Key takeaways:
- Hackers fooled a senior developer at Axie Infinity into applying for a position at a bogus business.
- The scheme resulted in the loss of $540 million in bitcoin earlier this year.
- Details of how the breach was carried out are being disclosed for the first time.
A senior developer at Axie Infinity, curious about joining a firm that turned out to be fictional, was responsible for one of the crypto industry’s largest hacks.
In March, the Ethereum-linked sidechain Ronin, which underlies the play-to-earn game Axie Infinity, lost $540 million in cryptocurrency due to a vulnerability. While the U.S. government eventually linked the incident to the North Korean cyber organisation Lazarus, the exploit’s exact execution remains unknown.
Axie Infinity senior engineer applied for a fake job
According to two anonymous sources with intimate knowledge of the case, a senior engineer at Axie Infinity was tricked into applying for a position at a firm that did not exist.
Axie Infinity was enormous. Its play-to-earn model let workers in Southeast Asia earn a living. In November of last year, it claimed 2.7 million daily active users and $214 million in weekly trading volume for its in-game NFTs; those figures have since declined.
Staff at Axie Infinity creator Sky Mavis were contacted earlier this year by individuals claiming to represent the phoney firm and invited to apply for positions, according to sources familiar with the situation. According to one source, the attempts were made via the professional networking website LinkedIn.
After numerous rounds of interviews, a Sky Mavis engineer was given a very lucrative remuneration package.
The bogus “offer” was delivered as a PDF document; when the engineer downloaded it, malware was able to penetrate Ronin’s systems. From there, the hackers could attack and seize control of four of the Ronin network’s nine validators, leaving them one validator short of control.
In a post-mortem blog post on April 27th, Sky Mavis said: “Employees are under constant advanced spear-phishing attacks on various social channels, and one employee was compromised. This employee no longer works at Sky Mavis. The attacker managed to leverage that access to penetrate Sky Mavis IT infrastructure and gain access to the validator nodes.”
How the breach was executed
In blockchains, validators perform several roles, including producing transaction blocks and updating data oracles. Ronin employs a technique known as “proof of authority” to sign transactions, concentrating power in the hands of nine trusted individuals.
In an April blog post, Elliptic, a blockchain research company, said, “Funds can be moved out if five of the nine validators approve it. The attacker managed to get hold of the private cryptographic keys belonging to five of the validators, which was enough to steal the crypto assets.”
However, after penetrating Ronin’s networks via the bogus job offer, the hackers controlled only four of the nine validators and needed one more to take control.
Sky Mavis disclosed that the hackers used the Axie DAO (Decentralised Autonomous Organisation), an organisation created to support the game ecosystem, to carry out the theft. In November 2021, Sky Mavis had asked the DAO for help coping with a large transaction volume.
The Axie DAO allowed Sky Mavis to sign transactions on its behalf. That arrangement ended in December 2021, but the allowlist entry granting the access was never revoked. Once the attacker had access to Sky Mavis’s systems, they could therefore obtain the Axie DAO validator’s signature as well.
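The two paragraphs above describe the core control failure: a 5-of-9 approval threshold, and a signing delegation that was no longer needed but never revoked, so a compromise of four validators plus the operator's infrastructure reached five approvals. The model below is an added illustration written for this article, not Ronin's or Sky Mavis's actual contract code. It assumes placeholder identities ("validator-1" to "validator-9", "sky-mavis-signer"), a constructed allowlist, and constructed dates; it shows the approval check passing while the stale delegation exists, failing once it is revoked, and an audit that flags delegations that have gone unused.

```python
"""Toy model of threshold-approved bridge withdrawals with delegated signing.

Constructed example for this article, not Ronin's contract code: nine
validator identities, a 5-of-9 approval threshold, and an allowlist that
lets a validator delegate its signing right to another party.  All
identities and dates are placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

THRESHOLD = 5
VALIDATORS = frozenset(f"validator-{i}" for i in range(1, 10))  # placeholder ids


@dataclass
class Delegation:
    validator: str     # validator whose signing right is delegated
    delegate: str      # party allowed to sign on that validator's behalf
    granted: date
    last_used: date    # tracked so an auditor can spot grants that outlived their purpose


@dataclass
class Bridge:
    allowlist: list[Delegation] = field(default_factory=list)

    def grant(self, validator: str, delegate: str, when: date) -> None:
        self.allowlist.append(Delegation(validator, delegate, when, when))

    def revoke(self, validator: str, delegate: str) -> None:
        # The control that was missing in the incident: remove the entry once the need is over.
        self.allowlist = [
            d for d in self.allowlist
            if not (d.validator == validator and d.delegate == delegate)
        ]

    def validators_for(self, signer: str) -> set[str]:
        """Validator approvals a single signing key can produce: its own, plus any delegated to it."""
        owned = {signer} if signer in VALIDATORS else set()
        delegated = {d.validator for d in self.allowlist if d.delegate == signer}
        return owned | delegated

    def approve_withdrawal(self, signers: set[str]) -> bool:
        """True when the distinct validator approvals reachable from `signers` meet the threshold."""
        approvals: set[str] = set()
        for s in signers:
            approvals |= self.validators_for(s)
        return len(approvals & VALIDATORS) >= THRESHOLD

    def stale_delegations(self, today: date, max_idle_days: int = 30) -> list[Delegation]:
        """Audit helper: delegations not exercised within `max_idle_days`."""
        return [d for d in self.allowlist if (today - d.last_used).days > max_idle_days]


def stale_delegation_scenario() -> tuple[bool, bool, int]:
    """Replays the control failure described in the article with placeholder identities.

    Returns (approved_with_stale_grant, approved_after_revocation, stale_entries_flagged).
    """
    bridge = Bridge()
    # Constructed: in Nov 2021 the DAO's validator delegates signing to the operator's signer.
    bridge.grant("validator-5", "sky-mavis-signer", date(2021, 11, 1))

    # Constructed: signing keys reachable from a compromised operator environment,
    # four validators plus the operator's own delegated signer.
    reachable = {"validator-1", "validator-2", "validator-3", "validator-4", "sky-mavis-signer"}

    # An audit run before the incident would already have flagged the idle grant.
    flagged = len(bridge.stale_delegations(date(2022, 3, 1)))

    with_stale_grant = bridge.approve_withdrawal(reachable)   # 4 owned + 1 delegated = 5
    bridge.revoke("validator-5", "sky-mavis-signer")          # what should have happened in Dec 2021
    after_revocation = bridge.approve_withdrawal(reachable)   # 4 < 5
    return with_stale_grant, after_revocation, flagged


if __name__ == "__main__":
    print(stale_delegation_scenario())
```

The point of the model is that the threshold itself was sound; what defeated it was an authorization grant that outlived its purpose, which is why the example pairs the `revoke` path with a `stale_delegations` audit rather than changing the threshold.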
When contacted, Sky Mavis refused to comment on how the breach was executed.
In early April, Sky Mavis secured $150 million in financing headed by Binance. The money will be utilised with the company’s cash to pay impacted users. The business announced that it would begin restoring customer payments on June 28th. Ronin’s Ethereum bridge was also reactivated last week after it abruptly ceased operations during the breach.
The pace of DeFi attacks has increased this year, with total funds stolen surpassing $2 billion. On January 1st, the figure was $760 million.