source:The Block
Original author: Ryan Weeks
Translation:Katie Gu, Odaily Planet日报
Earlier this year, hackers tricked a senior engineer at Axie Infinity into applying to a fictitious company, ultimately resulting in Axie Infinity losing $540 million in cryptocurrency. Below are the details of the Axie Infinity hack, as reported by The Block.
Few things are more provocative than the job search experience of an Axie Infinity senior engineer. His interest in joining the fictitious company ultimately sparked one of the largest hacking attacks in the crypto industry.
Last November, the number of daily active users of Axie Infinity in-game NFTs at one point reached 2.7 million, with weekly transaction volume reaching $214 million (both numbers have since declined significantly).
In March of this year, Ronin, the Ethereum sidechain of Axie Infinity, a leader in P2E chain games, lost $540 million in cryptocurrency. The U.S. government later linked the incident to the North Korean hacker group Lazarus, but full details about how the attack was carried out have not been made public. In fact, it was just one fake recruitment ad that destroyed Ronin. Two people with knowledge of the case said a senior engineer at Axie Infinity was tricked into applying for a position at the company that did not actually exist. Because of the sensitivity of the case, the two people requested anonymity.
According to well-informed sources, earlier this year, someone calling themselves the fake company contacted an employee of Axie Infinity developer Sky Mavis via LinkedIn and WhatsApp and lured him in with a new job opportunity. According to reports, after several rounds of interviews, an engineer at Sky Mavis was offered a very high salary.
The fake offer was sent as a PDF file, which the engineer downloaded—which allowed the Trojan to infiltrate Ronin’s systems. From then on, the hackers were able to attack and take over four of the Ronin network’s nine validators, with one more validator needed to gain full control.
Analyzing the hacking attack in a blog post published on April 27, Sky Mavis said, “Employees continued to be attacked by advanced phishing networks on various social channels, and one of the employees was attacked. This employee was further attacked. “The attacker no longer works at Sky Mavis and used this access to infiltrate Sky Mavis’ IT infrastructure and gain access to the verifier node.”
Verifiers can perform a variety of functions in the blockchain, including creating transaction blocks and updating data oracles. Ronin uses a ‘proof of authority’ system to sign transactions, centralizing authority in the hands of nine trusted validators.
Blockchain analytics company Elliptic wrote in a blog post in April of this year, “Funds can only move if five out of nine validators approve. The attackers succeeded in obtaining the private cryptographic keys of five validators, which could be used to steal crypto assets. “It’s enough,” he explained.
However, after successfully infiltrating Ronin’s systems through fake job advertisements, the hackers controlled only four of the nine verifiers—meaning they would need another verifier to take control of Ronin’s systems.
In a post-mortem, Sky Mavis revealed that the hackers used Axie DAO (an organization that powers the gaming ecosystem) to complete the takeover. Sky Mavis had asked Axie DAO in November 2021 for help in handling transaction load issues.
“Axie DAO allows Sky Mavis to sign various transactions on their behalf. Although discontinued in December 2021, the access list has not been revoked,” Sky Mavis said in a blog post. “If an attacker penetrates the Sky Mavis system, they can obtain signatures from the Axie DAO validator.”
A month after the hack, Sky Mavis increased the number of validator nodes to 11, and said in a blog post that its long-term goal is 100 or more.
When a reporter contacted Sky Mavis, the company declined to comment on how the hacking attack was carried out. LinkedIn also declined to comment on several occasions.
Earlier today, ESET research firm released findings showing that the North Korean hacker group Lazarus targeted aerospace and defense contractors by posing as recruiters through LinkedIn and WhatsApp. However, the report did not link this technique to the Sky Mavis hack.
In early April this year, Sky Mavis raised $150 million in an investment round led by Binance. These funds, along with the company’s reserve funds, will be used to compensate users affected by this vulnerability. Axie Infinity recently announced that it would return funds to users starting June 28th. Ronin’s Ethereum bridge, which was suddenly shut down due to a hacking attack, was restarted last week.
According to data from The Block Research, the total amount of funds lost due to frequent DeFi hacking incidents this year exceeded $20 billion. On January 1, this number was just $7.6 billion.
