The popular P2E crypto game Axie Infinity was reportedly hacked using a complex phishing scheme involving fake LinkedIn job offers.
Remember our article about Axie Infinity where we mentioned the infamous March hack that drained Sky Mavis’ treasury for the equivalent of $625 million? Later the US government tied the incident to a North Korean hacker group Lazarus. Now it seems like there is a new dimension to this story. According to two people with direct information about the event, a senior engineer at Axie Infinity was tricked into applying for a job at a fictional company.
Earlier this year, people approached Sky Mavis’ staff and encouraged them to apply for jobs at a fake company they claimed to represent. They allegedly contacted the staff via the professional networking site LinkedIn. When employees showed interest in the job offerings, the attackers put them through several rounds of fake job interviews and then presented a generous fake compensation package. This culminated with one senior engineer opening a PDF file that supposedly contained an official job offer from the fake company; that was how spyware infiltrated Ronin’s systems. From there, the hackers were able to attack and take over four of Ronin’s nine validators, one validator short of total control.
In a post-mortem blog post about the hack, published at the end of April, Sky Mavis blamed “advanced spear-phishing attacks” that compromised one employee who no longer works there. However, they didn’t explain the mechanism of the hack.
Validators are used for many things in a blockchain, including creating transaction blocks and updating data oracles. Ronin, the blockchain network behind Axie Infinity, uses a proof-of-authority scheme for validating transactions, with nine trusted actors who hold all the authority. The hackers took over four validators, but five signatures are needed to move assets, so how did they do it while still lacking one? They used the Axie DAO, which supported the gaming ecosystem, to complete the hack. As it turns out, Sky Mavis had asked the DAO for help in November 2021 when it was facing a high transaction load.
“The Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf. This was discontinued in December 2021, but the allowlist access was not revoked. Once the attacker got access to Sky Mavis systems they were able to get the signature from the Axie DAO validator.”
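The threshold-and-allowlist arithmetic described in the two paragraphs above can be modelled in a few lines. The following is an added example, not Sky Mavis’ code or a reproduction of the Ronin bridge contract: it is a simplified model in which a withdrawal needs a threshold of validator signatures, and one validator may allowlist another to sign on its behalf. The validator names, the expiry date on the allowlist entry and the sample signer set are constructed for illustration. It shows why a delegation that is no longer used but still in force counts toward the threshold, and how an expiry check plus explicit revocation closes that gap.

```python
from dataclasses import dataclass, field
from datetime import date

# Threshold-signature model with delegation (allowlisting). Constructed values:
# nine validators, five required, and one stale allowlist entry.
THRESHOLD = 5
VALIDATORS = [f"validator-{i}" for i in range(1, 10)]


@dataclass
class Delegation:
    principal: str      # validator whose signature is being delegated
    delegate: str       # party allowed to sign on the principal's behalf
    expires: date       # intended end of the arrangement


@dataclass
class Bridge:
    threshold: int
    validators: list
    delegations: list = field(default_factory=list)

    def effective_signers(self, signers):
        """Validators whose signature a set of controlled keys can produce:
        the keys themselves plus every principal that allowlisted one of them."""
        held = set(signers) & set(self.validators)
        for d in self.delegations:
            if d.delegate in signers:
                held.add(d.principal)
        return held

    def can_withdraw(self, signers):
        return len(self.effective_signers(signers)) >= self.threshold

    def stale_delegations(self, today):
        """Allowlist entries whose intended end date has passed but that were
        never revoked; this is the control that should be audited regularly."""
        return [d for d in self.delegations if d.expires < today]

    def revoke(self, principal, delegate):
        self.delegations = [
            d for d in self.delegations
            if not (d.principal == principal and d.delegate == delegate)
        ]


def build_bridge():
    # validator-9 stands in for a DAO validator that allowlisted validator-1
    # (the operator) in late 2021; the arrangement ended but was not revoked.
    bridge = Bridge(THRESHOLD, VALIDATORS)
    bridge.delegations.append(
        Delegation("validator-9", "validator-1", expires=date(2021, 12, 31))
    )
    return bridge


def compromised_keys():
    # Constructed: an attacker holding four of the nine validator keys.
    return {"validator-1", "validator-2", "validator-3", "validator-4"}


def outcome_before_revocation():
    bridge = build_bridge()
    return bridge.can_withdraw(compromised_keys())


def outcome_after_revocation():
    bridge = build_bridge()
    for d in bridge.stale_delegations(today=date(2022, 3, 23)):
        bridge.revoke(d.principal, d.delegate)
    return bridge.can_withdraw(compromised_keys())


if __name__ == "__main__":
    print("withdrawal possible with stale allowlist:", outcome_before_revocation())
    print("withdrawal possible after revocation:   ", outcome_after_revocation())
```

The point of the model is that the threshold is only as strong as the smallest set of keys that can reach it: four compromised keys plus one unrevoked delegation is five signatures. `stale_delegations` is the kind of check a periodic access review would run so that a temporary allowlist does not quietly outlive its purpose.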
To improve security, Sky Mavis increased the number of its validator nodes to 11 and is now working towards one hundred. Neither Sky Mavis nor LinkedIn commented on the new details of the hack.
After the hack, Sky Mavis promised to reimburse the victims and repair Ronin’s Ethereum bridge. The bridge was relaunched in June, three months after the hack. Meanwhile, the Lazarus Group is also suspected of being behind the recent $100 million altcoin heist from the Harmony Horizon bridge. The amount of funds lost to DeFi hacks has grown sharply this year, topping $2 billion according to research data from The Block.