an Ethereum-related sidechain that is the basis for the game Axie Infinity. Axie Infinity lost $540 million in cryptocurrency in an exploit in March. While the U.S. government later linked the incident to the North Korean hacking group Lazarus, full details of how the attack was carried out have not been disclosed.
The Block can now reveal that a fake job ad destroyed Ronin.
A senior engineer at Axie Infinity was duped into applying for a position at a company that didn't actually exist, according to two people with direct knowledge of the matter. The two people spoke on condition of anonymity due to the sensitivity of the matter.
Axie Infinity is huge. In its heyday, workers in Southeast Asia were even able to earn a living by “playing and earning”. In November, its in-game NFTs had 2.7 million daily active users and $214 million in weekly transaction volume — though both numbers have since dropped significantly.
Employees at Axie Infinity developer Sky Mavis were approached earlier this year by people claiming to represent the bogus company and encouraged them to apply for jobs, according to people familiar with the matter. Those avenues were conducted through professional networking site LinkedIn, a source added.
After multiple rounds of interviews, an engineer at Sky Mavis has landed an extremely well-paying job, sources say.
The fake "offer" was sent as a PDF file, which the engineer downloaded -- allowing the Trojan to infiltrate Ronin's systems. From there, hackers were able to attack and take over four of the nine validators on the Ronin network — leaving them with only one validator out of full control.
In a postmortem blog post about the hack on April 27, Sky Mavis said: "Employees were continually subjected to advanced spear-phishing attacks on various social channels and one employee was compromised. The employee is no longer in Sky Mavis works. The attackers managed to exploit this access to infiltrate Sky Mavis IT infrastructure and gain access to validating nodes."
Validators perform various functions in the blockchain, including creating blocks of transactions and updating data oracles. Ronin uses what it calls a "proof-of-authority" system to sign transactions, centralizing power in the hands of nine trusted participants.
A blog post by blockchain analytics firm Elliptic about the incident in April explained: “If five of the nine validators approve, the funds can be transferred out. private key, which is sufficient to steal cryptoassets.”
But after successfully infiltrating Ronin's systems via fake job advertisements, the hackers took control of only four of the nine validators — meaning they needed another validator to take control.
In a postmortem, Sky Mavis revealed that the hackers managed to use Axie DAO (Decentralized Autonomous Organization) — an organization set up to support the gaming ecosystem — to pull off the attack. Sky Mavis had requested the DAO in November 2021 to help handle the heavy transaction load.
“Axie DAO allowed Sky Mavis to sign various transactions on its behalf. This was discontinued in December 2021, but permission list access was not revoked,” Sky Mavis said in a blog post. "Once the attackers gained access to the Sky Mavis system, they were able to obtain signatures from the Axie DAO validators."
A month after the hack, Sky Mavis increased the number of its validator nodes to 11 and stated in a blog post that its long-term goal is to have more than 100.
Sky Mavis declined to comment on how the hacking was carried out. LinkedIn did not respond to multiple requests for comment.
Earlier today, ESET Research published an investigation showing that North Korea's Lazarus was abusing LinkedIn and WhatsApp to target aerospace and defense contractors by posing as recruiters. But the report did not link the technology to the Sky Mavis hack.
Sky Mavis raised $150 million in a funding round led by Binance in early April. Proceeds will be used, along with the company's own funds, to compensate users affected by the exploit. The company recently said it would begin returning funds to users on June 28. Ronin’s ethereum bridge was also restarted last week after it came to an abrupt stop at the time of the hack.
According to The Block Research, the pace of DeFi hacks has accelerated rapidly this year, totaling more than $2 billion in lost funds. On January 1, the figure was $760 million.