Takeaways:

  • Hackers tricked an Axie Infinity senior engineer into applying for a position at a fictional company.
  • Earlier this year, the fraud caused the loss of $540 million in cryptocurrency.
  • The Block revealed information about the hacking operation for the first time.

Rarely has a job application gone as horribly wrong as it did for one senior developer at Axie Infinity, whose desire to work for what turned out to be a fictitious firm resulted in one of the largest hacks in the cryptocurrency industry.

In March, an exploit cost Ronin, the Ethereum-linked sidechain that powers the play-to-earn game Axie Infinity, $540 million in cryptocurrency. US authorities later linked the incident to the North Korean hacker collective Lazarus, but the full details of how the exploit was carried out have not been made public.

Ronin’s downfall was caused by a false job ad, The Block can now reveal.

A senior developer at Axie Infinity was tricked into applying for a position at a firm that didn’t exist, according to two people with direct knowledge of the situation who requested anonymity owing to the sensitive nature of the event.

Axie Infinity was big. At its height, the play-to-earn game allowed players in Southeast Asia to support themselves. In November of last year, it touted 2.7 million daily active users and $214 million in weekly trading volume for its in-game NFTs, though both figures have since declined.

People claiming to be from the fictitious company approached employees at Axie Infinity creator Sky Mavis earlier this year and encouraged them to apply for jobs, according to the people familiar with the situation. One source further said that the approaches were made through LinkedIn, the professional networking website.

One insider said there were several rounds of interviews before a Sky Mavis engineer was given a job offer with an extremely generous salary.

The engineer downloaded a PDF document that included the fraudulent “offer,” which allowed spyware to infiltrate Ronin’s systems. From there, hackers were able to attack and seize control of four out of the network’s nine validators, putting them one validator away from absolute control.

Sky Mavis stated the following in a blog post on the hack published on April 27: “Employees are constantly subject to sophisticated spear-phishing assaults on numerous social networks, and one employee was hacked. This worker is no longer employed with Sky Mavis. Utilizing this access, the attacker was able to break into Sky Mavis’ IT system and get to the validator nodes.”

In blockchains, validators perform a number of tasks, such as building transaction blocks and updating data oracles. Ronin concentrates power in nine trusted validators that sign transactions under a scheme known as “proof of authority.”

According to a blockchain analysis company’s blog post from April about the incident, “Funds can be moved out if five of the nine validators allow it. Five of the validators’ private cryptographic keys were obtained by the attacker, which was sufficient to steal the cryptoassets.”

However, after breaking into Ronin’s systems through the fake job ad, the hackers only had access to four of the nine validators, so they still needed one more to seize control.

According to Sky Mavis’ post-mortem, the thieves completed the heist by way of the Axie DAO (Decentralized Autonomous Organization), an organization created to support the game’s ecosystem. Sky Mavis had requested assistance from the DAO in November 2021 because of a high transaction load.

The Axie DAO gave Sky Mavis permission to sign a number of transactions on its behalf. That arrangement was discontinued in December 2021, but the allowlist access was never revoked, according to Sky Mavis’ blog post: “The attacker was able to obtain the signature from the Axie DAO validator once they gained access to Sky Mavis systems.”
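To make the failure mode concrete, here is a small model of a k-of-n validator threshold with delegated signing authority. It is an added illustration, not code from Ronin, Sky Mavis or the Axie DAO: the validator names, the operator key, the scenario date and the `Delegation` record are constructed assumptions that mirror what the article describes (nine validators, five signatures required, one validator's authority delegated to Sky Mavis and never revoked). It shows that an attacker holding four validator keys is short of the threshold until a stale allowlist entry lends them a fifth, and how bounding the delegation to the period it was needed removes that path; a defender-side audit function lists open-ended delegations so they can be cleaned up.

```python
"""Model of a five-of-nine validator threshold with delegated signing rights.

Added example; not Ronin's, Sky Mavis' or the Axie DAO's code. All names,
dates and the delegation record below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set

THRESHOLD = 5  # five of nine signatures release funds, as the article states

# Constructed validator names: four run by Sky Mavis, one by the Axie DAO,
# four others. Nine in total.
VALIDATORS = frozenset([
    "sky-mavis-1", "sky-mavis-2", "sky-mavis-3", "sky-mavis-4",
    "axie-dao",
    "validator-6", "validator-7", "validator-8", "validator-9",
])


@dataclass(frozen=True)
class Delegation:
    grantor: str              # validator lending out its signing authority
    grantee: str              # operator key allowed to sign on the grantor's behalf
    expires: Optional[date]   # None models an open-ended allowlist entry nobody revoked


@dataclass
class BridgePolicy:
    delegations: List[Delegation] = field(default_factory=list)

    def effective_signers(self, controlled_keys: Set[str], today: date) -> Set[str]:
        """Validators whose signatures someone holding `controlled_keys` can produce.

        Directly held validator keys count; so does any validator that has a
        live delegation to one of the held keys.
        """
        signers = set(controlled_keys) & VALIDATORS
        for d in self.delegations:
            live = d.expires is None or today <= d.expires
            if d.grantee in controlled_keys and d.grantor in VALIDATORS and live:
                signers.add(d.grantor)
        return signers

    def withdrawal_authorized(self, controlled_keys: Set[str], today: date) -> bool:
        """True when the held keys plus live delegations reach the threshold."""
        return len(self.effective_signers(controlled_keys, today)) >= THRESHOLD

    def open_ended_delegations(self) -> List[Delegation]:
        """Audit helper: allowlist entries with no expiry, which are the ones
        that silently outlive the arrangement that justified them."""
        return [d for d in self.delegations if d.expires is None]


# Constructed scenario: the attacker holds the four Sky Mavis validator keys
# plus the Sky Mavis operator key that the DAO had allowlisted.
COMPROMISED = {"sky-mavis-1", "sky-mavis-2", "sky-mavis-3", "sky-mavis-4", "sky-mavis-ops"}
SCENARIO_DAY = date(2022, 3, 1)  # constructed date, some time in March 2022


def stale_allowlist_policy() -> BridgePolicy:
    """What the article describes: the DAO's entry outlived the December 2021 arrangement."""
    return BridgePolicy([Delegation("axie-dao", "sky-mavis-ops", expires=None)])


def expiring_allowlist_policy() -> BridgePolicy:
    """Hardened form: the same delegation, bounded to the period it was needed for."""
    return BridgePolicy([Delegation("axie-dao", "sky-mavis-ops", expires=date(2021, 12, 31))])


if __name__ == "__main__":
    for label, policy in (("stale", stale_allowlist_policy()),
                          ("expiring", expiring_allowlist_policy())):
        signers = policy.effective_signers(COMPROMISED, SCENARIO_DAY)
        print(f"{label:9s} signers={len(signers)}/{THRESHOLD}",
              "AUTHORIZED" if policy.withdrawal_authorized(COMPROMISED, SCENARIO_DAY) else "blocked",
              "open-ended delegations:", len(policy.open_ended_delegations()))
```

The point the model makes is that key compromise and authorization sprawl compound: four stolen keys alone are blocked, and the unexpired delegation is what turns them into a quorum. Running `open_ended_delegations()` as a periodic check, and refusing to create delegations without an expiry in the first place, is the cheap control that would have surfaced the entry the post-mortem describes.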

Sky Mavis upped the number of its validator nodes to 11 a month after the hack and stated in the blog post that its long-term objective was to have more than 100.

When contacted, Sky Mavis declined to comment on the hack’s methodology. Multiple inquiries for comment from LinkedIn went unanswered.

ESET Research revealed earlier today that Lazarus, the North Korean hacking group, had used WhatsApp and LinkedIn to target aerospace and defense businesses by impersonating recruiters. The research did not connect that method to the Sky Mavis breach.

Early in April, Sky Mavis raised $150 million in a funding round led by Binance. The money raised will be combined with company resources to compensate users who were harmed by the exploit. The company recently announced that it would start reimbursing users’ funds on June 28. Ronin’s Ethereum bridge also restarted last week, having been halted abruptly at the time of the hack.

According to data from The Block Research, the number of DeFi attacks has increased significantly this year, with over $2 billion in total funds lost. The comparable figure stood at $760 million as of January 1.