Rarely has a job application had a more spectacular outcome than in the case of an engineer at Sky Mavis, the developer of the crypto game Axie Infinity, whose interest in joining what turned out to be a fake company led to one of the biggest hacks in the crypto sector.
Ronin, the Ethereum-linked sidechain built for Axie Infinity to support its in-game economy, lost $540 million in cryptocurrency to an exploit in March. The US government later linked the incident to the North Korean hacking group Lazarus, but full details of how the attack was carried out have not been released.
A report by The Block revealed that the Ronin hack was the result of social engineering and a fake job posting.
According to two people with direct knowledge of the matter, who requested anonymity because of the sensitive nature of the incident, a senior engineer at Axie Infinity was tricked into applying for a job at a company that didn’t actually exist.
Axie Infinity was a huge project. At its peak, workers in Southeast Asia could even earn a living through the play-to-earn game. Last November, it boasted 2.7 million daily active users and $214 million in weekly trading volume for its in-game NFTs, though both numbers have since plummeted.
Earlier this year, employees of Sky Mavis, the developer of Axie Infinity, were approached by what turned out to be a fake company and encouraged to submit their resumes for jobs, according to people familiar with the matter. One source added that the approaches were made through LinkedIn, the professional networking and recruitment site.
It worked: after several rounds of interviews, the Sky Mavis engineer was offered the job with an extremely generous compensation package.
The fake “offer” was delivered as a spyware-infected PDF document, which the engineer downloaded to his work computer, giving the attackers a foothold in Ronin’s systems. From there, the hackers were able to attack and take over four of the nine validators on the Ronin network, leaving them one short of the five needed for full control.
In the blog post about the hack posted on April 27, Sky Mavis said: “The employees are under constant advanced spear-phishing attacks on various social channels and one employee was compromised. This employee no longer works at Sky Mavis. The attacker managed to leverage that access to penetrate Sky Mavis IT infrastructure and gain access to the validator nodes.”
Validators perform various functions in blockchains, including creating blocks of transactions and updating “data oracles.” Ronin uses a so-called “proof of authority” system to sign deals, concentrating power in the hands of nine trusted validators.
Elliptic’s April blog post on the incident explains: “Funds can be moved out if five of the nine validators approve it. The attacker managed to get hold of the private cryptographic keys belonging to five of the validators, which was enough to steal the cryptoassets.”
But after successfully breaking into Ronin’s systems through a fake job posting, the hackers only had full control of four of the nine validators, meaning they needed one more.
In a post, Sky Mavis revealed that the hackers managed to use the Axie DAO (Decentralized Autonomous Organization) — a group created to support the gaming ecosystem — to complete the heist. In November 2021, Sky Mavis asked the DAO to help handle the heavy transaction load.
“Axie DAO has placed Sky Mavis on the list of permissions to sign various transactions on its behalf. This was discontinued in December 2021, but access to the whitelist was not revoked,” Sky Mavis said in the blog post. “Once the attacker gained access to Sky Mavis’ systems, they were able to obtain the signature from the Axie DAO validator.”
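The mechanism described above, a threshold of validator approvals combined with a delegation allowlist that was never revoked, is easy to model. The following is an added example written for this page, not code from Sky Mavis, Ronin or the Axie DAO, and it is a toy: HMAC tags stand in for validator signatures, and every validator name, key, date and withdrawal message is constructed. It shows how four compromised validator keys plus one stale delegation reach a five-of-nine threshold when expiry is not enforced, how enforcing expiry blocks the same set of signatures, and how a routine audit would have surfaced the delegation that should have been revoked.

```python
# Added example (not from the article, Sky Mavis or Ronin): a toy model of a
# proof-of-authority bridge that releases funds only when a threshold of
# validators has signed, plus a delegation allowlist like the one the article
# describes. Names, keys, dates and amounts below are all constructed.
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple
import hashlib
import hmac

THRESHOLD = 5                 # five of nine validators must approve (as the article states)
CHECK_DATE = date(2022, 3, 1) # constructed "today" for the withdrawal and the audit


@dataclass(frozen=True)
class Signer:
    """A key holder: either a validator or an operator signing on a validator's behalf."""
    name: str
    key: bytes  # constructed HMAC key standing in for a real signing key

    def sign(self, msg: bytes) -> bytes:
        return hmac.new(self.key, msg, hashlib.sha256).digest()


@dataclass
class Delegation:
    validator: str           # validator that allowlisted someone else to sign for it
    operator: str            # who may sign on its behalf
    granted: date
    expires: Optional[date]  # None means open-ended, the weakest setting


@dataclass
class Bridge:
    validators: Dict[str, Signer]
    signers: Dict[str, Signer]                # every key holder, validators included
    delegations: List[Delegation] = field(default_factory=list)
    enforce_expiry: bool = True               # the hardening: stale delegations stop counting

    def _delegation_valid(self, d: Delegation, today: date) -> bool:
        if not self.enforce_expiry or d.expires is None:
            return True
        return today <= d.expires

    def count_approvals(self, msg: bytes, sigs: List[Tuple[str, str, bytes]], today: date) -> set:
        """sigs entries are (validator claimed, actual signer, signature).
        Returns the set of validators whose approval is accepted."""
        approved = set()
        for validator, signer_name, sig in sigs:
            if validator not in self.validators or signer_name not in self.signers:
                continue
            if not hmac.compare_digest(self.signers[signer_name].sign(msg), sig):
                continue  # bad signature
            if signer_name == validator:
                approved.add(validator)  # validator signed for itself
            elif any(d.validator == validator and d.operator == signer_name
                     and self._delegation_valid(d, today) for d in self.delegations):
                approved.add(validator)  # operator signed under an accepted delegation
        return approved

    def approve_withdrawal(self, msg: bytes, sigs: List[Tuple[str, str, bytes]], today: date) -> bool:
        return len(self.count_approvals(msg, sigs, today)) >= THRESHOLD


def stale_delegations(bridge: Bridge, today: date) -> List[Delegation]:
    """Audit helper: open-ended or expired delegations are the ones to revoke."""
    return [d for d in bridge.delegations if d.expires is None or today > d.expires]


def build_scenario(enforce_expiry: bool) -> Tuple[Bridge, List[Tuple[str, str, bytes]], bytes]:
    # Nine validators; v1..v4 and the operator key belong to the same organisation.
    validators = {f"v{i}": Signer(f"v{i}", f"constructed-key-{i}".encode()) for i in range(1, 10)}
    operator = Signer("org_ops", b"constructed-key-ops")
    signers = {**validators, operator.name: operator}
    bridge = Bridge(validators, signers, enforce_expiry=enforce_expiry)
    # Delegation granted for a temporary load spike and meant to end a month later.
    bridge.delegations.append(Delegation("v9", "org_ops", date(2021, 11, 1), date(2021, 12, 31)))
    msg = b"withdraw 1000 units to constructed-address"
    sigs = [(v, v, signers[v].sign(msg)) for v in ("v1", "v2", "v3", "v4")]
    sigs.append(("v9", "org_ops", operator.sign(msg)))  # the stale delegation in use
    return bridge, sigs, msg


def weak_bridge_releases() -> bool:
    """Expiry not enforced: 4 validator keys + 1 stale delegation = 5 approvals."""
    bridge, sigs, msg = build_scenario(enforce_expiry=False)
    return bridge.approve_withdrawal(msg, sigs, CHECK_DATE)


def hardened_bridge_releases() -> bool:
    """Expiry enforced: the delegated signature is rejected, only 4 approvals remain."""
    bridge, sigs, msg = build_scenario(enforce_expiry=True)
    return bridge.approve_withdrawal(msg, sigs, CHECK_DATE)


def stale_in_scenario() -> List[str]:
    """What a periodic allowlist audit would flag on CHECK_DATE."""
    bridge, _, _ = build_scenario(enforce_expiry=False)
    return [d.validator for d in stale_delegations(bridge, CHECK_DATE)]


if __name__ == "__main__":
    print("weak bridge releases funds:", weak_bridge_releases())
    print("hardened bridge releases funds:", hardened_bridge_releases())
    print("delegations to revoke:", stale_in_scenario())
```

The design point is that the threshold alone is not the control; the set of keys that can satisfy it is. A delegation turns one organisation's operator key into an extra validator vote, so delegations need an expiry the verifier enforces, plus a scheduled audit that lists anything still on the allowlist past its intended lifetime.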
A month after the breach, Sky Mavis increased the number of validator nodes to 11 and stated in a blog post that its long-term goal is to have more than 100.
Sky Mavis declined to comment on how the hack was carried out. LinkedIn also did not respond to multiple requests for comment.
ESET Research revealed that Lazarus hackers from North Korea were abusing LinkedIn and WhatsApp posing as headhunters looking for specialists for aerospace and defense contractors. But the report did not tie the technique to the Sky Mavis hack.
Sky Mavis raised $150 million in a funding round led by Binance in early April. The funds received will be used along with the company’s own funds to reimburse users affected by the exploit. The company recently announced that it has begun issuing refunds to users.