A fake job offer allegedly led to Axie Infinity’s $600 million hack

Last August, the play-to-earn game Axie Infinity was on top of the world. The Pokémon-inspired game was earning developer Sky Mavis about $15 million in revenue per day, and some players in Southeast Asia were earning enough cryptocurrency to live on. Fast forward 11 months, and the price of Axie NFTs and the game’s Smooth Love Potion cryptocurrency have collapsed. There are many reasons, but one of the most important is a hack that took place in March.

A hacker exploited the Ronin blockchain that Axie Infinity uses to steal $620 million worth of cryptocurrency. Sky Mavis previously said this was achieved through a phishing scam, and the US government said Lazarus, a North Korean-backed hacking group, was behind the heist. A report by The Block on Wednesday revealed how the hack was socially engineered: with a fake job offer.

A senior engineer at Sky Mavis was targeted by “recruiters” on LinkedIn who claimed to want to hire him at their company, reports The Block, citing sources familiar with the matter. The recruitment process involved several interviews and ended with a job offer, sent as a PDF. The company, however, did not exist, and the PDF was laced with spyware.

Ronin is a Proof of Authority blockchain, which means that control over the network is given to a handpicked set of validators. At the time of the hack, Axie Infinity had nine validators, and a bad actor needed to control five of those nine to take control of Ronin. By comparison, to take full control of the bitcoin blockchain, which uses Proof of Work, a bad actor would need 51% of the electricity being used by all bitcoin miners in the world. While bitcoin is designed to be secure at all costs, Ronin’s sole purpose was to provide cheap and fast transactions for Axie Infinity players.

Image: a screenshot of the Axie Infinity Marketplace (credit: Sky Mavis).

Axie Infinity has players fight with and create Axie monsters, which are owned as NFTs. At their peak, lower-tier Axies were selling for over $300 each. They are now worth far less, with Axies often selling for under $10.

The spyware contained in that PDF, reports The Block, allowed the hacker to control four of Ronin’s nine validators. The hackers also had access to the community-run Axie DAO, which had access to yet another validator, bringing them to the five needed. Once they took control of the network, the hackers drained Axie Infinity’s hoard of $25 million in USDC stablecoin and 173,600 ether. After the dramatic drop in ether’s price, the total heist is now worth $229 million.
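The two passages above describe the mechanism in numbers: a Proof of Authority bridge releases funds when a threshold of its validator set has signed, so five of nine keys were enough, and four keys plus one reached through the DAO crossed that line. The following is an added example, not code from Sky Mavis or the Ronin project, that models such a threshold check so the arithmetic can be tested directly. It assumes HMAC-SHA256 secrets in place of the validators’ real signing keys, a made-up withdrawal message, and hypothetical validator names; the nine-validator set, the five-signature threshold and the four-plus-one split come from the article. It also goes one step beyond the article: the new 11-validator set is shown with two hypothetical thresholds, because the article gives the new count but not the new threshold.

```python
"""Constructed model of a Proof of Authority threshold authorization check."""
import hashlib
import hmac
import secrets


def make_validator_set(n):
    """Constructed validator set: each hypothetical validator gets a random
    32-byte secret standing in for its real signing key (assumption)."""
    return {f"validator-{i}": secrets.token_bytes(32) for i in range(1, n + 1)}


def sign(secret, message):
    """HMAC-SHA256 stands in for the validators' signature scheme (assumption)."""
    return hmac.new(secret, message, hashlib.sha256).digest()


def count_valid_signers(message, signatures, validator_set):
    """Count distinct validators with a valid signature over `message`.

    Signatures from unknown signers are ignored, and a validator that signed
    more than once is counted once, so replaying one signature cannot inflate
    the tally. This is the check a defender wants to see on the bridge side.
    """
    valid = set()
    for validator_id, sig in signatures:
        secret = validator_set.get(validator_id)
        if secret is None:
            continue
        if hmac.compare_digest(sign(secret, message), sig):
            valid.add(validator_id)
    return len(valid)


def withdrawal_authorized(message, signatures, validator_set, threshold):
    """The bridge releases funds only when the threshold of distinct valid
    validator signatures is met."""
    return count_valid_signers(message, signatures, validator_set) >= threshold


def sign_with_keys(message, held_keys, validator_set, repeats=1):
    """Signature list that a party holding the secrets in `held_keys` can
    produce; `repeats` lets the scenario below show that duplicates are inert."""
    return [(vid, sign(validator_set[vid], message))
            for vid in held_keys for _ in range(repeats)]


def ronin_scenario():
    """Figures from the article: nine validators, five needed, four keys taken
    via the spyware-laced PDF, one more reached through the Axie DAO."""
    message = b"constructed bridge withdrawal request"
    validators = make_validator_set(9)
    threshold = 5
    spyware_keys = ["validator-1", "validator-2", "validator-3", "validator-4"]
    dao_key = "validator-5"
    four = sign_with_keys(message, spyware_keys, validators)
    four_replayed = sign_with_keys(message, spyware_keys, validators, repeats=3)
    five = sign_with_keys(message, spyware_keys + [dao_key], validators)
    return {
        "four_keys": withdrawal_authorized(message, four, validators, threshold),
        "four_keys_replayed": withdrawal_authorized(message, four_replayed, validators, threshold),
        "five_keys": withdrawal_authorized(message, five, validators, threshold),
    }


def larger_set_scenario(threshold):
    """Hypothetical: the article says Ronin grew to 11 validators but gives no
    new threshold. Five compromised keys still suffice unless the threshold
    itself is raised, so the count alone is not the security parameter."""
    message = b"constructed bridge withdrawal request"
    validators = make_validator_set(11)
    five = sign_with_keys(message, [f"validator-{i}" for i in range(1, 6)], validators)
    return withdrawal_authorized(message, five, validators, threshold)


if __name__ == "__main__":
    print(ronin_scenario())
    print("11 validators, threshold 5 (hypothetical):", larger_set_scenario(5))
    print("11 validators, threshold 8 (hypothetical):", larger_set_scenario(8))
```

The point of `count_valid_signers` deduplicating by validator identity is that the threshold is meant to count independent parties, not signature bytes; the `larger_set_scenario` function makes the related point that growing the validator set only helps if the required number of signers grows with it.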

Sky Mavis was contacted for comment but did not immediately respond. In an April post-mortem, the Axie team wrote: “Sky Mavis employees are under constant advanced spear phishing attacks on various social channels and one employee has been compromised. This employee no longer works at Sky Mavis. The attacker succeeded in leveraging this access to penetrate Sky Mavis’ IT infrastructure and gain access to the validator nodes.”

Since the hack, Sky Mavis has tried to make amends with Axie players. Following a $150 million funding round in April, Sky Mavis is refunding players who lost cryptocurrency in the hack. For added security, Ronin now has 11 validators instead of nine.
