<p><span style="font-weight: 400;">Rarely has a job application backfired more spectacularly than in the case of one senior engineer at Axie Infinity, whose interest in joining what turned out to be a fictitious company led to one of the crypto sector’s biggest hacks. </span><span style="font-weight: 400;"> </span></p> <p><span style="font-weight: 400;">Ronin, the Ethereum-linked sidechain that underpins play-to-earn game Axie Infinity, </span><a href="https://www.theblock.co/post/139761/axie-infinitys-ethereum-sidechain-ronin-hit-by-600-million-exploit"><span style="font-weight: 400;">lost $540 million</span></a><span style="font-weight: 400;"> in crypto to an exploit in March. While the US government later </span><a href="https://www.coindesk.com/policy/2022/04/14/us-officials-tie-north-korean-hacker-group-to-axies-ronin-exploit/"><span style="font-weight: 400;">tied the incident</span></a><span style="font-weight: 400;"> to North Korean hacking group Lazarus, full details of how the exploit was carried out have not been disclosed. </span></p> <p><span style="font-weight: 400;">The Block can now reveal that a fake job ad was Ronin’s undoing. </span></p> <p><span style="font-weight: 400;">According to two people with direct knowledge of the matter, who were granted anonymity due to the sensitive nature of the incident, a senior engineer at Axie Infinity was duped into applying for a job at a company that, in reality, did not exist. </span></p> <p><span style="font-weight: 400;">Axie Infinity was huge. At its peak, workers in Southeast Asia were even </span><a href="https://restofworld.org/2021/axie-infinity/"><span style="font-weight: 400;">able to earn a living</span></a><span style="font-weight: 400;"> through the play-to-earn game. 
It boasted </span><a href="https://afkgaming.com/esports/news/report-axie-infinity-was-losing-player-count-even-before-the-crypto-hack"><span style="font-weight: 400;">2.7 million daily active users</span></a><span style="font-weight: 400;"> and </span><a href="https://www.theblock.co/linked/150320/pay-to-earn-game-axie-infinitys-revenue-continues-to-slide"><span style="font-weight: 400;">$214 million</span></a><span style="font-weight: 400;"> in weekly trading volume for its in-game NFTs in November last year — although both numbers have since plummeted.</span></p> <p><span style="font-weight: 400;">Earlier this year, staff at Axie Infinity developer Sky Mavis were approached by people purporting to represent the fake company and encouraged to apply for jobs, according to the people familiar with the matter. One source added that the approaches were made through the professional networking site LinkedIn. </span></p> <p><span style="font-weight: 400;">After what one source described as multiple rounds of interviews, a Sky Mavis engineer was offered a job with an extremely generous compensation package. </span></p> <p><span style="font-weight: 400;">The fake “offer” was delivered as a PDF document, which the engineer downloaded. The document carried malware that gave the attackers a foothold inside Sky Mavis’s infrastructure, the systems from which Ronin’s validator nodes were run. From there the hackers took over four of the nine validators on the Ronin network, leaving them one signature short of the five-of-nine threshold required to approve a withdrawal from the bridge. </span></p> <p><span style="font-weight: 400;">In </span><a href="https://roninblockchain.substack.com/p/back-to-building-ronin-security-breach"><span style="font-weight: 400;">a post-mortem</span></a><span style="font-weight: 400;"> blog post on the hack, published April 27, Sky Mavis said: “Employees are under constant advanced spear-phishing attacks on various social channels and one employee was compromised. This employee no longer works at Sky Mavis. 
The attacker managed to leverage that access to penetrate Sky Mavis IT infrastructure and gain access to the validator nodes.”</span></p> <p><span style="font-weight: 400;">Validators fulfill various functions in blockchains, including producing transaction blocks and updating data oracles. Ronin uses a so-called “proof of authority” system, in which block production and the signing of bridge transactions are entrusted to a fixed set of nine known validators rather than to an open set of miners or stakers; a withdrawal across the bridge goes through once five of the nine have signed it.</span></p> <p><span style="font-weight: 400;">An April </span><a href="https://www.elliptic.co/blog/540-million-stolen-from-the-ronin-defi-bridge"><span style="font-weight: 400;">blog post</span></a><span style="font-weight: 400;"> on the incident from blockchain analysis firm Elliptic explains: “Funds can be moved out if five of the nine validators approve it. The attacker managed to get hold of the private cryptographic keys belonging to five of the validators, which was enough to steal the cryptoassets.”</span></p> <p><span style="font-weight: 400;">But after infiltrating Sky Mavis through the fake job ad, the hackers controlled only four of the nine validators. They needed one more signature to reach the threshold. </span></p> <p><span style="font-weight: 400;">In its </span><a href="https://roninblockchain.substack.com/p/back-to-building-ronin-security-breach"><span style="font-weight: 400;">post-mortem</span></a><span style="font-weight: 400;">, Sky Mavis revealed that the hackers managed to use the Axie DAO (Decentralized Autonomous Organization), a group set up to support the gaming ecosystem, to complete the heist. Sky Mavis had asked the DAO for help dealing with a heavy transaction load in November 2021. </span></p> <p><span style="font-weight: 400;">“The Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf. This was discontinued in December 2021, but the allowlist access was not revoked,” said Sky Mavis in the blog post. 
“Once the attacker got access to Sky Mavis systems they were able to get the signature from the Axie DAO validator.”</span></p> <p><span style="font-weight: 400;">The stale allowlist entry was what turned a compromise of Sky Mavis’s own systems into a fifth approval: the standing permission for Sky Mavis to request signatures from the Axie DAO’s validator had outlived the reason it was granted by several months. </span></p> <p><span style="font-weight: 400;">A month after the hack, Sky Mavis had increased the number of its validator nodes to 11, and said in the blog post that its long-term goal was to have more than 100. A larger validator set only raises the bar if the approval threshold rises with it and delegated signing rights such as the DAO allowlist are revoked as soon as they are no longer needed. </span><span style="font-weight: 400;"> </span></p> <p><span style="font-weight: 400;">Reached for comment, Sky Mavis declined to say how the hack was carried out. LinkedIn did not respond to multiple requests for comment.</span></p> <p><span style="font-weight: 400;">Earlier today, ESET Research </span><a href="https://www.computerweekly.com/news/252522378/ESET-Lazarus-APT-hit-aero-defence-sector-with-fake-job-ads"><span style="font-weight: 400;">published an investigation</span></a><span style="font-weight: 400;"> showing that North Korea’s Lazarus had abused LinkedIn and WhatsApp by posing as recruiters to target aerospace and defense contractors. But the report did not tie that technique to the Sky Mavis hack. </span></p> <p><span style="font-weight: 400;">Sky Mavis </span><a href="https://www.theblock.co/post/140800/sky-mavis-raises-150-million-from-binance-to-reimburse-ronin-hack-victims"><span style="font-weight: 400;">raised $150 million</span></a><span style="font-weight: 400;"> in a round led by Binance in early April. The proceeds will be used alongside the company’s own funds to reimburse users affected by the exploit. The company </span><a href="https://www.coindesk.com/business/2022/06/24/axie-infinity-developer-sky-mavis-to-reimburse-victims-of-ronin-bridge-hack/"><span style="font-weight: 400;">said recently</span></a><span style="font-weight: 400;"> that it would begin returning funds to users on June 28. 
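</span></p> <p><span style="font-weight: 400;">The mechanics described above, a five-of-nine approval threshold plus a signing allowlist that was never revoked, can be replayed in a few dozen lines. What follows is an added example written for this page, not Sky Mavis or Ronin code: the validator names, key material, the requester identity "sky-mavis-rpc" and the withdrawal message are all constructed for the illustration, and HMAC-SHA256 stands in for the ECDSA signatures a real bridge contract would verify.</span></p>

```python
"""Threshold-approval bridge with a delegated-signing allowlist.

Added example for this article, not Sky Mavis / Ronin code. HMAC-SHA256 is a
stand-in for ECDSA; validator names, keys, the requester id and the
withdrawal message are constructed for the illustration.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

THRESHOLD = 5  # five of nine validators must approve a withdrawal


def _mac(key: bytes, msg: bytes) -> str:
    """Stand-in signature: HMAC-SHA256 over the withdrawal message."""
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class ValidatorNode:
    """One validator: its signing key plus an allowlist of remote requesters
    whose signing requests it will honor (the delegation the Axie DAO granted
    to Sky Mavis in the article)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._key = secrets.token_bytes(32)
        self.allowlisted: set = set()

    def verification_key(self) -> bytes:
        # With HMAC the verifier needs the shared key; an ECDSA bridge would
        # store the validator's public address instead.
        return self._key

    def sign(self, msg: bytes) -> str:
        return _mac(self._key, msg)

    def sign_for(self, requester: str, msg: bytes) -> Optional[str]:
        """Sign on behalf of a remote requester, but only if it is allowlisted."""
        if requester not in self.allowlisted:
            return None
        return self.sign(msg)


class Bridge:
    """Releases funds once `threshold` distinct validators have signed."""

    def __init__(self, nodes: List[ValidatorNode], threshold: int) -> None:
        self.keys: Dict[str, bytes] = {n.name: n.verification_key() for n in nodes}
        self.threshold = threshold

    def count_approvals(self, msg: bytes, sigs: Dict[str, str]) -> int:
        approvals = 0
        for name, sig in sigs.items():  # dict keys: at most one vote per validator
            key = self.keys.get(name)
            if key is None:
                continue  # not a validator at all
            if hmac.compare_digest(_mac(key, msg), sig):
                approvals += 1  # only a signature that verifies under that validator's key counts
        return approvals

    def authorize_withdrawal(self, msg: bytes, sigs: Dict[str, str]) -> bool:
        return self.count_approvals(msg, sigs) >= self.threshold


def run_scenario(stale_allowlist: bool) -> Tuple[bool, int]:
    """Replay the attack path. Returns (approved, number_of_valid_approvals)."""
    sky_mavis_nodes = [ValidatorNode(f"sky-mavis-{i}") for i in range(1, 5)]
    other_nodes = [ValidatorNode(f"validator-{i}") for i in range(5, 9)]
    dao = ValidatorNode("axie-dao")
    bridge = Bridge(sky_mavis_nodes + other_nodes + [dao], THRESHOLD)

    # November 2021: the DAO allowlists Sky Mavis's requester identity so it can
    # obtain signatures on the DAO's behalf. The revocation that should have
    # followed in December is what the stale_allowlist flag toggles.
    dao.allowlisted.add("sky-mavis-rpc")
    if not stale_allowlist:
        dao.allowlisted.discard("sky-mavis-rpc")

    withdrawal = b"constructed: withdraw all bridge funds to 0xattacker"

    # The attacker, inside Sky Mavis infrastructure, holds the four Sky Mavis keys...
    sigs = {n.name: n.sign(withdrawal) for n in sky_mavis_nodes}
    # ...and can present itself to the DAO node as the allowlisted requester.
    dao_sig = dao.sign_for("sky-mavis-rpc", withdrawal)
    if dao_sig is not None:
        sigs[dao.name] = dao_sig

    # A forged signature for a validator whose key the attacker lacks is ignored.
    sigs[other_nodes[0].name] = _mac(secrets.token_bytes(32), withdrawal)

    return bridge.authorize_withdrawal(withdrawal, sigs), bridge.count_approvals(withdrawal, sigs)


if __name__ == "__main__":
    print("stale allowlist:  ", run_scenario(stale_allowlist=True))   # (True, 5)
    print("allowlist revoked:", run_scenario(stale_allowlist=False))  # (False, 4)
```

<p><span style="font-weight: 400;">With the allowlist left in place the withdrawal is approved on five valid approvals, four from the compromised keys and one obtained by asking the DAO node as an allowlisted requester; with the entry revoked the same attacker stops at four and the bridge refuses. The count is keyed on validator name and checked against each validator’s own key, so replaying a compromised signature under another validator’s name, or forging one without that key, adds nothing.</span></p> <p><span style="font-weight: 400;">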
After coming to a sudden halt at the time of the hack, Ronin’s Ethereum bridge also </span><a href="https://www.theblock.co/post/153984/axie-infinitys-ronin-ethereum-bridge-to-restart-next-week"><span style="font-weight: 400;">relaunched last week</span></a><span style="font-weight: 400;">.</span></p> <p><span style="font-weight: 400;">The rate of DeFi hacks has accelerated rapidly this year, topping $2 billion in total funds lost, according to </span><a href="https://www.theblockcrypto.com/data/decentralized-finance/exploits/funds-stolen-by-defi-attackers"><span style="font-weight: 400;">The Block Research data</span></a><span style="font-weight: 400;">. On January 1, the number stood at $760 million. </span></p> <p><iframe frameborder="0" height="420" src="https://embed.theblockcrypto.com/data/decentralized-finance/exploits/funds-stolen-by-defi-attackers/embed" title="Funds stolen by DeFi attackers" width="100%"></iframe></p><br /><span class="copyright"><p>© 2023 The Block Crypto, Inc. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.</p> </span>