Today, we will tell a story about how a fake job offer lured Sky Mavis employees, leading to one of the biggest hacks in blockchain gaming and the crypto industry.
Axie Infinity uses the Ronin Bridge, an Ethereum side-chain built exclusively for Axie Infinity. A fake job posting led to its compromise, and the hackers stole $540 million worth of crypto. On June 28, Axie Infinity finally re-opened the Ronin Bridge, promising to reimburse its users for all the stolen funds.
According to the US government, a North Korea-based hacker group called Lazarus was responsible for this hack. The officials didn’t disclose much inside information but let two insiders speak, whose identities remain anonymous. A senior engineer at Axie Infinity saw an ad for a job posting and applied for it. The ad was fake, and the job didn’t exist.
The Job Posting
According to a source, a senior staff member at Axie Infinity was approached by a fake recruiter via LinkedIn to apply for an exotic position. To make it look real, the “company” even conducted interviews and fake-hired candidates. After some interviews, some of them were offered excellent pay.
Those who were selected received the acceptance letter as a PDF file. When the employee opened the PDF, it infiltrated the Ronin system, leaving it open to attackers stealing assets. To complete the heist, the hackers used the Axie DAO, because its permission to sign transactions was still valid.
“The attacker managed to get control over five of the nine validator private keys — 4 Sky Mavis validators and 1 Axie DAO — in order to forge fake withdrawals. This resulted in 173,600 Ethereum, and 25.5M USDC drained from the Ronin bridge in two transactions,” reported the Ronin Bridge post-mortem.
“The Axie DAO allows Sky Mavis to sign various transactions on its behalf. This was discontinued in December 2021, but the permission list access has not been revoked…Once the attackers gained access to the Sky Mavis system, they were able to obtain signatures from the Axie DAO validator,” said Sky Mavis.
One month after the hack, Sky Mavis increased the number of validator nodes from 9 to 11. They later indicated in a blog post that they plan to increase the number to 100. They didn’t comment on how the hack took place, for obvious reasons.
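The post-mortem quotes above describe two conditions a validator-set review can check for: one operator reaching the signing threshold on its own, and an allowlist entry that outlived its purpose. The following audit sketch is an added example, not Sky Mavis code. The validator identifiers, the "partner" operators and the threshold of five are constructed assumptions based on the "five of the nine" figure in the quote.

```python
from collections import defaultdict

# Constructed model of the nine-validator set described in the post-mortem quote.
# Key ids and operators "partner-a".."partner-d" are placeholders, not real names.
VALIDATORS = {
    "sm-1": "sky-mavis", "sm-2": "sky-mavis", "sm-3": "sky-mavis", "sm-4": "sky-mavis",
    "axie-dao-1": "axie-dao",
    "p-a": "partner-a", "p-b": "partner-b", "p-c": "partner-c", "p-d": "partner-d",
}
# Allowlist entries: (validator key, operator allowed to request its signature, still needed?)
DELEGATIONS = [("axie-dao-1", "sky-mavis", False)]  # arrangement ended, entry never revoked
THRESHOLD = 5  # assumption: five of nine signatures approve a withdrawal


def effective_control(validators, delegations):
    """Return {operator: set of validator keys it can cause to sign}."""
    control = defaultdict(set)
    for key, operator in validators.items():
        control[operator].add(key)
    for key, delegate, _needed in delegations:
        control[delegate].add(key)  # a signing delegation counts like holding the key
    return dict(control)


def keys_still_needed(validators, delegations, threshold):
    """Independent keys still missing for a quorum if one operator is fully compromised."""
    control = effective_control(validators, delegations)
    return {op: max(0, threshold - len(keys)) for op, keys in control.items()}


def audit(validators, delegations, threshold):
    """List stale allowlist entries and operators that alone reach the threshold."""
    findings = [("stale-delegation", delegate, key)
                for key, delegate, needed in delegations if not needed]
    for op, missing in keys_still_needed(validators, delegations, threshold).items():
        if missing == 0:
            findings.append(("single-operator-quorum", op, threshold))
    return findings


if __name__ == "__main__":
    print(audit(VALIDATORS, DELEGATIONS, THRESHOLD))  # with the stale entry in place
    print(audit(VALIDATORS, [], THRESHOLD))           # after revoking it
```

With the stale entry removed, the largest operator in this model is one key short of the threshold, so a single internal compromise no longer yields a quorum.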