The truth! The reason why the Ronin cross-chain bridge was stolen was...
Few job applications have been more high-profile than a senior engineer at Axie Infinity, whose interest in joining a company that turned out to be fictitious led to one of the crypto industry's biggest hacks.
Ronin, the ethereum-linked sidechain behind earning game Axie Infinity, lost $540 million in cryptocurrency in an exploit in March. While the U.S. government later linked the incident to the North Korean hacking group Lazarus, it has not disclosed full details on how the exploit was carried out.
Now we reveal how a fake job ad destroyed Ronin.
A senior engineer at Axie Infinity was duped into applying for a job at a company that didn’t actually exist, according to two people with direct knowledge of the matter, who asked not to be named due to the sensitivity of the matter.
Axie Infinity's stats are impressive. In its heyday, workers in Southeast Asia were even able to earn a living by “playing and earning”. Its in-game NFTs had 2.7 million daily active users and $214 million in weekly transaction volume in November — though both numbers have since fallen sharply.
Earlier this year, people claiming to represent the fake company contacted employees of Axie Infinity developer Sky Mavis and encouraged them to apply for jobs, according to people familiar with the matter. One source added that the methods were carried out through the professional website LinkedIn.
After multiple rounds of interviews, an engineer at Sky Mavis was offered an extremely well-paid job, one of the sources said.
The fake "report" came in the form of a PDF document that the engineer downloaded -- allowing the spyware to infiltrate Ronin's systems. From there, hackers were able to attack and take over four of the nine validators on the Ronin network — leaving them with only one validator out of full control.
In a postmortem blog post about the hack published on April 27, Sky Mavis said: "Employees were continually subjected to advanced spear phishing attacks across various social channels and one employee was compromised. The employee is no longer with Sky. Mavis works. The attackers managed to exploit this access to infiltrate the Sky Mavis IT infrastructure and gain access to validating nodes."
Validators perform various functions in the blockchain, including creating blocks of transactions and updating data oracles. Ronin uses what it calls a "proof-of-authority" system to sign transactions, centralizing power in the hands of nine trusted participants.
A blog post by blockchain analytics firm Elliptic about the incident in April explained: “If five of the nine validators approve, the funds can be transferred out. The attacker managed to obtain private key, which is sufficient to steal cryptoassets.”
But after successfully infiltrating Ronin's system via fake job advertisements, the hackers took control of only four of the nine validators -- meaning they needed another validator to take control.
Sky Mavis revealed in a post-mortem analysis that the hackers managed to use Axie DAO (Decentralized Autonomous Organization), an organization set up to support the gaming ecosystem, to pull off the attack. Sky Mavis had requested the DAO in November 2021 to help handle the heavy transaction load.
“Axie DAO allowed Sky Mavis to sign various transactions on its behalf. This was discontinued in December 2021, but permission list access was not revoked,” Sky Mavis said in a blog post. "Once the attackers gained access to the Sky Mavis system, they were able to obtain signatures from the Axie DAO validators."
A month after the hack, Sky Mavis increased the number of its validator nodes to 11 and stated in a blog post that its long-term goal is to have more than 100.
Sky Mavis declined to comment on how the hacking was carried out. LinkedIndid not respond to multiple requests for comment.
Earlier today, ESET Research published an investigation showing that North Korea's Lazarus was abusing LinkedIn and WhatsApp to target aerospace and defense contractors by posing as recruiters. But the report did not link the technology to the Sky Mavis hack.
Sky Mavis raised $150 million in a funding round led by Binance in early April. Proceeds will be used, along with the company's own funds, to compensate users affected by the exploit. The company recently said it would begin returning funds to users on June 28. Ronin’s Ethereum bridge was also restarted last week after being abruptly stopped by a hack.
According to The Block Research, the pace of DeFi hacks has accelerated rapidly this year, totaling more than $2 billion in lost funds. On January 1, the figure was $760 million.