Engineer at Axie Infinity causes $600 million loss by falling for a fake job offer, plans to wreak havoc on former company!


The popular play-to-earn blockchain game Axie Infinity suffered a hack of its sidechain, Ronin, in March this year. The attacker took control of five of the nine private keys of the Ronin validator nodes, resulting in the loss of 173,600 ETH and $25.5 million. Axie Infinity only discovered the incident nearly a week later and stated that there was no tracking system to monitor large fund outflows. By the end of June this year, Ronin finally resumed official cross-chain bridge withdrawals, having compensated all users' losses and put measures in place to block suspicious withdrawals.

Reasons for Private Key Leakage?

How were the private keys leaked? The U.S. government investigation attributed the attack to the North Korean hacker group Lazarus but did not disclose the attack details; The Block recently obtained disclosures from sources and outlined a likely attack path:

According to two sources, a senior engineer at Sky Mavis, the developer of Axie Infinity, was lured into interviewing with a non-existent company on LinkedIn. When he downloaded a fake job-offer PDF, spyware was installed, giving the attackers a foothold in the Ronin system.

Additional reading: Explanation of PDF phishing attacks targeting creators, project parties, and KOLs

Sky Mavis also stated in its post-incident review: several employees were targeted by sophisticated spear-phishing attacks on different social platforms, and one employee was successfully compromised. That employee has since resigned. The attackers were then able to leverage that access to breach Sky Mavis' infrastructure and gain control of the validator nodes.

The Block reported that controlling the validation mechanism requires the signatures of at least five validator nodes, but the recruitment phishing scheme described above only gave the hackers control of four. The fifth came through Axie DAO, the decentralized autonomous organization that supports the game ecosystem. In November 2021, Sky Mavis had commissioned Axie DAO to help handle heavy transaction loads. Although the arrangement was only meant to last a month and was not continued, Axie DAO remained on the permission list and its access was never revoked. Therefore, once the hackers were inside the Sky Mavis system, they were also able to obtain the signature of the Axie DAO validator node.
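The failure mode described above, a threshold-signed bridge where a temporary allowlist grant was never revoked, can be modelled in a few lines. The following is an added illustration, not code from Sky Mavis, Ronin or The Block: validator names, the one-month grant window, and the attack date are constructed from the page's timeline (nine validators, five required, a November 2021 arrangement meant to last a month, an attack in March 2022). The `enforce_expiry` switch contrasts the stale-grant behaviour with a configuration that rejects expired delegations, and `stale_delegations` is the audit check an operator would run to catch such leftovers.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed model of a threshold-signed bridge: 9 validator slots, 5 needed.
THRESHOLD = 5
VALIDATORS = ["sm-1", "sm-2", "sm-3", "sm-4",      # slots run by the game developer (hypothetical names)
              "dao",                               # slot run by the DAO
              "ext-1", "ext-2", "ext-3", "ext-4"]  # independent slots


@dataclass(frozen=True)
class Delegation:
    """Allowlist entry: `delegate` may sign on behalf of `validator` until `expires`."""
    validator: str
    delegate: str
    expires: date


@dataclass
class BridgeConfig:
    validators: list
    threshold: int
    delegations: list = field(default_factory=list)
    enforce_expiry: bool = True  # False reproduces the 'never revoked' failure mode


def slots_for(config: BridgeConfig, signer: str, today: date) -> set:
    """Validator slots a single signing identity can fill on `today`."""
    slots = set()
    if signer in config.validators:
        slots.add(signer)
    for d in config.delegations:
        if d.delegate != signer:
            continue
        if config.enforce_expiry and today > d.expires:
            continue  # stale grant: ignored when expiry is enforced
        slots.add(d.validator)
    return slots


def approve_withdrawal(config: BridgeConfig, signatures: set, today: date):
    """Threshold check over distinct validator slots; returns (approved, slots_counted)."""
    counted = set()
    for s in signatures:
        counted |= slots_for(config, s, today)
    return len(counted) >= config.threshold, counted


def stale_delegations(config: BridgeConfig, today: date) -> list:
    """Audit helper: allowlist entries whose window has passed but that are still present."""
    return [d for d in config.delegations if today > d.expires]


# Constructed timeline: a one-month grant issued in November 2021, attack in March 2022.
GRANT_DAY = date(2021, 11, 1)
GRANT = Delegation(validator="dao", delegate="sm-1", expires=GRANT_DAY + timedelta(days=30))
ATTACK_DAY = date(2022, 3, 15)  # constructed; the page gives only the month

# Keys the phishing compromise is assumed to yield: the developer's four slots.
COMPROMISED_KEYS = {"sm-1", "sm-2", "sm-3", "sm-4"}

LEGACY_CONFIG = BridgeConfig(VALIDATORS, THRESHOLD, [GRANT], enforce_expiry=False)
HARDENED_CONFIG = BridgeConfig(VALIDATORS, THRESHOLD, [GRANT], enforce_expiry=True)

if __name__ == "__main__":
    for name, cfg in (("legacy", LEGACY_CONFIG), ("hardened", HARDENED_CONFIG)):
        ok, slots = approve_withdrawal(cfg, COMPROMISED_KEYS, ATTACK_DAY)
        print(f"{name}: {len(slots)}/{cfg.threshold} slots -> {'APPROVED' if ok else 'rejected'}")
    print("stale grants still on the allowlist:", stale_delegations(HARDENED_CONFIG, ATTACK_DAY))
```

Run as a script, the legacy configuration counts four compromised slots plus the expired DAO grant and reaches the threshold, while the hardened configuration stops at four. The point for operators is that a delegation is a credential: give it an expiry when it is issued, enforce that expiry at signing time, and periodically list what is still on the allowlist rather than relying on someone remembering to revoke it.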

Lazarus Continues to Employ the Same Tactics

ESET Research released a study showing that the North Korean hacker group Lazarus impersonates recruiters on LinkedIn, moves the conversation to WhatsApp or Slack, and approaches employees in the defense sector worldwide, building trust before sending malicious components to conduct espionage and steal funds. The report also mentions the Axie Infinity attack, but does not directly state whether the attack methods were the same. Analysis firm Elliptic earlier examined the money-laundering pattern that followed the Axie Infinity attack and found it consistent with Lazarus' typical methods.